Platform SDK: Internet Information Services 6.0
Request.Cookies Collection
The Cookies collection enables you to retrieve the values
of the cookies sent in an HTTP request.
Cookies should never be used to store secure data, such as
passwords. Cookies are transmitted as clear text. If a malicious
user taps an internet connection, then they can take cookie data to
impersonate a client and gain access to their data. If you must
transmit sensitive data, do so on a Secure Sockets Layer (SSL)
connection. For more information on SSL, see "Secure Sockets Layer"
in IIS Help, which is accessible from IIS Manager.
As a security precaution, always encode cookie data (or any
request data) before using it. A general method of encoding data is
to use Server.HTMLEncode. Another
method is to write a short function that tests request data for
invalid characters. More information can be found by reading
chapter 12 of Writing Secure Code, and using Checklist: ASP Security when you
create your ASP applications.
Syntax
Request.Cookies(
cookie)[(
key)|.attribute]
Parameters
- cookie
- Specifies the cookie whose value should be retrieved.
- key
- An optional parameter used to retrieve subkey values from
cookie dictionaries.
- attribute
- Specifies information about the cookie itself. The attribute
parameter can be the following.
| Name | Description |
| HasKeys | Read-only. Specifies whether the cookie contains keys. |
Remarks
You can access the subkeys of a cookie dictionary by including a
value for key. If a cookie dictionary is accessed without
specifying key, all of the keys are returned as a single
query string. For example, if MyCookie has two keys,
First and Second, and you do not specify either of these
keys in a call to Request.Cookies, the following string is
returned.
First=firstkeyvalue&Second=secondkeyvalue
If two cookies with the same name are sent by the client
browser, Request.Cookies returns the one with the deeper
path structure. For example, if two cookies had the same name but
one had a path attribute of /Www/ and the other of /Www/Home/, the
client browser would send both cookies to the /Www/Home/ directory,
but Request.Cookies would only return the second cookie.
To determine whether a cookie is a cookie dictionary (whether
the cookie has keys), use the following script.
<%= Request.Cookies("myCookie").HasKeys %>
If MyCookie is a cookie dictionary, the preceding value
evaluates to TRUE. Otherwise, it evaluates to FALSE.
You can iterate through all the cookies in the Cookie
collection, or all the keys in a cookie. However, iterating through
keys on a cookie that does not have keys will not produce any
output. You can avoid this situation by first checking to see
whether a cookie has keys by using the .HasKeys
syntax, as shown in the following example:
<%
For Each strKey In Request.Cookies
Response.Write strKey & " = " & Request.Cookies(strKey) & "<BR>"
If Request.Cookies(strKey).HasKeys Then
For Each strSubKey In Request.Cookies(strKey)
Response.Write "->" & strKey & "(" & strSubKey & ") = " & _
Request.Cookies(strKey)(strSubKey) & "<BR>"
Next
End If
Next
%>
Example
The following example prints the value of MyCookie on a
Web page.
Here is the value of the cookie named MyCookie:
<%= Request.Cookies("myCookie") %>
.gif)
Note
Cookies are described in detail in the HTTP state
management specification, which is available on the World Wide Web Consortium Web site.
Applies To
Request Object