Simple question I think, but I just can\'t seem to find an answer.
I am writing a cookie in a Java Servlet with the Cookie class which is sent to the browser in the resp
Well, I haven't seen much activity on this question, so I'm going to attempt to answer this in order to provide help to anyone looking for an answer in the future. However, I'll leave it open to give others an opportunity to jump in if they choose.
So there were a couple of options that I considered...
1)
Apache Commons HTTPClient project has a "DateUtil" class that I was hoping would work. http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpclient/util/DateUtil.html. This provides convenience methods to format the date into a few standard formats to communicate dates in http headers... however, none of them seemed to match exactly what was being returned by the servlet container.
2)
Apache Commons also has a Cookie class in that project, which has a "toExternalForm" method that returns a String. Using that, I thought I may have been able to just create the cookie per usual, call "toExternalForm", then append "HTTPOnly". http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpclient/Cookie.html. That might work, but I didn't bother trying.
3)
I finally decided just to use a pattern that matched what my Servlet container was returning, regardless of whether it was a standard format or not. If it is what the Servlet container returns, then it should work, right? Why not...
SimpleDateFormat COOKIE_EXPIRES_HEADER_FORMAT = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss zzz");
COOKIE_EXPIRES_HEADER_FORMAT.setTimeZone(new SimpleTimeZone(0, "GMT"));
Date d = new Date();
d.setTime(d.getTime() + 3600 * 1000); //1 hour
String cookieLifeTime = COOKIE_EXPIRES_HEADER_FORMAT.format(d);
response.setHeader("Set-Cookie", "test=somevalue; Domain=.mydomain.org; Expires=" + cookieLifeTime + "; Path=/; HTTPOnly");
Something like this :
Date expdate = new Date ();
expdate.setTime (expdate.getTime() + (3600 * 1000));
String cookieExpire = "expires=" + expdate.toGMTString();
...
.. and since toGMTString() is deprecated
Date expdate= new Date();
expdate.setTime (expdate.getTime() + (3600 * 1000));
DateFormat df = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", java.util.Locale.US);
df.setTimeZone(TimeZone.getTimeZone("GMT"));
String cookieExpire = "expires=" + df.format(expdate);
Java 8 now supplies an appropriate date formatter, DateTimeFormatter.RFC_1123_DATE_TIME:
OffsetDateTime oneHourFromNow
= OffsetDateTime.now(ZoneOffset.UTC)
.plus(Duration.ofHours(1));
String cookieExpires
= DateTimeFormatter.RFC_1123_DATE_TIME
.format(oneHourFromNow);
// E.g. "Tue, 8 Nov 2016 20:15:46 GMT"
This format is valid for the the expires
attribute, see RFC 6265 § 4.1.1, which defines the format to be an RFC 1123 date:
expires-av = "Expires=" sane-cookie-date sane-cookie-date = <rfc1123-date, defined in [RFC2616], Section 3.3.1>
The first answer given by JasonStoltz is the correct one:
1) Apache Commons HTTPClient project has a "DateUtil" class that I was hoping would work. http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpclient/util/DateUtil.html. This provides convenience methods to format the date into a few standard formats to communicate dates in http headers... however, none of them seemed to match exactly what was being returned by the servlet container.
Use a DateTime library to get a date object for one hour in the future (or whatever time), and then use the Apache DateUtil class. That class outputs according to the RFC, so you do not have to worry that it does not match what your servlet 'usually produces' - browsers will respect the RFC!
Your code will look something like this:
// for one hour later (should probably use date libraries in general, this is somewhat awkward)
Date expiresDate = new Date(new Date().getTime() + 3600*1000);
response.setHeader("Set-Cookie", "Expires=" + DateUtil.formatDate(expiresDate) + ";");