NAME

HTTP::CookieJar - A minimalist HTTP user agent cookie jar

VERSION

version 0.010

SYNOPSIS

use HTTP::CookieJar;

my $jar = HTTP::CookieJar->new;

# add cookie received from a request
$jar->add( "http://www.example.com/", "CUSTOMER=WILE_E_COYOTE; Path=/; Domain=example.com" );

# extract cookie header for a given request
my $cookie = $jar->cookie_header( "http://www.example.com/" );

DESCRIPTION

This module implements a minimalist HTTP user agent cookie jar in conformance with RFC 6265.

Unlike the commonly used HTTP::Cookies module, this module does not require use of HTTP::Request and HTTP::Response objects. An LWP-compatible adapter is available as HTTP::CookieJar::LWP.

CONSTRUCTORS

new

my $jar = HTTP::CookieJar->new;

Return a new, empty cookie jar

METHODS

add

$jar->add(
    "http://www.example.com/", "lang=en-US; Path=/; Domain=example.com"
);

Given a request URL and a Set-Cookie header string, attempts to adds the cookie to the jar. If the cookie is expired, instead it deletes any matching cookie from the jar. A Max-Age attribute will be converted to an absolute Expires attribute.

It will throw an exception if the request URL is missing or invalid. Returns true if successful cookie processing or undef/empty-list on failure.

clear

$jar->clear

Empties the cookie jar.

cookies_for

my @cookies = $jar->cookies_for("http://www.example.com/foo/bar");

Given a request URL, returns a list of hash references representing cookies that should be sent. The hash references are copies -- changing values will not change the cookies in the jar.

Cookies set secure will only be returned if the request scheme is https. Expired cookies will not be returned.

Keys of a cookie hash reference might include:

  • name -- the name of the cookie

  • value -- the value of the cookie

  • domain -- the domain name to which the cookie applies

  • path -- the path to which the cookie applies

  • expires -- if present, when the cookie expires in epoch seconds

  • secure -- if present, the cookie was set Secure

  • httponly -- if present, the cookie was set HttpOnly

  • hostonly -- if present, the cookie may only be used with the domain as a host

  • creation_time -- epoch seconds since the cookie was first stored

  • last_access_time -- epoch seconds since the cookie was last stored

Keep in mind that httponly means it should only be used in requests and not made available via Javascript, etc. This is pretty meaningless for Perl user agents.

Generally, user agents should use the cookie_header method instead.

It will throw an exception if the request URL is missing or invalid.

my $header = $jar->cookie_header("http://www.example.com/foo/bar");

Given a request URL, returns a correctly-formatted string with all relevant cookies for the request. This string is ready to be used in a Cookie header in an HTTP request. E.g.:

SID=31d4d96e407aad42; lang=en-US

It follows the same exclusion rules as cookies_for.

If the request is invalid or no cookies apply, it will return an empty string.

dump_cookies

my @list = $jar->dump_cookies;
my @list = $jar->dump_cookies( { persistent => 1 } );

Returns a list of raw cookies in string form. The strings resemble what would be received from Set-Cookie headers, but with additional internal fields. The list is only intended for use with load_cookies to allow cookie jar persistence.

If a hash reference with a true persistent key is given as an argument, cookies without an Expires time (i.e. "session cookies") will be omitted.

Here is a trivial example of saving a cookie jar file with Path::Tiny:

path("jar.txt")->spew( join "\n", $jar->dump_cookies );

load_cookies

$jar->load_cookies( @cookies );

Given a list of cookie strings from dump_cookies, it adds them to the cookie jar. Cookies added in this way will supersede any existing cookies with similar domain, path and name.

It returns the jar object for convenience when loading a new object:

my $jar = HTTP::CookieJar->new->load_cookies( @cookies );

Here is a trivial example of loading a cookie jar file with Path::Tiny:

my $jar = HTTP::CookieJar->new->load_cookies(
    path("jar.txt")->lines
);

LIMITATIONS AND CAVEATS

RFC 6265 vs prior standards

This modules adheres as closely as possible to the user-agent rules of RFC 6265. Therefore, it does not handle nor generate Set-Cookie2 and Cookie2 headers, implement .local suffixes, or do path/domain matching in accord with prior RFC's.

Internationalized domain names

Internationalized domain names given in requests must be properly encoded in ASCII form.

Public suffixes

If Mozilla::PublicSuffix is installed, cookie domains will be checked against the public suffix list. Public suffix cookies are only allowed as host-only cookies.

Third-party cookies

According to RFC 6265, a cookie may be accepted only if has no Domain attribute (in which case it is "host-only") or if the Domain attribute is a suffix of the request URL. This effectively prohibits Site A from setting a cookie for unrelated Site B, which is one potential third-party cookie vector.

SEE ALSO

AUTHOR

David Golden <dagolden@cpan.org>

CONTRIBUTORS

  • Dan Book <grinnz@grinnz.com>

  • David Golden <xdg@xdg.me>

  • jvolkening <jdv@base2bio.com>

COPYRIGHT AND LICENSE

This software is Copyright (c) 2013 by David Golden.

This is free software, licensed under:

The Apache License, Version 2.0, January 2004