Jetty Logo
Version: 9.4.26.v20200117
Contact the core Jetty developers at

private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development

Cookies Support

Special Characters in Cookies

Jetty HTTP client supports cookies out of the box. The HttpClient instance receives cookies from HTTP responses and stores them in a, a class that is part of the JDK. When new requests are made, the cookie store is consulted and if there are matching cookies (that is, cookies that are not expired and that match domain and path of the request) then they are added to the requests.

Applications can programmatically access the cookie store to find the cookies that have been set:

CookieStore cookieStore = httpClient.getCookieStore();
List<HttpCookie> cookies = cookieStore.get(URI.create(""));

Applications can also programmatically set cookies as if they were returned from a HTTP response:

CookieStore cookieStore = httpClient.getCookieStore();
HttpCookie cookie = new HttpCookie("foo", "bar");
cookieStore.add(URI.create(""), cookie);

Cookies may be added only for a particular request:

ContentResponse response = httpClient.newRequest("")
        .cookie(new HttpCookie("foo", "bar"))

You can remove cookies that you do not want to be sent in future HTTP requests:

CookieStore cookieStore = httpClient.getCookieStore();
URI uri = URI.create("");
List<HttpCookie> cookies = cookieStore.get(uri);
for (HttpCookie cookie : cookies)
    cookieStore.remove(uri, cookie);

If you want to totally disable cookie handling, you can install a HttpCookieStore.Empty instance in this way:

httpClient.setCookieStore(new HttpCookieStore.Empty());

You can enable cookie filtering by installing a cookie store that performs the filtering logic in this way:

httpClient.setCookieStore(new GoogleOnlyCookieStore());

public class GoogleOnlyCookieStore extends HttpCookieStore
    public void add(URI uri, HttpCookie cookie)
        if (uri.getHost().endsWith(""))
            super.add(uri, cookie);

The example above will retain only cookies that come from the domain or sub-domains.

Special Characters in Cookies

Jetty is compliant with RFC6265, and as such care must be taken when setting a cookie value that includes special characters such as ;.

Previously, Version=1 cookies defined in RFC2109 (and continued in RFC2965) allowed for special/reserved characters to be enclosed within double quotes when declared in a Set-Cookie response header:

Set-Cookie: foo="bar;baz";Version=1;Path="/secur"

This was added to the HTTP Response header as follows:

Cookie cookie = new Cookie("foo", "bar;baz");

The introduction of RFC6265 has rendered this approach no longer possible; users are now required to encode cookie values that use these special characters. This can be done utilizing javax.servlet.http.Cookie as follows:

Cookie cookie = new Cookie("foo", URLEncoder.encode("bar;baz", "utf-8"));

Jetty validates all cookie names and values being added to the HttpServletResponse via the addCookie(Cookie) method. If an illegal value is discovered Jetty will throw an IllegalArgumentException with the details.

See an error or something missing? Contribute to this documentation at Github!(Generated: 2020-01-17)