okhttp3.Cookie.kt Maven / Gradle / Ivy
* Copyright (C) 2015 Square, Inc.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* See the License for the specific language governing permissions and
* limitations under the License.
package okhttp3
import okhttp3.internal.UTC
import okhttp3.internal.canParseAsIpAddress
import okhttp3.internal.delimiterOffset
import okhttp3.internal.http.MAX_DATE
import okhttp3.internal.http.toHttpDateString
import okhttp3.internal.indexOfControlOrNonAscii
import okhttp3.internal.publicsuffix.PublicSuffixDatabase
import okhttp3.internal.toCanonicalHost
import okhttp3.internal.trimSubstring
import org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement
import java.util.Calendar
import java.util.Collections
import java.util.Date
import java.util.GregorianCalendar
import java.util.Locale
import java.util.regex.Pattern
* An [RFC 6265](http://tools.ietf.org/html/rfc6265) Cookie.
* This class doesn't support additional attributes on cookies, like
* [Chromium's Priority=HIGH extension][chromium_extension].
* [chromium_extension]: https://code.google.com/p/chromium/issues/detail?id=232693
class Cookie private constructor(
/** Returns a non-empty string with this cookie's name. */
@get:JvmName("name") val name: String,
/** Returns a possibly-empty string with this cookie's value. */
@get:JvmName("value") val value: String,
* Returns the time that this cookie expires, in the same format as [System.currentTimeMillis].
* This is December 31, 9999 if the cookie is [persistent], in which case it will expire at the
* end of the current session.
* This may return a value less than the current time, in which case the cookie is already
* expired. Webservers may return expired cookies as a mechanism to delete previously set cookies
* that may or may not themselves be expired.
@get:JvmName("expiresAt") val expiresAt: Long,
* Returns the cookie's domain. If [hostOnly] returns true this is the only domain that matches
* this cookie; otherwise it matches this domain and all subdomains.
@get:JvmName("domain") val domain: String,
* Returns this cookie's path. This cookie matches URLs prefixed with path segments that match
* this path's segments. For example, if this path is `/foo` this cookie matches requests to
* `/foo` and `/foo/bar`, but not `/` or `/football`.
@get:JvmName("path") val path: String,
/** Returns true if this cookie should be limited to only HTTPS requests. */
@get:JvmName("secure") val secure: Boolean,
* Returns true if this cookie should be limited to only HTTP APIs. In web browsers this prevents
* the cookie from being accessible to scripts.
@get:JvmName("httpOnly") val httpOnly: Boolean,
/** Returns true if this cookie does not expire at the end of the current session. */
@get:JvmName("persistent") val persistent: Boolean, // True if 'expires' or 'max-age' is present.
* Returns true if this cookie's domain should be interpreted as a single host name, or false if
* it should be interpreted as a pattern. This flag will be false if its `Set-Cookie` header
* included a `domain` attribute.
* For example, suppose the cookie's domain is `example.com`. If this flag is true it matches
* **only** `example.com`. If this flag is false it matches `example.com` and all subdomains
* including `api.example.com`, `www.example.com`, and `beta.api.example.com`.
@get:JvmName("hostOnly") val hostOnly: Boolean // True unless 'domain' is present.
) {
* Returns true if this cookie should be included on a request to [url]. In addition to this
* check callers should also confirm that this cookie has not expired.
fun matches(url: HttpUrl): Boolean {
val domainMatch = if (hostOnly) {
url.host == domain
} else {
domainMatch(url.host, domain)
if (!domainMatch) return false
if (!pathMatch(url, path)) return false
return !secure || url.isHttps
override fun equals(other: Any?): Boolean {
return other is Cookie &&
other.name == name &&
other.value == value &&
other.expiresAt == expiresAt &&
other.domain == domain &&
other.path == path &&
other.secure == secure &&
other.httpOnly == httpOnly &&
other.persistent == persistent &&
other.hostOnly == hostOnly
@IgnoreJRERequirement // As of AGP 3.4.1, D8 desugars API 24 hashCode methods.
override fun hashCode(): Int {
var result = 17
result = 31 * result + name.hashCode()
result = 31 * result + value.hashCode()
result = 31 * result + expiresAt.hashCode()
result = 31 * result + domain.hashCode()
result = 31 * result + path.hashCode()
result = 31 * result + secure.hashCode()
result = 31 * result + httpOnly.hashCode()
result = 31 * result + persistent.hashCode()
result = 31 * result + hostOnly.hashCode()
return result
override fun toString(): String = toString(false)
message = "moved to val",
replaceWith = ReplaceWith(expression = "name"),
level = DeprecationLevel.ERROR)
fun name(): String = name
message = "moved to val",
replaceWith = ReplaceWith(expression = "value"),
level = DeprecationLevel.ERROR)
fun value(): String = value
message = "moved to val",
replaceWith = ReplaceWith(expression = "persistent"),
level = DeprecationLevel.ERROR)
fun persistent(): Boolean = persistent
message = "moved to val",
replaceWith = ReplaceWith(expression = "expiresAt"),
level = DeprecationLevel.ERROR)
fun expiresAt(): Long = expiresAt
message = "moved to val",
replaceWith = ReplaceWith(expression = "hostOnly"),
level = DeprecationLevel.ERROR)
fun hostOnly(): Boolean = hostOnly
message = "moved to val",
replaceWith = ReplaceWith(expression = "domain"),
level = DeprecationLevel.ERROR)
fun domain(): String = domain
message = "moved to val",
replaceWith = ReplaceWith(expression = "path"),
level = DeprecationLevel.ERROR)
fun path(): String = path
message = "moved to val",
replaceWith = ReplaceWith(expression = "httpOnly"),
level = DeprecationLevel.ERROR)
fun httpOnly(): Boolean = httpOnly
message = "moved to val",
replaceWith = ReplaceWith(expression = "secure"),
level = DeprecationLevel.ERROR)
fun secure(): Boolean = secure
* @param forObsoleteRfc2965 true to include a leading `.` on the domain pattern. This is
* necessary for `example.com` to match `www.example.com` under RFC 2965. This extra dot is
* ignored by more recent specifications.
internal fun toString(forObsoleteRfc2965: Boolean): String {
return buildString {
if (persistent) {
if (expiresAt == Long.MIN_VALUE) {
append("; max-age=0")
} else {
append("; expires=").append(Date(expiresAt).toHttpDateString())
if (!hostOnly) {
append("; domain=")
if (forObsoleteRfc2965) {
append("; path=").append(path)
if (secure) {
append("; secure")
if (httpOnly) {
append("; httponly")
return toString()
* Builds a cookie. The [name], [value], and [domain] values must all be set before calling
* [build].
class Builder {
private var name: String? = null
private var value: String? = null
private var expiresAt = MAX_DATE
private var domain: String? = null
private var path = "/"
private var secure = false
private var httpOnly = false
private var persistent = false
private var hostOnly = false
fun name(name: String) = apply {
require(name.trim() == name) { "name is not trimmed" }
this.name = name
fun value(value: String) = apply {
require(value.trim() == value) { "value is not trimmed" }
this.value = value
fun expiresAt(expiresAt: Long) = apply {
var expiresAt = expiresAt
if (expiresAt <= 0L) expiresAt = Long.MIN_VALUE
if (expiresAt > MAX_DATE) expiresAt = MAX_DATE
this.expiresAt = expiresAt
this.persistent = true
* Set the domain pattern for this cookie. The cookie will match [domain] and all of its
* subdomains.
fun domain(domain: String): Builder = domain(domain, false)
* Set the host-only domain for this cookie. The cookie will match [domain] but none of
* its subdomains.
fun hostOnlyDomain(domain: String): Builder = domain(domain, true)
private fun domain(domain: String, hostOnly: Boolean) = apply {
val canonicalDomain = domain.toCanonicalHost()
?: throw IllegalArgumentException("unexpected domain: $domain")
this.domain = canonicalDomain
this.hostOnly = hostOnly
fun path(path: String) = apply {
require(path.startsWith("/")) { "path must start with '/'" }
this.path = path
fun secure() = apply {
this.secure = true
fun httpOnly() = apply {
this.httpOnly = true
fun build(): Cookie {
return Cookie(
name ?: throw NullPointerException("builder.name == null"),
value ?: throw NullPointerException("builder.value == null"),
domain ?: throw NullPointerException("builder.domain == null"),
companion object {
private val YEAR_PATTERN = Pattern.compile("(\\d{2,4})[^\\d]*")
private val MONTH_PATTERN =
private val DAY_OF_MONTH_PATTERN = Pattern.compile("(\\d{1,2})[^\\d]*")
private val TIME_PATTERN = Pattern.compile("(\\d{1,2}):(\\d{1,2}):(\\d{1,2})[^\\d]*")
private fun domainMatch(urlHost: String, domain: String): Boolean {
if (urlHost == domain) {
return true // As in 'example.com' matching 'example.com'.
return urlHost.endsWith(domain) &&
urlHost[urlHost.length - domain.length - 1] == '.' &&
private fun pathMatch(url: HttpUrl, path: String): Boolean {
val urlPath = url.encodedPath
if (urlPath == path) {
return true // As in '/foo' matching '/foo'.
if (urlPath.startsWith(path)) {
if (path.endsWith("/")) return true // As in '/' matching '/foo'.
if (urlPath[path.length] == '/') return true // As in '/foo' matching '/foo/bar'.
return false
* Attempt to parse a `Set-Cookie` HTTP header value [setCookie] as a cookie. Returns null if
* [setCookie] is not a well-formed cookie.
fun parse(url: HttpUrl, setCookie: String): Cookie? =
parse(System.currentTimeMillis(), url, setCookie)
internal fun parse(currentTimeMillis: Long, url: HttpUrl, setCookie: String): Cookie? {
val cookiePairEnd = setCookie.delimiterOffset(';')
val pairEqualsSign = setCookie.delimiterOffset('=', endIndex = cookiePairEnd)
if (pairEqualsSign == cookiePairEnd) return null
val cookieName = setCookie.trimSubstring(endIndex = pairEqualsSign)
if (cookieName.isEmpty() || cookieName.indexOfControlOrNonAscii() != -1) return null
val cookieValue = setCookie.trimSubstring(pairEqualsSign + 1, cookiePairEnd)
if (cookieValue.indexOfControlOrNonAscii() != -1) return null
var expiresAt = MAX_DATE
var deltaSeconds = -1L
var domain: String? = null
var path: String? = null
var secureOnly = false
var httpOnly = false
var hostOnly = true
var persistent = false
var pos = cookiePairEnd + 1
val limit = setCookie.length
while (pos < limit) {
val attributePairEnd = setCookie.delimiterOffset(';', pos, limit)
val attributeEqualsSign = setCookie.delimiterOffset('=', pos, attributePairEnd)
val attributeName = setCookie.trimSubstring(pos, attributeEqualsSign)
val attributeValue = if (attributeEqualsSign < attributePairEnd) {
setCookie.trimSubstring(attributeEqualsSign + 1, attributePairEnd)
} else {
when {
attributeName.equals("expires", ignoreCase = true) -> {
try {
expiresAt = parseExpires(attributeValue, 0, attributeValue.length)
persistent = true
} catch (_: IllegalArgumentException) {
// Ignore this attribute, it isn't recognizable as a date.
attributeName.equals("max-age", ignoreCase = true) -> {
try {
deltaSeconds = parseMaxAge(attributeValue)
persistent = true
} catch (_: NumberFormatException) {
// Ignore this attribute, it isn't recognizable as a max age.
attributeName.equals("domain", ignoreCase = true) -> {
try {
domain = parseDomain(attributeValue)
hostOnly = false
} catch (_: IllegalArgumentException) {
// Ignore this attribute, it isn't recognizable as a domain.
attributeName.equals("path", ignoreCase = true) -> {
path = attributeValue
attributeName.equals("secure", ignoreCase = true) -> {
secureOnly = true
attributeName.equals("httponly", ignoreCase = true) -> {
httpOnly = true
pos = attributePairEnd + 1
// If 'Max-Age' is present, it takes precedence over 'Expires', regardless of the order the two
// attributes are declared in the cookie string.
if (deltaSeconds == Long.MIN_VALUE) {
expiresAt = Long.MIN_VALUE
} else if (deltaSeconds != -1L) {
val deltaMilliseconds = if (deltaSeconds <= Long.MAX_VALUE / 1000) {
deltaSeconds * 1000
} else {
expiresAt = currentTimeMillis + deltaMilliseconds
if (expiresAt < currentTimeMillis || expiresAt > MAX_DATE) {
expiresAt = MAX_DATE // Handle overflow & limit the date range.
// If the domain is present, it must domain match. Otherwise we have a host-only cookie.
val urlHost = url.host
if (domain == null) {
domain = urlHost
} else if (!domainMatch(urlHost, domain)) {
return null // No domain match? This is either incompetence or malice!
// If the domain is a suffix of the url host, it must not be a public suffix.
if (urlHost.length != domain.length &&
PublicSuffixDatabase.get().getEffectiveTldPlusOne(domain) == null) {
return null
// If the path is absent or didn't start with '/', use the default path. It's a string like
// '/foo/bar' for a URL like 'http://example.com/foo/bar/baz'. It always starts with '/'.
if (path == null || !path.startsWith("/")) {
val encodedPath = url.encodedPath
val lastSlash = encodedPath.lastIndexOf('/')
path = if (lastSlash != 0) encodedPath.substring(0, lastSlash) else "/"
return Cookie(cookieName, cookieValue, expiresAt, domain, path, secureOnly, httpOnly,
persistent, hostOnly)
/** Parse a date as specified in RFC 6265, section 5.1.1. */
private fun parseExpires(s: String, pos: Int, limit: Int): Long {
var pos = pos
pos = dateCharacterOffset(s, pos, limit, false)
var hour = -1
var minute = -1
var second = -1
var dayOfMonth = -1
var month = -1
var year = -1
val matcher = TIME_PATTERN.matcher(s)
while (pos < limit) {
val end = dateCharacterOffset(s, pos + 1, limit, true)
matcher.region(pos, end)
when {
hour == -1 && matcher.usePattern(TIME_PATTERN).matches() -> {
hour = Integer.parseInt(matcher.group(1))
minute = Integer.parseInt(matcher.group(2))
second = Integer.parseInt(matcher.group(3))
dayOfMonth == -1 && matcher.usePattern(DAY_OF_MONTH_PATTERN).matches() -> {
dayOfMonth = Integer.parseInt(matcher.group(1))
month == -1 && matcher.usePattern(MONTH_PATTERN).matches() -> {
val monthString = matcher.group(1).toLowerCase(Locale.US)
month = MONTH_PATTERN.pattern().indexOf(monthString) / 4 // Sneaky! jan=1, dec=12.
year == -1 && matcher.usePattern(YEAR_PATTERN).matches() -> {
year = Integer.parseInt(matcher.group(1))
pos = dateCharacterOffset(s, end + 1, limit, false)
// Convert two-digit years into four-digit years. 99 becomes 1999, 15 becomes 2015.
if (year in 70..99) year += 1900
if (year in 0..69) year += 2000
// If any partial is omitted or out of range, return -1. The date is impossible. Note that leap
// seconds are not supported by this syntax.
require(year >= 1601)
require(month != -1)
require(dayOfMonth in 1..31)
require(hour in 0..23)
require(minute in 0..59)
require(second in 0..59)
GregorianCalendar(UTC).apply {
isLenient = false
set(Calendar.YEAR, year)
set(Calendar.MONTH, month - 1)
set(Calendar.DAY_OF_MONTH, dayOfMonth)
set(Calendar.HOUR_OF_DAY, hour)
set(Calendar.MINUTE, minute)
set(Calendar.SECOND, second)
set(Calendar.MILLISECOND, 0)
return timeInMillis
* Returns the index of the next date character in `input`, or if `invert` the index
* of the next non-date character in `input`.
private fun dateCharacterOffset(input: String, pos: Int, limit: Int, invert: Boolean): Int {
for (i in pos until limit) {
val c = input[i].toInt()
val dateCharacter = (c < ' '.toInt() && c != '\t'.toInt() || c >= '\u007f'.toInt() ||
c in '0'.toInt()..'9'.toInt() ||
c in 'a'.toInt()..'z'.toInt() ||
c in 'A'.toInt()..'Z'.toInt() ||
c == ':'.toInt())
if (dateCharacter == !invert) return i
return limit
* Returns the positive value if [s] is positive, or [Long.MIN_VALUE] if it is either 0 or
* negative. If the value is positive but out of range, this returns [Long.MAX_VALUE].
* @throws NumberFormatException if [s] is not an integer of any precision.
private fun parseMaxAge(s: String): Long {
try {
val parsed = s.toLong()
return if (parsed <= 0L) Long.MIN_VALUE else parsed
} catch (e: NumberFormatException) {
// Check if the value is an integer (positive or negative) that's too big for a long.
if (s.matches("-?\\d+".toRegex())) {
return if (s.startsWith("-")) Long.MIN_VALUE else Long.MAX_VALUE
throw e
* Returns a domain string like `example.com` for an input domain like `EXAMPLE.COM`
* or `.example.com`.
private fun parseDomain(s: String): String {
return s.removePrefix(".").toCanonicalHost() ?: throw IllegalArgumentException()
/** Returns all of the cookies from a set of HTTP response headers. */
fun parseAll(url: HttpUrl, headers: Headers): List {
val cookieStrings = headers.values("Set-Cookie")
var cookies: MutableList? = null
for (i in 0 until cookieStrings.size) {
val cookie = parse(url, cookieStrings[i]) ?: continue
if (cookies == null) cookies = mutableListOf()
return if (cookies != null) {
} else {
© 2015 - 2025 Weber Informatics LLC | Privacy Policy