Response.Cookies Collection

The Cookies collection sets the value of a cookie. If the specified cookie does not exist, it is created. If the cookie exists, it takes the new value, and the old value is discarded.

Cookies should never be used to store secure data, such as passwords. Cookies are transmitted as clear text. If a malicious user taps an Internet connection, then they can take cookie data to impersonate a client and gain access to their data. If you must transmit sensitive data, do so on a Secure Sockets Layer (SSL) connection. For more information on SSL, see "Secure Sockets Layer" in IIS Help, which is accessible from IIS Manager.


Response.Cookies( cookie )[(key)| **.**attribute] **=**value


  • cookie
    The name of the cookie.

  • key
    An optional parameter. If key is specified, Cookie is a dictionary, and key is set to value.

  • attribute
    Specifies information about the Cookie itself. The attribute parameter can be one of the following.




    Write-only. If specified, the Cookie is sent only to requests to this domain.


    Write-only. The date on which the Cookie expires. This date must be set in order for the Cookie to be stored on the client's disk after the session ends. If this attribute is not set to a date beyond the current date, the Cookie expires when the session ends.


    Read-only. Specifies whether the cookie contains keys.


    Write-only. If specified, the Cookie is sent only to requests to this path. If this attribute is not set, the application path is used.


    Write-only. Specifies whether the Cookie is secure.

  • Value
    Specifies the value to assign to key or attribute.

Applies To

Response Object


If a Cookie with a key is created, as shown in the following script,

Response.Cookies("mycookie")("type1") = "sugar"
Response.Cookies("mycookie")("type2") = "ginger snap"

The following header is sent:


A subsequent assignment to myCookie without specifying a key would destroy the type1 and type2 keys, as shown in the following example:

<% Response.Cookies("myCookie") = "chocolate chip" %>

In the preceding example, the type1 and type2 keys are destroyed and their values are discarded. The myCookie cookie now has the value chocolate chip.

Conversely, if you use a Cookie with a key, it destroys any nonkey values that the Cookie contained. For example, if after the preceding code you call Response.Cookies with the following:

<% Response.Cookies("myCookie")("newType") = "peanut butter" %>

The value chocolate chip is discarded and newType would be set to peanut butter.

To determine whether a cookie has keys, use the following syntax:

<%= Response.Cookies("myCookie").HasKeys %>

If myCookie is a cookie dictionary, the preceding value is TRUE. Otherwise, it is FALSE.

You can use an iterator to set cookie attributes. For example, to set all of the cookies to expire on a particular date, use the following syntax:

For Each cookie in Response.Cookies
Response.Cookie(cookie).Expires = #July 4, 1997#

You can also iterate through the values of all the cookies in a collection, or all the keys in a cookie. However, if you try to iterate through the values for a cookie that does not have keys, nothing will be returned. To avoid this, you can first use the .HasKeys syntax to check whether a cookie has any keys, as shown in the following example.

If Not cookie.HasKeys Then
'Set the value of the cookie.
Response.Cookies(cookie) = ""
'Set the value for each key in the cookie collection.
For Each key in Response.Cookies(cookie)
Response.Cookies(cookie)(key) = ""

Example Code

The following examples demonstrate how you can set a value for a cookie and assign values to its attributes.


Do not store sensitive data, such as passwords or account numbers in cookies.

For more detailed information on security, see MS Press - Writing Secure Code.

Response.Cookies("Type") = "Chocolate Chip"
Response.Cookies("Type").Expires = "July 31, 2001"
Response.Cookies("Type").Path = "/"


Client: Requires Windows XP Professional, Windows 2000 Professional, or Windows NT Workstation 4.0.

Server: Requires Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0.

Product: IIS

See Also