Request.Cookies Collection

The Cookies collection enables you to retrieve the values of the cookies sent in an HTTP request.

Cookies should never be used to store secure data, such as passwords. Cookies are transmitted as clear text. If a malicious user taps an Internet connection, then they can take cookie data to impersonate a client and gain access to their data. If you must transmit sensitive data, do so on a Secure Sockets Layer (SSL) connection. For more information on SSL, see "Secure Sockets Layer" in IIS Help, which is accessible from IIS Manager.

Cookies are contained in request headers. It is wise to not trust the data that is contained in headers, as this information can be falsified by malicious users. For example, do not rely on data such as cookies to securely identify a user.

Cookies are described in detail in the HTTP state management specification, which is available on the World Wide Web Consortium Web site.

As a security precaution, always encode header data or user input before using it. A general method of encoding data is to use Server.HTMLEncode. Alternatively, you can validate header data and user input with a short function such as the one described in Validating User Input to Avoid Attacks. For more detailed information about developing secure Web applications, see chapter 12 of MS Press - Writing Secure Code.


Request.Cookies( cookie )[(key)|**.**attribute]


  • cookie
    Specifies the cookie whose value should be retrieved.

  • key
    An optional parameter used to retrieve subkey values from cookie dictionaries.

  • attribute
    Specifies information about the cookie itself. The attribute parameter can be the following.




    Read-only. Specifies whether the cookie contains keys.

Applies To

Request Object


You can access the subkeys of a cookie dictionary by including a value for key. If a cookie dictionary is accessed without specifying key, all of the keys are returned as a single query string. For example, if MyCookie has two keys, First and Second, and you do not specify either of these keys in a call to Request.Cookies, the following string is returned.


If two cookies with the same name are sent by the client browser, Request.Cookies returns the one with the deeper path structure. For example, if two cookies had the same name but one had a path attribute of /Www/ and the other of /Www/Home/, the client browser would send both cookies to the /Www/Home/ directory, but Request.Cookies would only return the second cookie.

To determine whether a cookie is a cookie dictionary (whether the cookie has keys), use the following script.

<%= Request.Cookies("myCookie").HasKeys %>

If MyCookie is a cookie dictionary, the preceding value evaluates to TRUE. Otherwise, it evaluates to FALSE.

You can iterate through all the cookies in the Cookie collection, or all the keys in a cookie. However, iterating through keys on a cookie that does not have keys will not produce any output. You can avoid this situation by first checking to see whether a cookie has keys by using the .HasKeys syntax, as shown in the following example:

For Each strKey In Request.Cookies
Response.Write strKey & " = " & Request.Cookies(strKey) & "<BR>"
If Request.Cookies(strKey).HasKeys Then
For Each strSubKey In Request.Cookies(strKey)
Response.Write "->" & strKey & "(" & strSubKey & ") = " & _
Request.Cookies(strKey)(strSubKey) & "<BR>"
End If

Example Code

The following example prints the value of MyCookie on a Web page.

Cookies are described in detail in the HTTP state management specification, which is available on the World Wide Web Consortium Web site.

Here is the value of the cookie named MyCookie:
<%= Request.Cookies("myCookie") %>


Client: Requires Windows XP Professional, Windows 2000 Professional, or Windows NT Workstation 4.0.

Server: Requires Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0.

Product: IIS

See Also