Java

Anthony Leo
18,377 Points

What is the difference between a request attribute and a cookie?

Specifically, why did we implement this code in Spark?

    before((req, res) -> {
        if (req.cookie("username") != null) {
            req.attribute("username", req.cookie("username"));
        }
    });

When I look at the HTTP header I still see "Cookie:username=user".

I guess I was expecting a new header called "Attributes" or something along those lines...

If someone could elaborate why we made this change, it would be greatly appreciated!

Thanks!

Daniel Vigil
26,473 Points

Here, this code looks like it is looking at the cookies and seeing if there is any value for username listed in the cookie. If there is (not null), then it sets the request attribute of username to the cookie value.

1 Answer

Alexander Nikiforov
Java Web Development Techdegree Graduate 22,161 Points

First of all, by adding the code:

    before((req, res) -> {
        if (req.cookie("username") != null) {
            req.attribute("username", req.cookie("username"));
        }
    });

he solves the TODO he wrote earlier:

TODO:this username is tied to cookie implementation

Why changing cookie to request is better.

Consider reading the answer here first:

http://stackoverflow.com/questions/911529/how-the-attribute-field-of-a-httpservletrequest-maps-to-a-raw-http-request

You can see from the answer there that you cannot see request.attribute in the HTTP request from the browser, for the reasons explained in the answer above:

Quote:

attributes are not present in any way in the HTTP request as it travels over the wire. They are created (by your code) when processing the request.

The cookie is visible to anyone and can be used by hackers, but the request attribute is NOT. That is why Craig put that TODO, because ultimately he wants to use request.attribute because it is safer and better...

Do you see where it goes?

A cookie can be attached to selected pages, up to forever, and will be visible there to anyone from the browser.

request.attribute will be seen only on the server side and only by you; that is why it is safer ...

All I can get with my knowledge, hope it makes sense ...

Anthony Leo
18,377 Points

I think I kind of understand the difference now. Your response was very helpful. Thank you!
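
Added example, not from the original thread or the course: in the filter quoted above, the attribute's value is copied from the cookie, which the browser sends and the user can therefore edit. The sketch below has the same `before` filter set the attribute only when the cookie carries a valid HMAC tag. The `/sign-in` and `/whoami` routes, the `username.tag` cookie format, the hard-coded key and the class name are assumptions made for illustration, and it assumes a Spark version that has the five-argument `res.cookie` overload.

```java
import static spark.Spark.*;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedUsernameCookie {
    // Assumption: a constructed demo key; a real deployment loads it from secret storage.
    private static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    // HMAC-SHA256 over the username, URL-safe Base64 so the tag fits in a cookie value.
    static String sign(String username) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal(username.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Returns the username only if the cookie is "<username>.<valid tag>", otherwise null.
    static String verify(String cookie) throws Exception {
        int dot = cookie == null ? -1 : cookie.lastIndexOf('.');
        if (dot <= 0) return null;
        String username = cookie.substring(0, dot);
        byte[] expected = sign(username).getBytes(StandardCharsets.UTF_8);
        byte[] supplied = cookie.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, supplied) ? username : null;
    }

    public static void main(String[] args) {
        post("/sign-in", (req, res) -> {
            String username = req.queryParams("username");
            if (username == null || username.isEmpty()) halt(400, "username required");
            // maxAge 3600 s, secured=false for local HTTP testing (true under HTTPS), httpOnly=true.
            res.cookie("username", username + "." + sign(username), 3600, false, true);
            return "signed in";
        });
        before((req, res) -> {
            // The cookie comes from the client; only a verified value becomes an attribute.
            String username = verify(req.cookie("username"));
            if (username != null) req.attribute("username", username);
        });
        get("/whoami", (req, res) -> {
            String username = req.attribute("username");
            return username == null ? "anonymous" : username;
        });
    }
}
```

Route handlers read `req.attribute("username")` and never touch the cookie, so the verification lives in one place; a request whose cookie was edited by hand reaches `/whoami` as `anonymous`.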