Anthony Leo
18,377 Points
What is the difference between a request attribute and a cookie?
Specifically, why did we implement this code in Spark?
    before((req, res) -> {
        if (req.cookie("username") != null) {
            req.attribute("username", req.cookie("username"));
        }
    });
When I look at the HTTP header I still see "Cookie:username=user"
I guess I was expecting a new header called "Attributes" or something along those lines...
If someone could elaborate why we made this change, it would be greatly appreciated!
Thanks!
1 Answer
Alexander Nikiforov
Java Web Development Techdegree Graduate 22,175 Points
First of all by adding the code:
    before((req, res) -> {
        if (req.cookie("username") != null) {
            req.attribute("username", req.cookie("username"));
        }
    });
He solves the TODO he wrote earlier:
TODO:this username is tied to cookie implementation
Why changing cookie to request is better.
Consider reading the answer here first:
You can see from the answer there that you cannot see request.attribute in the HTTP request from the browser, for the reasons explained in the answer above:
Quote:
attributes are not present in any way in the HTTP request as it travels over the wire. They are created (by your code) when processing the request.
The cookie is seen by anyone and can be used by hackers, but the request attribute is NOT. That is why Craig put that TODO, because ultimately he wants to use request.attribute because it is safer and better....
Do you see where it goes?
A cookie can be attached up to forever to selected pages and will be seen there by anyone from the browser. request.attribute will be seen only on the server side and only by you, that is why it is safer ...
All I can get with my knowledge, hope it makes sense ...
Anthony Leo
18,377 Points
I think I kind of understand the difference now. Your response was very helpful. Thank you!
Daniel Vigil
26,473 Points
Here, this code looks like it is looking at the cookies and seeing if there is any value for username listed in the cookie. If there is (not null), then it sets the request attribute of username to the cookie value.
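An added example (not from the course or from the posts above) of the same before-filter pattern in Spark: routes read only the request attribute, which lives in server memory for one request and never appears in a header. An attribute copied from a cookie still carries whatever the browser sent, so this version checks an HMAC on the cookie before setting it; the class name, `tag`, `verify`, the `/sign-in` and `/whoami` routes and the demo key are assumptions.

```java
import static spark.Spark.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AttributeDemo {
    // Constructed demo key (assumption); load a real one from configuration.
    private static final byte[] KEY = "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

    // Hypothetical helper: HMAC-SHA256 tag over the username, URL-safe Base64.
    static String tag(String username) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] raw = mac.doFinal(username.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Hypothetical helper: returns the username only for "<username>.<valid tag>".
    static String verify(String cookie) throws Exception {
        int dot = (cookie == null) ? -1 : cookie.lastIndexOf('.');
        if (dot < 1) return null;
        String user = cookie.substring(0, dot);
        byte[] expected = tag(user).getBytes(StandardCharsets.UTF_8);
        byte[] given = cookie.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given) ? user : null; // constant-time compare
    }

    public static void main(String[] args) {
        // Sign-in is the only place the cookie is written.
        post("/sign-in", (req, res) -> {
            String user = req.queryParams("username");
            if (user == null || user.isEmpty()) halt(400, "username required");
            res.cookie("username", user + "." + tag(user));
            return "signed in";
        });
        // The filter is the only place the cookie is read; the attribute stays server-side.
        before((req, res) -> {
            String user = verify(req.cookie("username"));
            if (user != null) req.attribute("username", user);
        });
        // Routes depend on the attribute, not on how the user was identified.
        get("/whoami", (req, res) -> {
            String user = req.attribute("username");
            if (user == null) halt(401, "not signed in");
            return "Hello, " + user;
        });
    }
}
```

With Spark on the classpath, a request whose `username` cookie has been edited in the browser fails `verify`, no attribute is set, and `/whoami` answers 401.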