A documented feature of the BlackBerry Enterprise Server (BES)
is the ability to have the BES handle cookies on behalf of
client applications. In other words, any Set-Cookie
headers sent back in HTTP responses can be intercepted by
the BES (which is acting as a web proxy server) and stripped
out of the response sent back down to the client. The cookie
is then automatically inserted into subsequent requests by
the client app when its request passes through the BES
(again, in its capacity as a proxy server).
A Bad Feature
In my opinion, this cookie handling feature is not
a feature but a bug. The basic problem is this: if a session
cookie is used, there's no way for the application to signal
the BES that the "session" is finished. The normal behavior
is for the client to clear session cookies when the session
terminates. In a browser, this usually means when the browser
is exited. In a J2ME application, the application simply
stops sending the cookie in subsequent requests.
But since the BES is handling the cookies for you,
when exactly does the "session" end? It doesn't! So
what happens is that you get a stale cookie being appended
to your app's requests. If the server on the other end
doesn't like it, too bad.
The Best Solution
The best solution? Turn off the BES-level cookie
handling and let the application do the cookie handling
by itself. All you do is set this property in
the configuration file:
application.handler.http.CookieSupport = false
You can also set it directly from the BES management
A Back Door
If for whatever reason you can't disable BES cookie
handling (such as when your IT department won't let
you change the BES settings) then there's a back door
that works with more recent devices. This back door
lets you override the cookie handling on a connection
basis. It's what RIM's own browser uses.
All you do is this: when your application makes
its HTTP request, set the "Accept" header to
the following string:
This is easily done using the HttpConnection.setRequestProperty
method, of course. When the BES sees this, it thinks that the browser
is making the request and it lets the Set-Cookie header pass
through unscathed down to the application and doesn't append
any Cookie headers on the request.
Truly a hack, but a hack that works.