cookie是现代web系统开发中非常重要的一个技术,最近对cookie标准RFC6265进行了了解,从中选取了部分内容。
因为HTTP协议是无状态的,对于一个浏览器发出的多次请求,WEB服务器无法区分是不是来源于同一个浏览器。所以,需要额外的数据用于维护会话。 Cookie 正是这样的一段随HTTP请求一起被传递的额外数据。
除了name、value这两个必备属性外,还有下面几个可选属性(这些属性名都是大小写不敏感的,并且只要设置了浏览器是必须处理的),分别控制cookie的生存周期、可见性、安全性。
如果这个属性的值不能被转换为日期,客户端会忽略该属性。当同一个cookie两次请求的expires值不相同时,新的 可能 会替换旧的。
If the attribute-value failed to parse as a cookie date, ignore the cookie-av.
If the expiry-time is later than the last date the user agent can represent, the user agent MAY replace the expiry-time with the last representable date.
If the expiry-time is earlier than the earliest date the user agent can represent, the user agent MAY replace the expiry-time with the earliest representable date
If the first character of the attribute-value is not a DIGIT or a '-' character, ignore the cookie-av.
If the remainder of attribute-value contains a non-DIGIT character, ignore the cookie-av.
If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. Otherwise, let the expiry-time be the current date and time plus delta-seconds seconds.
Max-age和expires这两个属性控制cookie生命周期。 如果两个都设置了,以Max-Age为准。 默认情况下,cookie是暂时存在的,他们存储的值只在浏览器会话期间存在。当浏览器推出后,这些值也就丢失了.
If a cookie has neither the Max-Age nor the Expires attribute, the user agent will retain the cookie until 'the current session is over' (as defined by the user agent)。
The scope of each cookie is limited to a set of paths, controlled by the Path attribute. If the server omits the Path attribute, the user agent will use the 'directory' of the request-uri’s path component as the default value.
The user agent will include the cookie in an HTTP request only if the path portion of the request-uri matches (or is a subdirectory of) the cookie’s Path attribute, where the %x2F ('/') character is interpreted as a directory separator.
Although seemingly useful for isolating cookies between different paths within a given host,the Path attribute cannot be relied upon for security
If the server omits the Domain attribute, the user agent will return the cookie only to the origin server。但不能将一个cookie的域设置成服务器所在的域之外的域
The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of 'example.com' or of 'foo.example.com' from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of 'bar.example.com' or of 'baz.foo.example.com'. NOTE: For security reasons, many user agents are configured to reject Domain attributes that correspond to 'public suffixes'. For example, some user agents will reject Domain attributes of 'com' or 'co.uk'.
When a user agent receives a Set-Cookie header field in an HTTP response, the user agent MAY ignore the Set-Cookie header field in its entirety. For example, the user agent might wish to block responses to 'third-party' requests from setting cookies。
The Secure attribute limits the scope of the cookie to 'secure' channels (where 'secure' is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)
httpOnly属性和secure是独立的,一个cookie可以同时设置这两个属性。
The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via 'non-HTTP' APIs (such as a web browser API that exposes cookies to scripts). Note that the HttpOnly attribute is independent of the Secure attribute: a cookie can have both the HttpOnly and the Secure attribute.
User agents ignore unrecognized cookie attributes (but not the entire cookie).
To maximize compatibility with user agents, servers that wish to store arbitrary data in a cookie-value SHOULD encode that data, for example, using Base64 [RFC4648].
To maximize compatibility with user agents, servers SHOULD NOT produce two attributes with the same name in the same set-cookie-string.
If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie. Notice that servers can delete cookies by sending the user agent a new cookie with an Expires attribute with a value in the past.
通常cookie值是在服务端设置,但也可以通过js在客户端设置,另外
3.1)编码方式(Java中的httpclient包)的http请求可以直接在请求头上加入cookie;
3.2)iOS的UIWebview可以在loadRequest构造带cookie的reqeust;
3.3)Android的Webview可以通过CookieManager来设置cookie;
通过http的response头,会将服务端设置的所有的cookie都发送到客户端,发送的内容是cookie的name、value及已设置的全部属性
通过http的request头,浏览器也不是发送它所接收到的所有Cookie,它会检查当前要请求的域名以及目录, 只要这二项目与Cookie对应的Domain和Path匹配,才会发送。对于Domain则是按照尾部匹配的原则进行的。发送的内容只有name和value,其他的属性是不发送的。
Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-name and cookie-value the user agent received in the Set-Cookie header.
Notice that the cookie attributes are not returned.
因而当客户端发送两个同名的cookie时,服务端是无法区分这两个cookie的归属。
Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header.
有两种方法可以截获他人的cookie,
5.1). 通过XSS脚步攻击, 获取他人的cookie
5.2.) 想办法获取别人电脑上保存的cookie文件(这个比较难)
可以通过一些插件(如edit this cookie)或者其他技术手段进行修改。Secure属性也有其局限性。
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity
新闻热点
疑难解答