Cookie is a very important technology in modern web system development. Recently, I learned about the cookie standard rfc6265 and selected some content from it.1. Main Functions of cookies
Because the HTTP protocol is stateless, the web server cannot distinguish whether requests sent by a browser come from the same browser. Therefore, additional data is required for session maintenance. Cookie is such an additional piece of data that is transmitted along with the HTTP request.2. Main Functions of cookies
In addition to the name and value attributes, there are also the following optional attributes (these attribute names are case-insensitive and must be processed if the browser is set ), control the cookie lifecycle, visibility, and security.2.1) expires: absolute expiration time
If the value of this attribute cannot be converted to a date, the client ignores this attribute. When the expires values of the two requests of the same cookie are differentPossibleWill replace the old one.
If the attribute-value failed to parse as a cookie date, ignore the cookie-Av.
If the expiry-time is later than the last date the user agent can represent, the user agent may replace the expiry-time with the last representable date.
If the expiry-time is earlier than the earliest date the user agent can represent, the user agent may replace the expiry-time with the earliest representable date
If the first character of the attribute-value is not a digit or a "-" character, ignore the cookie-Av.
If the remainder of Attribute-value contains a non-digit character, ignore the cookie-Av.
If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. otherwise, let the expiry-time be the current date and time plus Delta-seconds.
The max-age and expires attributes control the cookie lifecycle.IfBoth are set. Use max-age.By default, cookies exist temporarily, and their stored values only exist during browser sessions. When the browser is launched, these values will be lost.
If a cookie has neither the max-age nor the expires attribute, the user agent will retain the cookie until "the current session is over" (as defined by the user agent ).
The scope of each cookie is limited to a set of paths, controlled by the path attribute. if the server omits the path attribute, the user agent will use the "directory" of the request-Uri's path component as the default value.
The user agent will include the cookie in an HTTP requestOnly ifThe path portion of the request-Uri matches (or is a subdirectory of) the Cookie's path attribute, where the % x2f ("/") character is interpreted as a directory separator.
Although seemingly useful for isolating cookies between different paths within a given host,The path attribute cannot be relied upon for security
If the server omits the domain attribute, the user agent will return the cookie only to the origin server. HoweverYou cannot set the domain of a cookie to a domain other than the domain of the server.
The user agent willReject cookiesUnless the domain attribute specifies a scope for the cookie that wocould include the origin server. for example, the user agent will accept a cookie with a domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a domain attribute of "bar.example.com" or of "baz.foo.example.com ". note: For security reasons, your user agents are configured to reject domain attributes that correspond to "Public suffixes ". for example, some user agents will reject domain attributes of "com" or "Co. UK ".
When a user agent has es a set-Cookie header field in an HTTP response, the user agent may ignore the set-Cookie header field in its entirety. for example, the user agent might wish to block responses to "third-party" requests from setting cookies.
The secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent ). when a cookie has the secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)2.6) HTTPOnly: after it is set to true, it can only be accessed through HTTP. The key value set to HTTPOnly cannot be obtained through document. Cookie to prevent XSS from reading cookies.
The HTTPOnly attribute and secure attributes are independent. You can set both attributes in a cookie.
The HTTPOnly attribute limits the scope of the cookie to HTTP requests. in particle, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-http" APIs (such as a web browser API that exposes cookies to scripts ). note that the HTTPOnly attribute is independent of the secure attribute: a cookie can have both the HTTPOnly and the secure attribute.
User agents ignore unrecognized cookie attributes (but not the entire cookie ).
To maximize compatibility with user agents, servers that wish to store arbitrary data in a cookie-value shocould encode that data, for example, using base64 [rfc4648].
To maximize compatibility with user agents, servers shoshould not produce two attributes with the same name in the same set-cookie-string.
If the user agent has es a new cookie with the same cookie-name, domain-value, and Path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie. notice that servers can delete cookies by sending the user agent A new cookie with an Expires attribute with a value in the past.
The cookie value is usually set on the server side, but it can also be set on the client side through Js. In addition
3.1) HTTP requests with the encoding method (httpclient package in Java) can directly add cookies to the Request Header;
3.2) iOS's uiwebview can construct a reqeust with Cookie in loadrequest;
3.3) Android webview can use cookiemanager to set cookies;
Through the HTTP Response Header, all the cookies set by the server are sent to the client,The sent content is the name and value of the cookie and all the attributes that have been set.4.2other cookie attributes
The browser does notSend all cookies it receives, It will check the domain name and directory to be requested, as long as these two items match the domain and path corresponding to the cookie, will be sent. Domain is based on the tail matching principle.Only name and value are sent, and other attributes are not sent.
Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-Name and cookie-value the user agent has ed in the Set-Cookie header.
Notice that the cookie attributes are not returned.
Therefore, when the client sends two cookies with the same name, the server cannot distinguish the two cookies.
Although cookies are serialized linearly in the cookie header, servers shoshould not rely upon the serialization order. in particle, if the cookie header contains two cookies with the same name (e.g ., that were set with different path or domain attributes), servers shoshould not rely upon the order in which these cookies appear in the header.
There are two methods to intercept others' cookies,
5.1). Attackers can exploit XSS to obtain others' cookies.
5.2.) try to obtain the cookie files stored on others' computers (this is difficult)
You can use some plug-ins (such as edit this cookie) or other technical means to modify the cookie. The secure attribute also has its own limitations.
Although seemingly useful for protecting cookies from active network attackers, the secure attribute protects only the Cookie's confidentiality. An active network attacker can overwrite secure cookies from an insecure channel, disrupting their integrity