Cookie standard rfc6265 introduction to HTTP protocol

Source: Internet
Author: User
Tags rfc

Cookie is a very important technology in modern web system development. Recently, I learned about the cookie standard rfc6265 and selected some content from it.

1. Main Functions of cookies

Because the HTTP protocol is stateless, the web server cannot distinguish whether requests sent by a browser come from the same browser. Therefore, additional data is required for session maintenance. Cookie is such an additional piece of data that is transmitted along with the HTTP request.

2. Main Functions of cookies

In addition to the name and value attributes, there are also the following optional attributes (these attribute names are case-insensitive and must be processed if the browser is set ), control the cookie lifecycle, visibility, and security.

2.1) expires: absolute expiration time

If the value of this attribute cannot be converted to a date, the client ignores this attribute. When the expires values of the two requests of the same cookie are differentPossibleWill replace the old one.
If the attribute-value failed to parse as a cookie date, ignore the cookie-Av.
If the expiry-time is later than the last date the user agent can represent, the user agent may replace the expiry-time with the last representable date.
If the expiry-time is earlier than the earliest date the user agent can represent, the user agent may replace the expiry-time with the earliest representable date

2.2) max-age: relative expiration time, in seconds. If the value of this attribute is not a number, the client will not process it.

If the first character of the attribute-value is not a digit or a "-" character, ignore the cookie-Av.
If the remainder of Attribute-value contains a non-digit character, ignore the cookie-Av.
If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. otherwise, let the expiry-time be the current date and time plus Delta-seconds.

The max-age and expires attributes control the cookie lifecycle.IfBoth are set. Use max-age.By default, cookies exist temporarily, and their stored values only exist during browser sessions. When the browser is launched, these values will be lost.
If a cookie has neither the max-age nor the expires attribute, the user agent will retain the cookie until "the current session is over" (as defined by the user agent ).

2.3) path: Specifies the webpage associated with the cookie. By default, cookie is associated with the webpage that is created, the webpage that is in the same directory as the webpage, And the webpage in the subdirectory of this directory. At the same time, this attribute cannot be used to determine security.

The scope of each cookie is limited to a set of paths, controlled by the path attribute. if the server omits the path attribute, the user agent will use the "directory" of the request-Uri's path component as the default value.
The user agent will include the cookie in an HTTP requestOnly ifThe path portion of the request-Uri matches (or is a subdirectory of) the Cookie's path attribute, where the % x2f ("/") character is interpreted as a directory separator.
Although seemingly useful for isolating cookies between different paths within a given host,The path attribute cannot be relied upon for security

2.4) domain: If the Domain value of the cookie is not set, the default value of this attribute is the host name of the server on which the cookie is created.

If the server omits the domain attribute, the user agent will return the cookie only to the origin server. HoweverYou cannot set the domain of a cookie to a domain other than the domain of the server. 
The user agent willReject cookiesUnless the domain attribute specifies a scope for the cookie that wocould include the origin server. for example, the user agent will accept a cookie with a domain attribute of "" or of "" from, but the user agent will not accept a cookie with a domain attribute of "" or of " ". note: For security reasons, your user agents are configured to reject domain attributes that correspond to "Public suffixes ". for example, some user agents will reject domain attributes of "com" or "Co. UK ".
When a user agent has es a set-Cookie header field in an HTTP response, the user agent may ignore the set-Cookie header field in its entirety. for example, the user agent might wish to block responses to "third-party" requests from setting cookies.

2.5) Secure: It specifies how the cookie value is transmitted on the network. By default, cookies are insecure, that is, they are transmitted through a common, insecure HTTP link. However, if the cookie is marked as secure, it will be transmitted only in the browser and server over https or other secure protocol links. This attribute can only ensure that cookies are kept confidential. .

The secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent ). when a cookie has the secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)

2.6) HTTPOnly: after it is set to true, it can only be accessed through HTTP. The key value set to HTTPOnly cannot be obtained through document. Cookie to prevent XSS from reading cookies.

The HTTPOnly attribute and secure attributes are independent. You can set both attributes in a cookie.
The HTTPOnly attribute limits the scope of the cookie to HTTP requests. in particle, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-http" APIs (such as a web browser API that exposes cookies to scripts ). note that the HTTPOnly attribute is independent of the secure attribute: a cookie can have both the HTTPOnly and the secure attribute.

2.7) Other cookie attributes

User agents ignore unrecognized cookie attributes (but not the entire cookie ).
To maximize compatibility with user agents, servers that wish to store arbitrary data in a cookie-value shocould encode that data, for example, using base64 [rfc4648].
To maximize compatibility with user agents, servers shoshould not produce two attributes with the same name in the same set-cookie-string.
If the user agent has es a new cookie with the same cookie-name, domain-value, and Path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie. notice that servers can delete cookies by sending the user agent A new cookie with an Expires attribute with a value in the past.

3. Where to set the cookie value

The cookie value is usually set on the server side, but it can also be set on the client side through Js. In addition
3.1) HTTP requests with the encoding method (httpclient package in Java) can directly add cookies to the Request Header;
3.2) iOS's uiwebview can construct a reqeust with Cookie in loadrequest;
3.3) Android webview can use cookiemanager to set cookies;

4. How to transmit cookies and rules 4.1 server-Client

Through the HTTP Response Header, all the cookies set by the server are sent to the client,The sent content is the name and value of the cookie and all the attributes that have been set.

4.2other cookie attributes

The browser does notSend all cookies it receives, It will check the domain name and directory to be requested, as long as these two items match the domain and path corresponding to the cookie, will be sent. Domain is based on the tail matching principle.Only name and value are sent, and other attributes are not sent.
Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-Name and cookie-value the user agent has ed in the Set-Cookie header.
Notice that the cookie attributes are not returned.
Therefore, when the client sends two cookies with the same name, the server cannot distinguish the two cookies.
Although cookies are serialized linearly in the cookie header, servers shoshould not rely upon the serialization order. in particle, if the cookie header contains two cookies with the same name (e.g ., that were set with different path or domain attributes), servers shoshould not rely upon the order in which these cookies appear in the header.

5. Can cookies be intercepted?

There are two methods to intercept others' cookies,
5.1). Attackers can exploit XSS to obtain others' cookies.
5.2.) try to obtain the cookie files stored on others' computers (this is difficult)

6. Can cookie be modified illegally?

You can use some plug-ins (such as edit this cookie) or other technical means to modify the cookie. The secure attribute also has its own limitations.
Although seemingly useful for protecting cookies from active network attackers, the secure attribute protects only the Cookie's confidentiality. An active network attacker can overwrite secure cookies from an insecure channel, disrupting their integrity

    • Http://
    • Http://
    • Http://
Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.