Cookie handling in the Python Django framework
Browser developers realized long ago that the stateless nature of HTTP causes all sorts of problems for Web developers, and so cookies were born. A cookie is a small piece of information that the browser stores on behalf of a Web server. Each time the browser requests a page from that server, it sends back the cookies it previously received from it.
Let's see how this works. When you open your browser and go to google.com, your browser sends an HTTP request to Google that starts something like this:
GET / HTTP/1.1
Host: google.com
...
When Google replies, the HTTP response looks something like this:
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: PREF=ID=5b14f22bdaf1e81c:TM=1167000671:LM=1167000671; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
...
Note the Set-Cookie header. Your browser stores the cookie value (PREF=ID=5b14f22bdaf1e81c:TM=1167000671:LM=1167000671) and sends it back every time you visit the Google site; only the name=value pair is returned, not the expires, path and domain attributes, which the browser keeps for itself. So the next time you access Google, your browser sends a request like this:
GET / HTTP/1.1
Host: google.com
Cookie: PREF=ID=5b14f22bdaf1e81c:TM=1167000671:LM=1167000671
...
The cookie value tells Google that you are the same person who visited the site earlier. The value might be a key into a database table that stores user information, which is how Google can display your account's user name on the page.
Reading and Writing Cookies
When dealing with persistence in Django, most of the time you'll want to use the higher-level session and/or user frameworks discussed later in this chapter. But before we get there, we need to stop at a lower level and look at how to read and write cookies directly. That will help you understand how the tools discussed later in the chapter work, and it will come in handy if you ever need to handle cookies yourself.
Reading cookies that are already set is extremely easy. Every HttpRequest object has a COOKIES attribute that behaves like a dictionary; you can use it to read any cookies the browser sent along with the request to the view. Remember that the value came from the client, so escape it before echoing it into an HTML response:
from django.http import HttpResponse
from django.utils.html import escape

def show_color(request):
    if "favorite_color" in request.COOKIES:
        # the cookie value is client-controlled: escape it before echoing it into HTML
        return HttpResponse("Your favorite color is %s" % escape(request.COOKIES["favorite_color"]))
    else:
        return HttpResponse("You don't have a favorite color.")
Writing cookies is slightly more complicated. You need to use the set_cookie() method on the HttpResponse object. Here's an example that sets the favorite_color cookie from a GET parameter:
from django.http import HttpResponse
from django.utils.html import escape

def set_color(request):
    if "favorite_color" in request.GET:
        color = request.GET["favorite_color"]
        # Create an HttpResponse object (escaping the user-supplied value) ...
        response = HttpResponse("Your favorite color is now %s" % escape(color))
        # ... and set a cookie on the response
        response.set_cookie("favorite_color", color)
        return response
    else:
        return HttpResponse("You didn't give a favorite color.")
You can pass a number of optional arguments to response.set_cookie() to control the cookie's behavior: max_age and expires set its lifetime (by default it lasts only until the browser is closed), path and domain restrict which URLs it is sent to, secure tells the browser to send it only over HTTPS, and, in current Django versions, httponly keeps it out of reach of JavaScript and samesite limits whether it is attached to cross-site requests.
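The following is an added example, not code from the page or from Django itself. It shows what the optional arguments of response.set_cookie() become on the wire, and, picking up the Google exchange above, which cookies a browser then attaches to later requests (only name=value, and a Secure cookie only over HTTPS). It uses just http.cookies.SimpleCookie from the standard library, the class Django's HttpResponse.cookies is built on, so it runs without Django installed; the cookie names and values are constructed for the example.

```python
# Added example, not code from the page or from Django itself: it shows what
# the optional arguments of response.set_cookie() become on the wire, and
# which cookies a browser then attaches to later requests.  It uses only
# http.cookies.SimpleCookie from the standard library (the class Django's
# HttpResponse.cookies is built on), so it runs without Django installed.
from http.cookies import SimpleCookie


def build_set_cookie_headers(cookies):
    """Render (name, value, attrs) triples as Set-Cookie header values.

    attrs uses the keyword names of Django's response.set_cookie(): max_age,
    expires, path, domain, secure, httponly, samesite.  SimpleCookie spells
    them the RFC way ("max-age"), hence the underscore-to-hyphen mapping.
    """
    jar = SimpleCookie()
    for name, value, attrs in cookies:
        jar[name] = value
        for attr, attr_value in attrs.items():
            jar[name][attr.replace("_", "-")] = attr_value
    return [morsel.OutputString() for morsel in jar.values()]


def cookie_header_for(set_cookie_headers, scheme, path):
    """Simulate the browser: given the Set-Cookie headers it has stored,
    build the Cookie header for a request to scheme://<same host><path>.

    Only name=value is ever sent back; the attributes stay in the browser.
    A cookie marked Secure is withheld from plain-http requests, and a cookie
    scoped to a Path is only sent for requests under that path.  (Real
    browsers also check Domain and expiry; this toy ignores both.)
    """
    stored = SimpleCookie()
    for header in set_cookie_headers:
        stored.load(header)
    sent = []
    for name, morsel in stored.items():
        if morsel["secure"] and scheme != "https":
            continue
        if not path.startswith(morsel["path"] or "/"):
            continue
        sent.append(f"{name}={morsel.value}")
    return "; ".join(sent)


# Constructed sample: the page's favorite_color cookie set with the defaults
# (no attributes at all), beside a session cookie set the way a session
# cookie should be.  In Django the second one would be written as
#   response.set_cookie("sessionid", "3f1c9a2b", max_age=3600, path="/",
#                       secure=True, httponly=True, samesite="Lax")
weak = ("favorite_color", "blue", {})
hardened = ("sessionid", "3f1c9a2b",
            {"max_age": 3600, "path": "/", "secure": True,
             "httponly": True, "samesite": "Lax"})

if __name__ == "__main__":
    headers = build_set_cookie_headers([weak, hardened])
    for h in headers:
        print("Set-Cookie:", h)
    print("over https:", cookie_header_for(headers, "https", "/"))
    print("over http: ", cookie_header_for(headers, "http", "/"))
```

Run it and the session cookie comes out as sessionid=3f1c9a2b; HttpOnly; Max-Age=3600; Path=/; SameSite=Lax; Secure, and the simulated browser attaches it only to the https request. The favorite_color cookie, set with no attributes, travels on every request, in the clear, which is fine for a color preference and not for anything that identifies a user.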
Problems with Cookies
You may have noticed some problems with the way cookies work. Let's look at the important ones:
Storing cookies is voluntary; a client does not have to accept or store them. In fact, every browser lets the user control whether cookies are accepted. If you want to see how much the Web depends on cookies, try turning them off, or turning on your browser's option to prompt before accepting each one.
Cookies are widely used, but they cannot be relied on. This means that before depending on a cookie, a developer must check that the user's browser actually accepts and returns cookies.
Cookies (especially those not sent over HTTPS) are insecure. Because HTTP data is sent in cleartext, cookies are extremely vulnerable to sniffing: an attacker on the network path can intercept and read them. So you should never store sensitive information in a cookie, and a cookie that must stay private should at least be marked secure so the browser only ever sends it over HTTPS.
A more sinister variant is the "man-in-the-middle" attack, in which an attacker intercepts a cookie and replays it to impersonate its owner. Chapter 2 discusses attacks of this kind, and how to prevent them, in depth.
Even cookies that come back from the intended recipient are not trustworthy. In most browsers it is easy to modify the information stored in a cookie, and a savvy user can construct an HTTP request by hand with a tool such as mechanize (http://wwwsearch.sourceforge.net/mechanize).
So you shouldn't store data in cookies that would be dangerous if tampered with. The canonical mistake is storing something like IsLoggedIn=1 in a cookie to record that a user has logged on. The number of sites that make this mistake is staggering, and bypassing their "security" takes seconds: the attacker simply sets the cookie themselves. If a cookie must carry a value the client could forge, sign it so the server can detect tampering (Django provides response.set_signed_cookie() and request.get_signed_cookie() for exactly this), and keep the session data itself on the server behind an opaque random ID, which is what Django's session framework does by default.
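The following is an added example, not code from the page or from Django: the IsLoggedIn=1 check beside a cookie whose value is protected by an HMAC, so that a client who edits or fabricates it is detected. Django offers the same idea as response.set_signed_cookie() / request.get_signed_cookie(), built on django.core.signing and keyed with settings.SECRET_KEY; this version uses only the standard library so it runs without Django, and its secret, cookie names and timestamps are constructed for the example.

```python
# Added example, not code from the page or from Django: the "IsLoggedIn=1"
# check beside a cookie whose value is protected by an HMAC, so that a client
# who edits or fabricates it is detected.  Django offers the same idea as
# response.set_signed_cookie() / request.get_signed_cookie(), built on
# django.core.signing and keyed with settings.SECRET_KEY; this version uses
# only the standard library so it runs without Django.
import base64
import hashlib
import hmac
import time

# Constructed secret standing in for settings.SECRET_KEY.
SECRET_KEY = b"hypothetical-server-secret-rotate-me"


def parse_cookie_header(header):
    """Turn a Cookie request header into a dict of name -> value."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


# Vulnerable: the server believes whatever the client claims.
def is_logged_in_vulnerable(cookie_header):
    return parse_cookie_header(cookie_header).get("IsLoggedIn") == "1"


def _mac(value, ts, key):
    """URL-safe base64 HMAC-SHA256 over 'value:timestamp'."""
    digest = hmac.new(key, f"{value}:{ts}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_cookie_value(value, key=SECRET_KEY, now=None):
    """Return 'value:timestamp:mac'.  The MAC covers both value and
    timestamp, so neither can be altered without the key."""
    ts = int(time.time() if now is None else now)
    return f"{value}:{ts}:{_mac(value, ts, key)}"


def verify_cookie_value(signed, key=SECRET_KEY, max_age=None, now=None):
    """Return the original value, or None if the MAC does not verify, the
    format is wrong, or the cookie is older than max_age seconds."""
    try:
        value, ts, mac = signed.rsplit(":", 2)
        int(ts)
    except ValueError:
        return None
    # compare_digest: a plain == would leak how many leading bytes matched
    if not hmac.compare_digest(mac.encode(), _mac(value, ts, key).encode()):
        return None
    if max_age is not None:
        age = (time.time() if now is None else now) - int(ts)
        if age > max_age:
            return None
    return value


# Hardened: the logged-in user name is trusted only if the MAC checks out
# and the cookie is less than an hour old.
def is_logged_in_hardened(cookie_header, now=None):
    signed = parse_cookie_header(cookie_header).get("user")
    if signed is None:
        return None
    return verify_cookie_value(signed, max_age=3600, now=now)


def demo():
    """Constructed cookie headers, as a browser (or mechanize) would send them."""
    now = 1700000100
    forged = "IsLoggedIn=1; user=alice:1700000000:AAAA"
    results = {
        # the vulnerable check is fooled by a hand-written cookie ...
        "forged_vulnerable": is_logged_in_vulnerable(forged),
        # ... the signed check is not
        "forged_hardened": is_logged_in_hardened(forged, now=now),
    }
    legit = "user=" + sign_cookie_value("alice", now=1700000000)
    results["legit"] = is_logged_in_hardened(legit, now=now)
    # changing the value while keeping the old MAC fails verification
    value, ts, mac = legit[len("user="):].rsplit(":", 2)
    results["tampered"] = is_logged_in_hardened(f"user=admin:{ts}:{mac}", now=now)
    # and a replayed cookie older than max_age is rejected even with a valid MAC
    results["stale"] = is_logged_in_hardened(legit, now=1700000000 + 7200)
    return results


if __name__ == "__main__":
    print(demo())
```

Signing gives integrity, not confidentiality: the user name in the cookie is still readable by anyone who can see the cookie, so a signed cookie is no place for secrets either. That is why Django's default session backend stores the data server-side and puts only a random session ID in the cookie.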