HTTP protocol (vii) cookies
For what a cookie is, what it is used for, and why you would use cookies, please see the article "Cookie" written by Fish Li.
Classification of Cookies
Cookies can roughly be divided into two categories: session cookies and persistent cookies.
Session cookie: a temporary cookie that records settings and preferences while a user visits a site; when the browser is closed, the session cookie is deleted.
Persistent cookie: stored on the hard disk (it survives the browser exiting and the computer restarting); a persistent cookie has an expiration time.
Where cookies are stored
Cookies are stored on the hard disk. The place where IE stores cookies is different from the place where Firefox stores them, and different operating systems may store cookies in different places as well.
Each browser stores its cookies in its own separate space, without interfering with the others.
Taking my Windows 7 with IE8 as an example, cookies are stored here: C:\Users\xiaoj\AppData\Local\Microsoft\Windows\Temporary Internet Files
Note: cached files and cookie files live together in this same directory.
You can also find it by opening IE and clicking Tools -> Internet Options -> General tab -> Settings button under Browsing history; in the dialog box that pops up, click View Files.
Different websites have different cookie files.
Enabling and disabling cookies
IE: Tools -> Internet Options -> Privacy tab
Viewing cookies in HTTP with Fiddler
The browser sends its cookies to the Web server through the "Cookie:" header of the HTTP request.
The Web server sends cookies to the browser through the "Set-Cookie:" header of the HTTP response.
With Fiddler you can clearly see cookies being passed in HTTP: the Fiddler tool gives a clear view of the cookie in the HTTP request and of the cookie in the HTTP response.
Example: start Fiddler, start the browser, visit a shopping site, and you will see them.
How automatic website login works
We use "automatic login on cnblogs.com (Blog Park)" as an example to illustrate how cookies are delivered.
Everyone knows that cnblogs.com can log you in automatically. What is the principle behind this?
Suppose I have entered my user name and password on the login page, chosen to save the password, and logged in.
(At this point the login cookie has actually been saved on your machine; if you do not believe it, you can use the method from the previous section to find the cnblogs.com cookie on your computer.)
The next time I visit cnblogs.com, the process is as follows.
1. The user opens the IE browser and enters www.cnblogs.com in the address bar.
2. IE first looks on the hard disk for a cookie belonging to cnblogs.com, then puts that cookie into the HTTP request and sends the request to the Web server.
3. The Web server returns the home page of the blog (and you will see that you are already logged in).
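As an added example (not code from the original post), here is a small Python sketch of what the browser does with the Set-Cookie headers of a login response and which Cookie header it sends on the next visit, covering both the Fiddler section above and steps 1 to 3; the cookie names and values are constructed, not cnblogs' real ones. It goes slightly beyond the text by recording the HttpOnly attribute: a cookie carrying it is stored and sent as usual but cannot be read by page script.

```python
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie headers a login response might carry
# (hypothetical cookie names, not the site's real ones).
LOGIN_RESPONSE_HEADERS = [
    "Set-Cookie: .AuthCookie=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly",
    "Set-Cookie: cart=3items; Path=/",
    "Set-Cookie: theme=dark; Max-Age=3600; Path=/",
]

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes); attribute names are lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value.strip(), attrs

def classify(attrs, now):
    """Session cookie if it has neither Expires nor Max-Age; otherwise persistent with an expiry time.
    Max-Age takes precedence over Expires, as browsers do (RFC 6265)."""
    if "max-age" in attrs:
        return "persistent", now + int(attrs["max-age"])
    if "expires" in attrs:
        return "persistent", parsedate_to_datetime(attrs["expires"]).timestamp()
    return "session", None

def store_cookies(headers, now):
    """What the browser writes to its cookie store after receiving the response."""
    jar = {}
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue
        name, value, attrs = parse_set_cookie(h.split(":", 1)[1])
        kind, expires_at = classify(attrs, now)
        jar[name] = {"value": value, "kind": kind, "expires_at": expires_at,
                     "httponly": "httponly" in attrs}
    return jar

def cookie_header(jar, now, browser_restarted):
    """Build the 'Cookie:' header sent on the next visit (step 2 of the auto-login flow)."""
    pairs = []
    for name, c in jar.items():
        if c["kind"] == "session" and browser_restarted:
            continue  # session cookies vanished when the browser was closed
        if c["expires_at"] is not None and c["expires_at"] <= now:
            continue  # persistent cookie past its expiration time
        pairs.append(f"{name}={c['value']}")
    return "Cookie: " + "; ".join(pairs) if pairs else None

def script_visible(jar):
    """Cookie names that page script (document.cookie) can read: those without HttpOnly."""
    return [n for n, c in jar.items() if not c["httponly"]]
```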
Intercepting a cookie and impersonating someone else's identity
From the example above, you can see that what decides whether a request counts as a logged-in user is the cookie. If someone else's cookie is intercepted, can it be used to log in as that person? Of course it can; this hacker technique is called cookie spoofing.
With cookie spoofing there is no need to know the user name or password; the attacker can log in directly and use someone else's account to do bad things.
I know of two ways to intercept other people's cookies:
1. Obtain someone else's cookie through an XSS attack. For the specific principle, see [web security testing of XSS].
2. Find a way to obtain the cookie file saved on someone else's computer (this is difficult).
Once you have the cookie, you can impersonate that person's identity. I am not going to demonstrate this process.
The difference between cookies and the file cache
Many people confuse cookies with the file cache, but these are two completely different things. Their only similarities are that both live on the hard disk and sit in the same folder.
For HTTP caching, see the article "HTTP protocol: Cache".
In IE you can choose to delete cookies and cached files separately.
Cookies and privacy leaks
At CCTV's 2013 "315" gala (Consumer Rights Day), many unscrupulous companies were exposed for using cookies to track and collect users' personal information and resell it to online advertisers, forming a gray industry chain of stolen user information whose purpose is precisely targeted advertising. This seriously interferes with users' normal use of the network and violates personal privacy and interests.
I often found on portal sites that the ads on the site showed the e-commerce sites I had visited. This is my cookie having been leaked.
Currently in Europe there is legislation on cookies: if a website needs to save a user's cookie, it must pop up a dialog box and obtain the user's confirmation before the cookie can be saved.
P3P protocol
From the above, a cookie is something that can easily expose user privacy and is dangerous. Is there a way to protect the privacy of individual users? That is the P3P protocol.
P3P is a standard known as the Platform for Privacy Preferences (translated in Chinese as the "Personal Privacy Security Platform Project") that protects online privacy and allows Internet surfers to choose whether their data may be collected and used by third parties while they browse the Web. If a site does not comply with the P3P standard, then its cookies are automatically rejected, and P3P can also automatically detect how many cookies are embedded. P3P was developed by the Global Information Alliance network.