HTTP protocol (vii) cookies

Source: Internet
Author: User

Cookies are a very important part of the HTTP protocol. I learned a lot from reading "cookie" by Fish Li; that article is so thorough that there is not much left for me to write, so this article is short.

I have recently been writing a series of HTTP articles, so here I will look at cookies from the perspective of the HTTP protocol and give my own understanding of them.

Read Catalogue

    1. What is a cookie, what's the use of it, and why you use cookies
    2. Classification of Cookies
    3. Where does the cookie exist
    4. Use and disable cookies
    5. Fiddler viewing cookies in HTTP
    6. The principle of automatic website login
    7. Intercept cookies, impersonate someone else's identity
    8. The difference between a cookie and a file cache
    9. Cookie Disclosure Privacy
    10. P3P protocol

What is a cookie, what's the use of it, and why you use cookies

Please read "cookie" by Fish Li.

Classification of Cookies

Cookies can be roughly divided into two categories: session cookies and persistent cookies.

Session cookie: a temporary cookie that records the user's settings and preferences while visiting a site; when the browser is closed, the session cookie is deleted.

Persistent cookie: stored on the hard disk (it survives the browser exiting and even the computer restarting); a persistent cookie has an expiration time.

Where does the cookie exist

Cookies are stored on the hard disk. IE stores its cookies in a different place from Firefox, and different operating systems may store them in different places as well.

Different browsers store cookies in their own separate spaces and do not interfere with each other.

Take my Windows 7 with IE8 as an example; the cookies are here: C:\Users\xiaoj\AppData\Local\Microsoft\Windows\Temporary Internet Files

Note: cached files and cookie files are kept together in this same directory.

You can also get there from IE: click Tools -> Internet Options -> General tab -> Browsing History -> Settings button, then click View Files in the dialog that pops up.

Different websites have different cookie files.

Use and disable cookies

IE: Tools -> Internet Options -> Privacy tab.

Fiddler viewing cookies in HTTP

The browser sends cookies to the web server in the "Cookie:" header of the HTTP request.

The web server sends cookies to the browser in the "Set-Cookie:" header of the HTTP response.

With Fiddler you can clearly see cookies being passed in HTTP: it shows both the cookie in the HTTP request and the cookie in the HTTP response.

Example: start Fiddler, open a browser and visit a shopping site, and you will see them.

The principle of automatic website login

We use the blog park's automatic login as an example to illustrate how cookies are delivered.

Everyone knows that the blog park can log you in automatically. What is the principle behind this?

Suppose I enter my user name and password on the login page, choose to save the password, and log in.

(At this point the login cookie has actually been saved on your machine; if you don't believe it, use the method from the previous section to find the blog park cookie on your computer.)

The next time I visit the blog park, the process is as follows.

1. The user opens the IE browser and enters the blog park's address in the address bar.

2. IE first looks on the hard disk for the cookie belonging to that site, puts the cookie into the HTTP request, and sends the request to the web server.

3. The web server returns the blog park home page, and you will see that you are already logged in.
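As an added example (not code from the original article), the following Python models what the browser does with these two headers: it parses Set-Cookie, keeps a session cookie only until the browser closes and a persistent cookie until its Max-Age or Expires, and replays the live ones in the Cookie header of the next request, which is exactly the automatic-login flow above. It also handles the Secure and HttpOnly attributes, which the article does not cover; all cookie names, values and the clock value are constructed.

```python
from email.utils import parsedate_to_datetime
# Constructed Set-Cookie headers, as a server might send after a login (made-up values).
SET_COOKIE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",                                # session cookie
    "remember=tok456; Path=/; Max-Age=2592000; Secure; HttpOnly",  # persistent, 30 days
    "theme=dark; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",   # already expired
]
NOW = 1_600_000_000  # constructed clock value, seconds since the epoch

def parse_set_cookie(header, now):
    """Parse one Set-Cookie value; expires is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = {"name": name, "value": value, "expires": None, "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "max-age":                          # Max-Age takes precedence over Expires
            c["expires"] = now + int(val)
        elif key == "expires" and c["expires"] is None:
            c["expires"] = parsedate_to_datetime(val).timestamp()
        elif key in ("secure", "httponly"):           # attribute flags without a value
            c[key] = True
    return c

class CookieJar:
    def __init__(self):
        self.cookies = {}          # one store per site, keyed by cookie name

    def store(self, headers, now):
        for h in headers:
            c = parse_set_cookie(h, now)
            if c["expires"] is not None and c["expires"] <= now:
                self.cookies.pop(c["name"], None)   # an expired cookie means: delete it
            else:
                self.cookies[c["name"]] = c

    def close_browser(self):
        # Session cookies die with the browser; persistent cookies stay on disk.
        self.cookies = {n: c for n, c in self.cookies.items() if c["expires"] is not None}

    def cookie_header(self, now, https=True):
        """Build the Cookie: header for the next request, or None if nothing is sent."""
        live = [c for c in self.cookies.values()
                if (c["expires"] is None or c["expires"] > now) and (https or not c["secure"])]
        return "; ".join(f"{c['name']}={c['value']}" for c in live) or None

    def script_readable(self):
        """Cookie names an in-page script (document.cookie) could read; HttpOnly hides them."""
        return [n for n, c in self.cookies.items() if not c["httponly"]]
```

After `close_browser()` only the persistent `remember` cookie is still sent, which is why the site still recognises you on the next visit.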

Intercept cookies, impersonate someone else's identity

From the example above, you can see that whether a user counts as logged in depends on whether the login cookie is present. If someone else's cookie is intercepted, can it be used to log in as that person? Of course; this is a hacker technique called cookie spoofing.

With cookie spoofing you do not need to know the user name or password; you can log in directly and use someone else's account to do bad things.

I know of two ways to intercept other people's cookies:

1. Obtain someone else's cookie through an XSS attack. The principle is explained in [web security testing of XSS].

2. Find a way to get the cookie file saved on someone else's computer (this is difficult).

Once you have the cookie, you can impersonate that person's identity. I am not going to demonstrate this process.

The difference between a cookie and a file cache

Many people confuse cookies with the file cache, but they are completely different things. Their only similarity may be that both live on the hard disk, in the same folder.

For HTTP caching, see "HTTP protocol cache".

In IE we can choose to delete cookies and cached files separately.

Cookie Disclosure Privacy

CCTV's 2013 "315" gala exposed many unscrupulous companies that use cookies to track and collect users' personal information and resell it to online advertisers, forming a grey industry chain that steals user information in order to deliver precisely targeted advertising. This seriously interferes with users' normal use of the network and violates their privacy and interests.

I often notice that the ads on a portal site show things I browsed on an e-commerce site. This is my cookie being leaked.

Europe has now enacted cookie legislation: if a website needs to save a cookie for the user, it must first show a dialog and obtain the user's confirmation before the cookie can be saved.

P3P protocol

From the above, cookies are something that can easily disclose a user's privacy and are therefore dangerous. Is there a way to protect the privacy of individual users? That is what the P3P protocol is for.

P3P is a standard known as the Platform for Privacy Preferences (the Personal Privacy Security Platform Project) that protects online privacy and lets Internet users choose whether their information may be collected and used by third parties while browsing the web. If a site does not comply with the P3P standard, its cookies are automatically rejected, and P3P can also automatically detect how many cookies are embedded. P3P was developed by the World Wide Web Consortium (W3C).
