Java EE: Second, graphic Cookie (cookies)

Source: Internet
Author: User


Java EE: First, illustrated HTTP protocol

Java EE: Second, graphic Cookie (cookies)

Java EE: Three, graphical session (sessions)


I. Overview

Second, detailed introduction of the cookie transmission process

Third, talk about the role of cookies to XSS (cross-site scripting attacks)

Iv. Summary


I. Overview

First, from HTTP, is the cookie part of the HTTP protocol?

What is a cookie?

Self-answer: A cookie is a field in the Request header field and the Response header field. Simply put, it is the text of a set of key-value pairs accompanying the request and Response , small text. So called "cookie" cookies. The life of the cookie comes from the server. First, the client requests the service side, at which time the request is the first, no cookie parameters. At this time, the server Setcookie sent to the client. Remember that thecookie originates from the server .

What is the use of cookies?

Ask yourself a question: The cookie originates from the server and, of course, serves the customer. Just like you and me, the words are passed between us. So the cookie is used for the server and client sessions . Because the HTTP protocol is stateless , a cookie is a maintenance session, which is plainly the extra medium for passing data.

Below we visit Baidu address.

① generated on the server side of the Response, in the response header field :

The ② request header field is this: (Can be found on the Cookie tab, and the response has the same)

The following Masons detail their cookie in the request and response transfer process.

Second, detailed introduction of the cookie transmission process

Directly, explained in detail. By the way, write a cookieservlet that simulates the life of a cookie. The code is as follows:

1234567891011121314151617181920212223242526272829303132333435363738 package org.bysocket.http;import;import;import javax.servlet.ServletException;import javax.servlet.annotation.WebServlet;import javax.servlet.http.Cookie;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;@WebServlet(urlPatterns="/cookie")public class CookieServletT extends HttpServlet{    private static final long serialVersionUID = 1L;    @Override    protected void doGet(HttpServletRequest req, HttpServletResponse resp)            throws ServletException, IOException    {        // 获取Cookie        Cookie[] cookies = req.getCookies();        for (Cookie cookie : cookies)            System.out.println(cookie.getName() + " " + cookie.getValue());        // 创建Cookie        Cookie cookie = new Cookie("CookieName", "CookieValue");        cookie.setMaxAge(10);        cookie.setHttpOnly(true);        resp.addCookie(cookie);                // 响应        PrintWriter pw = resp.getWriter();        pw.print("<html><body><h1>Hello,Cookie!</h1></body></html>");    }    }

① Client access, no cookie written by the server.

Code new Cookie ("CookieName", "Cookievalue"); You can see that the server generates a new key value to the cookie, and sets the request header domain cookie to indicate that the first request is not available . There is no Cookiename=cookievalue cookie value below.

② cookies from the server are sent to the browser.

Httpservletresponse.addcookie (cookie) in the code; This response joins the cookie that was just that key-value pair. How to upload to the browser (client)? Under the same F12,

Can be obtained, the cookie is sent to the browser via HTTP response header field. The set of each cookie has a header corresponding to the Set-cookie. There is also time to represent the cookie's survival time, httponly but this cookie is read-only mode.

③ Browser parses the cookie and saves it to the browser file.

You can open Internet options for IE directly:

, the location file is where our cookie is stored. Now that he is there, the Mason will find it.

Open it up and the content is: cookie information and URL information and some about time.

123456789 CookieNameCookieValuelocalhost/servletBYSocket/9728 3416923392 30449698 3325104969 30449698 *

This completely understands how the cookie is written to the browser.

④ Client Access, there is a cookie written by the server.

In this way, the same URL is accessed again when F12:

Not much explanation, look at the picture.

⑤ Server Get

What about the service side? As long as the simple getcookies () can get a list of cookies. , the server console is printed as follows:

Mason Memory Cheat SHEET: Cookie Transmission Summary

① Client access, no cookie written by the server

Cookie written to browser on ② server

③ Browser parsing cookies, saving to browser files

④ Client access, cookies written by the server

⑤ Server Get

Third, talk about the role of cookies to XSS (cross-site scripting attacks)

Cookies are not as dangerous as viruses, but contain sensitive information. For example, the most common remember passwords, or some users often browse the page data.

users do not want these leaks, or even be attacked. But in fact there is this attack, how to attack it? I also detail and propose a solution in the article on cross-scripting attacks on XSS .

Full Name: Cross site script, Chinese name: Multi-site Scripting attack. As the name implies, it means "HTML injection" to modify the Web page, insert malicious script, so that when users browse the Web page, control the user browser an attack. The routine of a general attack:

Iv. Summary

Recalling the full text, cookies are a conversational mechanism in the HTTP protocol. And I understand the following two questions.

1. What is a cookie?

2. How do cookies work?


1 Java EE to understand the small things: two, graphic cookies (cookie)

Java EE: Second, graphic Cookie (cookies)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.