Java EE to understand the small things: two, graphic cookies (cookie)

Writer:bysocket (mud and brick pulp carpenter)

Micro-Blog: Bysocket

Watercress: Bysocket

FaceBook: Bysocket

Twitter: Bysocket

Previous Article schematic HTTP protocol , this time continue the HTTP family of cookies. Mason recently saw a good article in the blog Park,

This is because the browser cookie is too large, causing the request to fail when the request header domain is too large. Let's learn about cookies below. According to the previous ideas and illustrations ha, not illustrated a xx.

I. Overview

First, from HTTP, is the cookie part of the HTTP protocol?

What is a cookie?

Self-answer: A cookie is a field in the Request header field and the Response header field. Simply put, it is the text of a set of key-value pairs accompanying the request and Response , small text. So called "cookie" cookies. The life of the cookie comes from the server. First, the client requests the service side, at which time the request is the first, no cookie parameters. At this time, the server Setcookie sent to the client. Remember that thecookie originates from the server .

What is the use of cookies?

Ask yourself a question: The cookie originates from the server and, of course, serves the customer. Just like you and me, the words are passed between us. So the cookie is used for the server and client sessions . Because the HTTP protocol is stateless , a cookie is a maintenance session, which is plainly the extra medium for passing data.

Below we visit Baidu address.

① generated on the server side of the Response, in the response header field :

The ② request header field is this: (Can be found on the Cookie tab, and the response has the same)

The following Masons detail their cookie in the request and response transfer process.

Second, detailed introduction of the cookie transmission process

Directly, explained in detail. By the way, write a cookieservlet that simulates the life of a cookie. The code is as follows:

?

1234567891011121314151617181920212223242526272829303132333435363738

package org.bysocket.http;import java.io.IOException;import java.io.PrintWriter; import javax.servlet.ServletException;import javax.servlet.annotation.WebServlet;import javax.servlet.http.Cookie;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;@WebServlet(urlPatterns="/cookie")public class CookieServletT extends HttpServlet{    private static final long serialVersionUID = 1L;    @Override    protected void doGet(HttpServletRequest req, HttpServletResponse resp)            throws ServletException, IOException    {        // 获取Cookie        Cookie[] cookies = req.getCookies();        for (Cookie cookie : cookies)            System.out.println(cookie.getName() + " " + cookie.getValue());        // 创建Cookie        Cookie cookie = new Cookie("CookieName", "CookieValue");        cookie.setMaxAge(10);        cookie.setHttpOnly(true);        resp.addCookie(cookie);                // 响应        PrintWriter pw = resp.getWriter();        pw.print("<html><body><h1>Hello,Cookie!</h1></body></html>");    }    }

① Client access, no cookie written by the server.

Code new Cookie ("CookieName", "Cookievalue"); You can see that the server generates a new key value to the cookie, and sets the request header domain cookie to indicate that the first request is not available . There is no Cookiename=cookievalue cookie value below.

② cookies from the server are sent to the browser.

Httpservletresponse.addcookie (cookie) in the code; This response joins the cookie that was just that key-value pair. How to upload to the browser (client)? Under the same F12,

Can be obtained, the cookie is sent to the browser via HTTP response header field. The set of each cookie has a header corresponding to the Set-cookie. There is also time to represent the cookie's survival time, httponly but this cookie is read-only mode.

③ Browser parses the cookie and saves it to the browser file.

You can open Internet options for IE directly:

, the location file is where our cookie is stored. Now that he is there, the Mason will find it.

Open it up and the content is: cookie information and URL information and some about time.

?

123456789

CookieNameCookieValuelocalhost/servletBYSocket/9728 3416923392 30449698 3325104969 30449698 *

This completely understands how the cookie is written to the browser.

④ Client Access, there is a cookie written by the server.

In this way, the same URL is accessed again when F12:

Not much explanation, look at the picture.

⑤ Server Get

What about the service side? As long as the simple getcookies () can get a list of cookies. , the server console is printed as follows:

Mason Memory Cheat SHEET: Cookie Transmission Summary

① Client access, no cookie written by the server

Cookie written to browser on ② server

③ Browser parsing cookies, saving to browser files

④ Client access, cookies written by the server

⑤ Server Get

Iv. talking about the role of cookies to XSS (cross-site scripting attacks)

Cookies are not as dangerous as viruses, but contain sensitive information. For example, the most common remember passwords, or some users often browse the page data.

users do not want these leaks, or even be attacked. But in fact there is this attack, how to attack it? I also detail and propose a solution in the article on cross-scripting attacks on XSS .

Full Name: Cross site script, Chinese name: Multi-site Scripting attack. As the name implies, it means "HTML injection" to modify the Web page, insert malicious script, so that when users browse the Web page, control the user browser an attack. The routine of a general attack:

V. Summary

Recalling the full text, cookies are a conversational mechanism in the HTTP protocol. And I understand the following two questions.

1. What is a cookie?

2. How do cookies work?

Writer:bysocket (mud and brick pulp carpenter)

Micro-Blog: Bysocket

Watercress: Bysocket

FaceBook: Bysocket

Twitter: Bysocket

Java EE to understand the small things: two, graphic cookies (cookie)