Tips on using cookies in javascript and setting privacy on the server

Source: Internet
Author: User

How to read a cookie string:

The code is as follows:
alert(document.cookie);

The cookie string of a website contains all cookies under the site's domain name that are accessible to JavaScript (HttpOnly cookies are excluded). Multiple cookies are separated by a semicolon and a space. Browsers cap the number of cookies per domain, generally at 20 or 50. For example, the string format containing 2 cookies is

The code is as follows:
document.cookie; // "key1=value1; key2=value2"

The maximum size of a cookie string is 4 KB. A null value is returned when the number or length limit is exceeded. When the number of cookies exceeds the limit, other cookies may be lost; the ones lost should be the least recently used, but browser implementations do not fully follow this standard.

How to Set a cookie:

The code is as follows:
document.cookie = "key=value;expires=date;path=/;domain=xxx.com;secure";

To set multiple cookies, you only need to assign document.cookie = xxx repeatedly. Each cookie is automatically merged with the other cookies into the cookie string.

To read the value of a single cookie, you have to parse the cookie string yourself.

The following are the parameters used to set cookies:

1. Name and value: key is the cookie name, and value is the cookie value.

2. Expiration time: expires sets the expiration time, given as a GMT date string, as shown in

The code is as follows:
expires = new Date('2011-12-30').toUTCString(); // "Fri, 30 Dec 2011 00:00:00 GMT"

If no expiration time is set, the cookie will expire when the browser is closed.

3. Path: by default, a cookie set by a script on a web page can only be accessed by pages in the folder where that page is located and its subfolders. For example, a cookie set by http://www.jb51.net/aa/1.html cannot be accessed by http://www.jb51.net/bb/2.html. More often you want a cookie to be accessible by all pages of the site; this requires setting the path attribute. path=/ indicates that the path of the cookie is the root directory of the website, so that all pages on the site can access it.

4. Domain name: a cookie cannot be accessed across domains; generally a cookie belongs only to its own site. If you want to share it between multiple websites, those websites must have the same primary domain name, and the sharing is implemented by setting the domain attribute. For example, to share cookies between the websites under the two second-level domain names www.jb51.net and bbs.jb51.net, set domain=jb51.net

5. Encrypted transmission: if a cookie has the secure attribute, it is only transmitted to the server over an encrypted (HTTPS) connection.

Cookie string encoding:

The cookie string cannot contain special characters such as spaces, semicolons, and commas. If the value may contain these symbols, encode it with the encodeURIComponent() function when setting the cookie and convert it back with decodeURIComponent() when reading it, for example document.cookie = "key=" + encodeURIComponent(value);

Set the cookie on the server and declare its privacy (secure and httponly ):

Sometimes for security, you may need to restrict access to some cookies.

Secure: the cookie is only sent over HTTPS secure connections.

HttpOnly: the cookie is only used during HTTP transmission; JavaScript cannot access it.

For example, use the built-in function setcookie () in PHP to set a cookie with privacy restrictions.

setcookie("UserIDCookie", "123456", time() + 60*30, '/', 'mytest.com', false, true);

The sixth parameter (secure) indicates whether the cookie is only sent over HTTPS connections, and the seventh parameter (httponly), set to true here, indicates that the cookie is HttpOnly.
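As an added example (not code from the original article), the following JavaScript covers both halves of the page: parsing the cookie string that document.cookie returns, and building the attribute string that is either assigned to document.cookie on the client or sent as a Set-Cookie header on the server, including the secure and httponly flags from the PHP setcookie() call above. It runs under Node without a browser, so `document` itself is never touched; the function names are assumptions of this example.

```javascript
// Parse "key1=value1; key2=value2" into an object, decoding each value
// with decodeURIComponent (the inverse of the encoding used when setting).
function parseCookieString(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const pair = part.trim();
    if (!pair) continue;                    // empty string: no cookies at all
    const eq = pair.indexOf("=");
    if (eq < 0) continue;                   // skip malformed entries
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    try {
      cookies[name] = decodeURIComponent(value);
    } catch (e) {
      cookies[name] = value;                // value was not URI-encoded
    }
  }
  return cookies;
}

// Build the string assigned to document.cookie or sent in a Set-Cookie
// header. The value is encoded so spaces, semicolons and commas survive.
// `expires` is a Date. httpOnly only makes sense on the server: a browser
// cannot set an HttpOnly cookie from JavaScript.
function buildCookie(name, value, opts = {}) {
  let s = name + "=" + encodeURIComponent(value);
  if (opts.expires) s += "; expires=" + opts.expires.toUTCString();
  if (opts.path) s += "; path=" + opts.path;
  if (opts.domain) s += "; domain=" + opts.domain;
  if (opts.secure) s += "; secure";
  if (opts.httpOnly) s += "; httponly";
  return s;
}

// Same cookie as the article's PHP setcookie() call: 30 minutes from `now`,
// path "/", domain "mytest.com", not secure, HttpOnly (server-side header).
function sessionCookieHeader(now) {
  return buildCookie("UserIDCookie", "123456", {
    expires: new Date(now.getTime() + 60 * 30 * 1000),
    path: "/",
    domain: "mytest.com",
    secure: false,
    httpOnly: true,
  });
}
```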

Cross-origin requests, third-party cookies, and P3P (privacy protection policy ):

Browser privacy settings (or content settings; in Chrome under Advanced settings > Content settings) can be set to block third-party cookies, so that cross-origin requests (iframes, img and JavaScript file requests, and so on) cannot send the cookies of the other domain.

For example, when the page http://www.jb51.net/index.html embeds a cross-domain page from www.other.com through an iframe, even if a cookie named otherLoginFrag under the other.com domain is saved in the browser, otherLoginFrag is not sent to the server www.other.com along with the request.

Third-party cookie restrictions differ slightly between browsers. For example, when Safari disables third-party cookies, a form can only be submitted using POST.

If you want cross-origin requests to carry cookies while the browser has third-party cookies disabled, the cross-origin server needs to use the P3P response header to declare its cookie policy in advance.

The code is as follows:
// php
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie("UserIDCookie", "123456");