Cookies are an important technology in modern web development. I recently read through the cookie standard, RFC 6265, and excerpted parts of it below.
Because HTTP is stateless, a web server cannot tell whether several requests from a browser come from the same browser. Extra data is therefore needed to maintain a session. A cookie is exactly that: a small piece of extra data carried along with each HTTP request.
Besides the two required parts, name and value, a cookie has several optional attributes (attribute names are case-insensitive; a user agent processes the ones it recognizes and drops the rest without dropping the cookie). They control the cookie's lifetime (Expires, Max-Age), visibility (Domain, Path), and security (Secure, HttpOnly).
Expires: if the attribute value cannot be parsed as a cookie date, the client ignores that attribute (the rest of the cookie is still processed). When the same cookie is set again with a different Expires value, the newly received cookie, with its new expiry, replaces the stored one; the "MAY" in the rules below concerns only dates outside the range the user agent can represent.
If the attribute-value failed to parse as a cookie date, ignore the cookie-av.
If the expiry-time is later than the last date the user agent can represent, the user agent MAY replace the expiry-time with the last representable date.
If the expiry-time is earlier than the earliest date the user agent can represent, the user agent MAY replace the expiry-time with the earliest representable date.
If the first character of the attribute-value is not a DIGIT or a '-' character, ignore the cookie-av.
If the remainder of attribute-value contains a non-DIGIT character, ignore the cookie-av.
If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. Otherwise, let the expiry-time be the current date and time plus delta-seconds seconds.
Max-Age and Expires both control the cookie's lifetime. If both are set, Max-Age takes precedence. By default a cookie is temporary: its value lives only for the browser session and is discarded when the browser exits.
If a cookie has neither the Max-Age nor the Expires attribute, the user agent will retain the cookie until 'the current session is over' (as defined by the user agent).
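The rules above, as an added example (not code from the original post): a parser for one Set-Cookie header value that applies the Expires and Max-Age processing of RFC 6265 section 5.2, the Max-Age precedence, the session-cookie default, and the clamping to the representable date range. It assumes Date.parse as a stand-in for the full cookie-date algorithm of section 5.1.1, which is not reimplemented here, and it treats a bare "-" as an unparsable Max-Age.

```javascript
// Added example, not code from the original post: parse one Set-Cookie header
// value as RFC 6265 section 5.2 describes and compute the cookie's expiry-time.
// Assumption: Date.parse stands in for the section 5.1.1 cookie-date algorithm.

const LATEST = 8.64e15;     // last date a JS Date can represent (ms since epoch)
const EARLIEST = -8.64e15;  // earliest representable date

// null means "failed to parse as a cookie date"
function parseCookieDate(str) {
  const t = Date.parse(str);
  return Number.isNaN(t) ? null : t;
}

// Returns { name, value, attrs, expiry, persistent } or null when the
// set-cookie-string has no usable name=value pair. `now` (ms since epoch)
// is injectable so results are deterministic.
function parseSetCookie(header, now = Date.now()) {
  const parts = header.split(';');
  const pair = parts.shift();
  const eq = pair.indexOf('=');
  if (eq < 0) return null;                       // no '=' at all: ignore the cookie
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  if (name === '') return null;                  // empty name: ignore the cookie

  let expires = null;   // candidate expiry from Expires
  let maxAge = null;    // candidate expiry from Max-Age
  const attrs = {};
  for (const av of parts) {
    const i = av.indexOf('=');
    const attrName = (i < 0 ? av : av.slice(0, i)).trim().toLowerCase(); // names are case-insensitive
    const attrValue = i < 0 ? '' : av.slice(i + 1).trim();
    switch (attrName) {
      case 'expires': {
        const t = parseCookieDate(attrValue);
        if (t !== null) expires = t;             // unparsable date: ignore this cookie-av only
        break;
      }
      case 'max-age':
        // first char DIGIT or '-', remainder all DIGITs; anything else ignores the cookie-av
        if (/^-?\d+$/.test(attrValue)) {
          const delta = Number(attrValue);
          maxAge = delta <= 0 ? EARLIEST : now + delta * 1000;
        }
        break;
      case 'domain':
      case 'path':
        attrs[attrName] = attrValue;
        break;
      case 'secure':
      case 'httponly':
        attrs[attrName] = true;
        break;
      default:
        break;                                   // unrecognized attribute: dropped, cookie kept
    }
  }

  // Max-Age wins over Expires; with neither the cookie lasts for the session only
  let expiry = maxAge !== null ? maxAge : expires;
  if (expiry !== null) expiry = Math.min(LATEST, Math.max(EARLIEST, expiry)); // clamp to representable range
  return { name, value, attrs, expiry, persistent: expiry !== null };
}

console.log(parseSetCookie('sid=abc; Max-Age=60; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/; Secure; HttpOnly', 0));
```

Feeding it a header with both attributes shows Max-Age winning; a negative or zero Max-Age yields the earliest representable date, which is how a server deletes a cookie; an unparsable Expires or an unknown attribute is silently dropped while the cookie itself survives.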
The scope of each cookie is limited to a set of paths, controlled by the Path attribute. If the server omits the Path attribute, the user agent will use the 'directory' of the request-uri’s path component as the default value.
The user agent will include the cookie in an HTTP request only if the path portion of the request-uri matches (or is a subdirectory of) the cookie’s Path attribute, where the %x2F ('/') character is interpreted as a directory separator.
Although seemingly useful for isolating cookies between different paths within a given host, the Path attribute cannot be relied upon for security. The same-origin policy does not partition by path, so a script served from any path on the host can read and overwrite cookies scoped to another path, and any response from the host can set a cookie with whatever Path it likes.
If the server omits the Domain attribute, the user agent will return the cookie only to the origin server (a "host-only" cookie; setting Domain=example.com explicitly makes the cookie visible to every subdomain of example.com as well). A server cannot set a cookie for a domain that does not include its own host:
The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of 'example.com' or of 'foo.example.com' from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of 'bar.example.com' or of 'baz.foo.example.com'. NOTE: For security reasons, many user agents are configured to reject Domain attributes that correspond to 'public suffixes'. For example, some user agents will reject Domain attributes of 'com' or 'co.uk'.
When a user agent receives a Set-Cookie header field in an HTTP response, the user agent MAY ignore the Set-Cookie header field in its entirety. For example, the user agent might wish to block responses to 'third-party' requests from setting cookies.
The Secure attribute limits the scope of the cookie to 'secure' channels (where 'secure' is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).
The HttpOnly attribute is independent of Secure; a cookie can carry both.
The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via 'non-HTTP' APIs (such as a web browser API that exposes cookies to scripts). Note that the HttpOnly attribute is independent of the Secure attribute: a cookie can have both the HttpOnly and the Secure attribute.
User agents ignore unrecognized cookie attributes (but not the entire cookie).
To maximize compatibility with user agents, servers that wish to store arbitrary data in a cookie-value SHOULD encode that data, for example, using Base64 [RFC4648].
To maximize compatibility with user agents, servers SHOULD NOT produce two attributes with the same name in the same set-cookie-string.
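The server-side counterpart of the two compatibility rules above, as an added example (not code from the original post): a Set-Cookie builder that Base64-encodes arbitrary data into a value made only of cookie-octets, checks that the name is a token, and refuses a repeated attribute. Rejecting ';', CR and LF in attribute values also stops a caller from injecting extra attributes or headers. The attribute list format and the helper names are this example's own choices.

```javascript
// Added example, not code from the original post: build a Set-Cookie header
// value following the compatibility rules of RFC 6265 section 4.1.1.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;                      // RFC 2616 token (cookie-name)
const COOKIE_OCTET = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/; // no CTLs, SP, '"', ',', ';', '\'
const KNOWN_ATTRS = new Set(['expires', 'max-age', 'domain', 'path', 'secure', 'httponly']);

// Base64 output uses only [A-Za-z0-9+/=], all of which are cookie-octets,
// so any UTF-8 string survives the trip through the cookie-value.
function encodeCookieValue(data) {
  return Buffer.from(String(data), 'utf8').toString('base64');
}
function decodeCookieValue(value) {
  return Buffer.from(value, 'base64').toString('utf8');
}

// attributes: array of [name] or [name, value] pairs, e.g. [['Path', '/'], ['Secure']]
function formatSetCookie(name, value, attributes = []) {
  if (!TOKEN.test(name)) throw new Error(`cookie name is not a token: ${JSON.stringify(name)}`);
  if (!COOKIE_OCTET.test(value)) throw new Error('cookie value contains non-cookie-octets; encode it first');
  const parts = [`${name}=${value}`];
  const seen = new Set();
  for (const [attrName, attrValue] of attributes) {
    const key = attrName.toLowerCase();
    if (!KNOWN_ATTRS.has(key)) throw new Error(`unknown attribute ${attrName}`);
    if (seen.has(key)) throw new Error(`attribute ${attrName} given twice`);   // SHOULD NOT repeat
    seen.add(key);
    if (key === 'secure' || key === 'httponly') { parts.push(attrName); continue; } // flag attributes
    let v = attrValue;
    if (v === undefined || v === null) throw new Error(`attribute ${attrName} needs a value`);
    if (key === 'expires' && v instanceof Date) v = v.toUTCString();             // rfc1123-date
    if (key === 'max-age' && !Number.isInteger(v)) throw new Error('Max-Age must be an integer');
    v = String(v);
    if (/[;\x00-\x1F\x7F]/.test(v)) throw new Error(`attribute ${attrName} would inject a separator`);
    parts.push(`${attrName}=${v}`);
  }
  return parts.join('; ');
}

console.log(formatSetCookie('sid', encodeCookieValue('user=alice; role=admin'),
  [['Path', '/'], ['Max-Age', 3600], ['Secure'], ['HttpOnly']]));
```

Because the value is always Base64, the server decodes it with decodeCookieValue after reading it back from the Cookie header; nothing here protects the value from being altered by the client, which is the separate integrity problem discussed further down.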
If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie. Notice that servers can delete cookies by sending the user agent a new cookie with an Expires attribute with a value in the past.
Cookie values are usually set on the server side, but they can also be set on the client via JavaScript (document.cookie). In addition:
3.1) an HTTP request built in code (for example with Java's httpclient package) can carry the cookie directly in the request header;
3.2) in iOS, UIWebView's loadRequest can be given a request constructed with a cookie header;
3.3) in Android, WebView cookies can be set through CookieManager.
In the HTTP response, the server sends every cookie it sets to the client, one Set-Cookie header per cookie, each carrying the cookie's name, value, and every attribute that was set (multiple Set-Cookie headers SHOULD NOT be folded into one, since the Expires value itself contains a comma).
In the HTTP request, the browser does not send every cookie it holds. It checks the host and path of the request URL and sends a cookie only if both match the cookie's Domain and Path (a Secure cookie is additionally sent only over a secure channel, and expired cookies are not sent at all). Domain matching is suffix matching on label boundaries: a cookie for example.com is sent to www.example.com but not to notexample.com. Only the name and value are sent; none of the other attributes are.
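The Domain and Path rules above (which Domain values a server may set, how a missing Domain or Path is defaulted, and which stored cookies go into the Cookie header for a given request) as an added example, not code from the original post: a minimal user-agent cookie store implementing domain-match (RFC 6265 section 5.1.3), default-path and path-match (section 5.1.4), the storage algorithm (section 5.3) and the Cookie header algorithm (section 5.4). Cookies arrive already parsed as plain objects; the two-entry public-suffix set is a constructed stand-in for the real list, and the class and method names are this example's own.

```javascript
// Added example, not code from the original post: a user-agent cookie store
// following RFC 6265 sections 5.1.3, 5.1.4, 5.3 and 5.4.

const PUBLIC_SUFFIXES = new Set(['com', 'co.uk']);   // constructed stand-in for the public suffix list

// Section 5.1.3: suffix match on a label boundary, never for IPv4 literals.
function domainMatches(host, domain) {
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith('.' + domain);
}

// Section 5.1.4: default-path is the "directory" of the request-uri path.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== '/') return '/';
  const i = uriPath.lastIndexOf('/');
  return i === 0 ? '/' : uriPath.slice(0, i);
}

// Section 5.1.4: path-match ('/app' matches '/app/x' but not '/apple').
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.cookies = []; this.seq = 0; }

  // Section 5.3: store a cookie received in a response from `url` (a URL object).
  // `viaHttp` is false when the cookie comes from a non-HTTP API such as document.cookie.
  store(c, url, viaHttp = true) {
    const host = url.hostname;                                        // already lower-cased by URL
    let domain = (c.domain || '').toLowerCase().replace(/^\./, '');
    if (domain && PUBLIC_SUFFIXES.has(domain)) {
      if (domain === host) domain = ''; else return false;           // reject Domain=com, Domain=co.uk
    }
    if (domain && !domainMatches(host, domain)) return false;        // foo.example.com cannot set bar.example.com
    const cookie = {
      name: c.name, value: c.value,
      domain: domain || host, hostOnly: !domain,                     // no Domain => host-only cookie
      path: c.path && c.path[0] === '/' ? c.path : defaultPath(url.pathname),
      secure: !!c.secure, httpOnly: !!c.httpOnly,
      expiry: c.expiry ?? null, created: this.seq++,
    };
    if (cookie.httpOnly && !viaHttp) return false;                   // script may not create HttpOnly cookies
    const idx = this.cookies.findIndex(o =>
      o.name === cookie.name && o.domain === cookie.domain && o.path === cookie.path);
    if (idx >= 0) {
      if (this.cookies[idx].httpOnly && !viaHttp) return false;       // ...nor overwrite one
      cookie.created = this.cookies[idx].created;                     // replacement keeps the old creation-time
      this.cookies.splice(idx, 1);                                    // evict and replace
    }
    this.cookies.push(cookie);
    return true;
  }

  // Section 5.4: the Cookie header value for a request to `url`, or null if nothing matches.
  cookieHeader(url, viaHttp = true, now = Date.now()) {
    const host = url.hostname, secureChannel = url.protocol === 'https:';
    const path = url.pathname || '/';
    this.cookies = this.cookies.filter(c => c.expiry === null || c.expiry > now);  // evict expired cookies
    const matched = this.cookies.filter(c =>
      (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)) &&
      pathMatches(path, c.path) &&
      (!c.secure || secureChannel) &&
      (!c.httpOnly || viaHttp));
    // longer paths first, then earlier creation-time; only name=value is serialized
    matched.sort((a, b) => b.path.length - a.path.length || a.created - b.created);
    return matched.length ? matched.map(c => `${c.name}=${c.value}`).join('; ') : null;
  }
}

const jar = new CookieJar();
const origin = new URL('https://foo.example.com/app/login');
jar.store({ name: 'sid', value: '1', secure: true, httpOnly: true }, origin);        // host-only, Path=/app
jar.store({ name: 'pref', value: 'dark', domain: 'example.com', path: '/' }, origin);
console.log(jar.cookieHeader(new URL('https://foo.example.com/app/home')));          // sid=1; pref=dark
console.log(jar.cookieHeader(new URL('http://foo.example.com/app/home')));           // pref=dark (sid is Secure)
```

Walking the jar through a few requests makes the rules concrete: the host-only sid cookie never reaches www.example.com while the Domain=example.com cookie does; neither reaches notexample.com, because the suffix match stops at a label boundary; a request to /apple does not get the /app cookie; and script (viaHttp=false) neither sees nor replaces the HttpOnly cookie.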
Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-name and cookie-value the user agent received in the Set-Cookie header.
Notice that the cookie attributes are not returned.
Consequently, when the client sends two cookies with the same name, the server cannot tell which Domain or Path each one belongs to.
Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header.
There are two ways someone else's cookies can be captured:
5.1) an XSS (cross-site scripting) attack that reads the victim's cookies from script, which is exactly what the HttpOnly attribute is meant to block;
5.2) obtaining the cookie file stored on the victim's computer (considerably harder).
Cookies can also be modified, with browser extensions (such as edit this cookie) or other tooling, so the server must not trust a cookie value it has not verified. The Secure attribute has its limits too.
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity: a Set-Cookie injected into any plain-http response from the same host, using the same name, domain and path, replaces the Secure cookie under the replacement rule above, and the replacement is no longer marked Secure. Current browsers and the RFC 6265bis revision refuse such non-secure overwrites of Secure cookies, and the __Secure- and __Host- name prefixes let a server require the Secure attribute (and, for __Host-, a host-only cookie with Path=/).
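The integrity problem above, as an added example (not code from the original post): two cookie stores side by side, one following the RFC 6265 replacement rule literally (same name, domain and path replaces, regardless of which channel the cookie arrived on) and one applying the "Leave Secure Cookies Alone" rule of RFC 6265bis plus the __Secure-/__Host- prefix checks. The matching check is simplified to exact name/domain/path equality (an assumption; the revision uses domain-match and path-match), and the store and scenario functions are this example's own.

```javascript
// Added example, not code from the original post: RFC 6265 replacement rule
// versus the RFC 6265bis "Leave Secure Cookies Alone" rule and name prefixes.
// Assumption: an exact name/domain/path key stands in for domain-/path-matching.

function key(c) { return `${c.name}|${c.domain}|${c.path}`; }

// RFC 6265 section 5.3 step 11: same name+domain+path => evict and replace.
// The scheme the cookie arrived on plays no role, so the parameter is unused.
function storeRfc6265(jar, cookie, _fromSecureScheme) {
  jar.set(key(cookie), { ...cookie });
  return true;
}

// RFC 6265bis: a cookie set from an insecure scheme may neither carry the Secure
// attribute nor replace an existing Secure cookie; __Secure- and __Host- names
// impose attribute requirements the server can rely on.
function storeLeaveSecureAlone(jar, cookie, fromSecureScheme) {
  if (cookie.secure && !fromSecureScheme) return false;                 // Secure needs a secure origin
  if (cookie.name.startsWith('__Secure-') && !cookie.secure) return false;
  if (cookie.name.startsWith('__Host-') &&
      (!cookie.secure || cookie.path !== '/' || !cookie.hostOnly)) return false;
  if (!fromSecureScheme) {
    const existing = jar.get(key(cookie));
    if (existing && existing.secure) return false;                      // leave the Secure cookie alone
  }
  jar.set(key(cookie), { ...cookie });
  return true;
}

// Scenario: the https site sets a Secure session cookie; an active network
// attacker then injects a Set-Cookie into any plain-http response from the same host.
function runScenario(storeFn) {
  const jar = new Map();
  const legit = { name: 'sid', domain: 'example.com', hostOnly: true, path: '/', secure: true, value: 'victim-session' };
  const forged = { name: 'sid', domain: 'example.com', hostOnly: true, path: '/', secure: false, value: 'attacker-session' };
  storeFn(jar, legit, true);
  const accepted = storeFn(jar, forged, false);
  const stored = jar.get(key(legit));
  return { accepted, value: stored.value, stillSecure: stored.secure };
}

console.log('RFC 6265        ', runScenario(storeRfc6265));          // attacker-session, no longer Secure
console.log('RFC 6265bis     ', runScenario(storeLeaveSecureAlone)); // victim-session, still Secure
```

Under the literal RFC 6265 rule the forged cookie is accepted and the victim's next https request carries the attacker-chosen session (a session-fixation primitive), and since the replacement lacks Secure it will from then on also travel over plain http. Under the revised rule the forged cookie is rejected. Naming the cookie __Host-sid goes further: a server that only accepts that name knows the cookie was set with Secure, without a Domain attribute, and with Path=/, so a subdomain or a path-scoped cookie cannot shadow it.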