

An introduction to the HTTP cookie standard, RFC 6265

2020-07-05 18:03:33
Source: reprint, contributed by a reader

Cookies are an essential part of modern web development. This article summarises selected parts of the cookie standard, RFC 6265, with the relevant RFC text quoted after each point.

1. What cookies are for

HTTP is stateless: when a browser sends several requests, the web server has no way to tell whether they come from the same browser. Extra data is therefore needed to maintain a session. A cookie is exactly that: a small piece of data carried along with each HTTP request.

2. Cookie attributes

Besides the two mandatory parts, name and value, a cookie can carry the optional attributes below. Attribute names are case-insensitive, and a user agent that recognises an attribute must honour it whenever it is set. Together these attributes control a cookie's lifetime, visibility and security.

2.1) Expires: an absolute expiry time

If the attribute value cannot be parsed as a date, the user agent ignores the attribute (only the attribute, not the whole cookie). If the same cookie is set again with a different Expires value, the newly stored cookie replaces the old one (see 2.7), so the new expiry takes effect.
If the attribute-value failed to parse as a cookie date, ignore the cookie-av.
If the expiry-time is later than the last date the user agent can represent, the user agent MAY replace the expiry-time with the last representable date.
If the expiry-time is earlier than the earliest date the user agent can represent, the user agent MAY replace the expiry-time with the earliest representable date.

2.2) Max-Age: a relative expiry time, in seconds. If the attribute value is not an integer, the user agent ignores the attribute.

If the first character of the attribute-value is not a DIGIT or a '-' character, ignore the cookie-av.
If the remainder of attribute-value contains a non-DIGIT character, ignore the cookie-av.
If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. Otherwise, let the expiry-time be the current date and time plus delta-seconds seconds.

Max-Age and Expires together control the cookie's lifetime. If both are set, Max-Age takes precedence. By default a cookie is a session cookie: its value lives only for the duration of the browser session and is discarded when the browser exits (what counts as "the session" is up to the user agent).
If a cookie has neither the Max-Age nor the Expires attribute, the user agent will retain the cookie until "the current session is over" (as defined by the user agent).

2.3) Path: the set of URLs on the host the cookie is sent with. If omitted, the default is the "directory" of the URL that set the cookie, so the cookie is sent to that page, to other pages in the same directory, and to pages in its subdirectories. Path must not be relied on as a security boundary: different paths on the same host are the same origin to the browser, so script running under one path can still reach cookies scoped to another (for example through a same-origin frame).

The scope of each cookie is limited to a set of paths, controlled by the Path attribute. If the server omits the Path attribute, the user agent will use the "directory" of the request-uri's path component as the default value.
The user agent will include the cookie in an HTTP request only if the path portion of the request-uri matches (or is a subdirectory of) the cookie's Path attribute, where the %x2F ("/") character is interpreted as a directory separator.
Although seemingly useful for isolating cookies between different paths within a given host, the Path attribute cannot be relied upon for security.

2.4) Domain: if the Domain attribute is not set, the cookie is scoped to exactly the host that set it (a "host-only" cookie).

If the server omits the Domain attribute, the user agent will return the cookie only to the origin server. A cookie's Domain cannot be set to a domain that does not cover the server setting it:
The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of 'example.com' or of 'foo.example.com' from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of 'bar.example.com' or of 'baz.foo.example.com'. NOTE: For security reasons, many user agents are configured to reject Domain attributes that correspond to 'public suffixes'. For example, some user agents will reject Domain attributes of 'com' or 'co.uk'.
When a user agent receives a Set-Cookie header field in an HTTP response, the user agent MAY ignore the Set-Cookie header field in its entirety. For example, the user agent might wish to block responses to "third-party" requests from setting cookies.

2.5) Secure: controls how the cookie is transmitted. By default cookies are not secure: they are sent over plain, unencrypted HTTP connections as well. A cookie marked Secure is only sent when the browser talks to the server over HTTPS (or another channel the user agent considers secure). Secure protects only the cookie's confidentiality in transit; it does not protect its integrity (see section 6).

The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).

2.6) HttpOnly: a flag (it takes no value) that limits the cookie to HTTP traffic. A cookie marked HttpOnly is still sent with requests, but it cannot be read through document.cookie, so an XSS payload cannot read the value and exfiltrate it. It does not stop an XSS payload from making requests that carry the cookie, so it reduces the impact of XSS rather than preventing it.

HttpOnly and Secure are independent; a cookie can have both attributes at once.
The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via 'non-HTTP' APIs (such as a web browser API that exposes cookies to scripts). Note that the HttpOnly attribute is independent of the Secure attribute: a cookie can have both the HttpOnly and the Secure attribute.

2.7) Other rules about cookie attributes

User agents ignore unrecognized cookie attributes (but not the entire cookie).
To maximize compatibility with user agents, servers that wish to store arbitrary data in a cookie-value SHOULD encode that data, for example, using Base64 [RFC4648].
To maximize compatibility with user agents, servers SHOULD NOT produce two attributes with the same name in the same set-cookie-string.
If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie. Notice that servers can delete cookies by sending the user agent a new cookie with an Expires attribute with a value in the past.
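The attribute rules above, as an added example that is not code from the original page: a small Set-Cookie parser in JavaScript that follows the parsing and storage rules of RFC 6265 sections 5.2 and 5.3. It shows case-insensitive attribute names, Max-Age winning over Expires, invalid Max-Age and Expires values being dropped without dropping the cookie, unknown attributes being ignored, and the last valid occurrence of an attribute winning. The function name `parseSetCookie`, the `now` parameter and the sample header are assumptions made for this example; the JavaScript `Date` constructor stands in for the RFC's own cookie-date algorithm.

```javascript
// Added example: RFC 6265 style Set-Cookie parsing (not the page's own code).
// The JS Date constructor is used as a stand-in for the RFC cookie-date parser.

const MAX_DATE = new Date(8640000000000000); // latest date a JS Date can represent

function parseSetCookie(header, now = new Date()) {
  const [pair, ...avs] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) return null;                       // no '=' in the name-value pair: ignore the cookie
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  if (name === '') return null;                  // empty name: ignore the cookie

  const cookie = { name, value, domain: null, path: null, secure: false,
                   httpOnly: false, persistent: false, expires: MAX_DATE };
  let maxAgeExpiry = null;
  let expiresExpiry = null;

  for (const av of avs) {
    const i = av.indexOf('=');
    // attribute names are matched case-insensitively
    const attr = (i < 0 ? av : av.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : av.slice(i + 1).trim();
    switch (attr) {
      case 'expires': {
        const d = new Date(val);
        // unparseable date: ignore this attribute only; an earlier valid one is kept
        if (!Number.isNaN(d.getTime())) expiresExpiry = d;
        break;
      }
      case 'max-age': {
        // first char must be a DIGIT or '-', the rest DIGITs; otherwise ignore
        if (!/^-?[0-9]+$/.test(val)) break;
        const secs = Number(val);
        maxAgeExpiry = secs <= 0 ? new Date(0) : new Date(now.getTime() + secs * 1000);
        break;
      }
      case 'domain':
        // empty value ignored; leading '.' stripped; lower-cased (5.2.3)
        if (val !== '') cookie.domain = val.replace(/^\./, '').toLowerCase();
        break;
      case 'path':
        // empty or not starting with '/': the default-path applies (null here) (5.2.4)
        cookie.path = val.startsWith('/') ? val : null;
        break;
      case 'secure':
        cookie.secure = true;
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
      default:
        break;                                   // unrecognised attribute: ignored, cookie kept
    }
  }

  // 5.3 step 3: Max-Age takes precedence over Expires; neither => session cookie
  if (maxAgeExpiry !== null) {
    cookie.persistent = true;
    cookie.expires = maxAgeExpiry;
  } else if (expiresExpiry !== null) {
    cookie.persistent = true;
    cookie.expires = expiresExpiry;
  }
  return cookie;
}

// Constructed sample header (not captured from a real server)
const sample = 'sid=abc; Max-Age=60; Expires=Wed, 21 Oct 2015 07:28:00 GMT; HttpOnly; Secure; Bogus=1';
console.log(parseSetCookie(sample, new Date('2020-07-05T18:03:33Z')));
```

With the sample header the result is a persistent cookie expiring 60 seconds after `now`, because Max-Age overrides the (much older) Expires date; the unknown `Bogus` attribute is simply dropped.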

3. Where cookie values are set

Cookies are usually set on the server side, but they can also be set on the client through JavaScript (document.cookie). In addition:
3.1) programmatic HTTP clients (for example Java's HttpClient) can add a Cookie header to the request directly;
3.2) an iOS UIWebView can be handed a request that already carries a cookie when calling loadRequest;
3.3) an Android WebView can have cookies set through CookieManager.

4. How cookies are transmitted, and the rules that apply

4.1 Server to client

In the HTTP response headers (one Set-Cookie header per cookie), the server sends every cookie it sets to the client. What is sent is the cookie's name, value and all of the attributes that were set.

4.2 Client to server

In the HTTP request headers (the Cookie header), the browser does not send every cookie it holds. It checks the domain and path of the request being made and sends a cookie only if both match that cookie's Domain and Path. Domain matching is a suffix match on the host name, and a Secure cookie is additionally only sent over a secure channel. Only name and value are sent; the attributes are not.
Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-name and cookie-value the user agent received in the Set-Cookie header.
Notice that the cookie attributes are not returned.
So when the client sends two cookies with the same name, the server cannot tell which is which.
Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header.

5. Can cookies be intercepted?

There are two common ways to steal someone else's cookies:
5.1) an XSS attack that reads the victim's cookies from script (this is what HttpOnly guards against);
5.2) obtaining the cookie file stored on the victim's machine (this is harder).
A cookie without the Secure attribute can also be read off the wire whenever it is sent over plain HTTP.

6. Can cookies be tampered with?

Yes. Browser extensions such as EditThisCookie, or other tooling, can modify stored cookies at will. The Secure attribute also has a limitation here:
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity.
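The storage and sending rules from sections 2.7, 4.2, 5 and 6, as one added example that is not code from the original page: a toy RFC 6265 cookie store in JavaScript. It shows the domain-match and path-match checks that decide which cookies go into the Cookie header, that only name=value is serialised (so two same-name cookies are indistinguishable to the server), that a cookie with the same name, domain and path evicts the stored one, that HttpOnly cookies are hidden from a script-style API, and that the storage algorithm as written in RFC 6265 never looks at the channel a Set-Cookie arrived on, which is exactly the Secure-integrity gap quoted above. The `CookieJar` class, its helper functions and the sample URLs are assumptions made for this example; cookies are passed in already parsed, and there is no public-suffix list.

```javascript
// Added example: a toy RFC 6265 cookie store (not the page's own code).
// No public-suffix list, and, like the original RFC 6265 storage algorithm,
// no check on whether a Set-Cookie arrived over a secure channel.

function domainMatch(host, domain) {
  // RFC 6265 5.1.3: identical, or host ends with "." + domain (suffix match on labels)
  return host === domain || host.endsWith('.' + domain);
}

function defaultPath(uriPath) {
  // RFC 6265 5.1.4: the request path up to, but not including, the right-most '/'
  if (!uriPath.startsWith('/')) return '/';
  const i = uriPath.lastIndexOf('/');
  return i === 0 ? '/' : uriPath.slice(0, i);
}

function pathMatch(reqPath, cookiePath) {
  // RFC 6265 5.1.4: equal, or cookie-path is a prefix that ends in '/' or stops at a '/'
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.cookies = []; this.seq = 0; }

  // Store a cookie received in a response to responseUrl.
  // c: { name, value, domain?, path?, secure?, httpOnly?, expires? (Date) }
  // Returns false when the cookie is rejected.
  store(responseUrl, c, now = Date.now()) {
    const u = new URL(responseUrl);
    const host = u.hostname.toLowerCase();
    let domain = host;
    let hostOnly = true;
    if (c.domain) {
      const d = c.domain.toLowerCase();
      // 5.3 step 6: reject unless the Domain attribute covers the origin server
      if (!domainMatch(host, d)) return false;
      domain = d;
      hostOnly = false;
    }
    const path = c.path && c.path.startsWith('/') ? c.path : defaultPath(u.pathname);
    const rec = { name: c.name, value: c.value, domain, hostOnly, path,
                  secure: !!c.secure, httpOnly: !!c.httpOnly,
                  expires: c.expires || null, created: this.seq++ };
    // 5.3 step 11: same name, domain and path => the old cookie is evicted.
    // Nothing here looks at u.protocol, so a Set-Cookie injected over plain HTTP
    // replaces a stored Secure cookie (the integrity gap from section 6).
    this.cookies = this.cookies.filter(o =>
      !(o.name === rec.name && o.domain === rec.domain && o.path === rec.path));
    // An expiry in the past is how a server deletes a cookie
    if (rec.expires !== null && rec.expires.getTime() <= now) return true;
    this.cookies.push(rec);
    return true;
  }

  // Cookies that would be attached to a request (5.4). fromScript models a
  // non-HTTP API such as document.cookie, where HttpOnly cookies are omitted.
  select(requestUrl, { fromScript = false, now = Date.now() } = {}) {
    const u = new URL(requestUrl);
    const host = u.hostname.toLowerCase();
    const secureChannel = u.protocol === 'https:';
    return this.cookies
      .filter(c =>
        (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)) &&
        pathMatch(u.pathname, c.path) &&
        (!c.secure || secureChannel) &&
        (!c.httpOnly || !fromScript) &&
        (c.expires === null || c.expires.getTime() > now))
      // longer paths first, then creation order (servers must not rely on this)
      .sort((a, b) => (b.path.length - a.path.length) || (a.created - b.created));
  }

  // The Cookie header: only name=value pairs, no attributes
  cookieHeader(requestUrl) {
    return this.select(requestUrl).map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed walk-through (no real servers involved)
const jar = new CookieJar();
jar.store('https://www.example.com/account/settings',
  { name: 'sid', value: 'S1', path: '/', secure: true, httpOnly: true });
jar.store('https://www.example.com/account/settings',
  { name: 'pref', value: 'dark', domain: 'example.com' });
console.log(jar.cookieHeader('https://www.example.com/account/x')); // pref=dark; sid=S1
console.log(jar.cookieHeader('http://www.example.com/account/x'));  // pref=dark
```

In the walk-through `pref` gets the default path `/account` from the URL that set it, so it is absent from requests to `/` but present on `/account/x`; `sid` is host-only and Secure, so it disappears from the plain-HTTP request. Storing `sid` again from an `http://` response replaces the Secure cookie, as the RFC text above warns. Later revisions of the standard (the RFC 6265bis drafts, implemented by current browsers) close that gap by refusing non-secure Set-Cookie headers that would overwrite a Secure cookie; this toy deliberately follows the original RFC 6265 behaviour.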
