Introduction
If you have recently visited some standard foreign websites, a dialog box may often pop up, saying that this website needs to visit your cookies for a better experience and tracking, and ask whether you agree or disagree, for this kind of more civilized I generally agree with the approach.
But when I turned around, why did I never pop up this prompt when I visited a domestic website? This is a question worth pondering, and maybe after you read this article, you will have the answer.
The role of cookies
So what do cookies do? HTTP cookies are a small part of the data sent by the server to the browser. After the browser receives this data, it can store it for its own use, or send it to the server for verification of some data.
By storing some useful data in cookies, the stateless HTTP protocol can be turned into a stateful session connection, or it can be used to save the login authority. You can log in without a password next time, which is very useful.
Generally speaking, cookies are used in three areas:
- Session management is used to save the login status, so that HTTP requests can carry status information.
- User-defined settings, these user-specific fields, need to be stored in cookies.
- Track user behavior information.
A long, long time ago, when there was no modern browser, the only storage on the client was cookies, so cookies were also used as client storage, but after modern browsers, it is generally recommended to store the data stored on the client To other storage methods.
why?
Because the data in cookies will be automatically brought with each request and sent to the server side, if too much data is stored in the cookies, it will cause the performance of the server to decrease.
Create cookies
Because cookies are the client's local storage, if the server wants to set the client's cookies, by setting Set-Cookie in the response header, the browser will store the corresponding cookies content in the browser after receiving the response header. local.
Then the Cookie header will be included in subsequent server requests. At the same time, cookies can also carry attributes such as expiration time and sending restrictions.
First look at the format of Set-Cookie:
Set-Cookie: <cookie-name>=<cookie-value>
For example, the following is a response from the server:
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: name=flydean
Set-Cookie: site=www.flydean.com
When the browser receives this response, it will set the corresponding value in the local cookies, and bring these values in the form of the cookie header in subsequent requests:
GET /test.html HTTP/2.0
Host: www.flydean.com
Cookie: name=flydean; site=www.flydean.com
A Cookie class is provided in netty, specifically used to represent cookies. This class provides the basic properties of cookies, and then through the use of:
response.headers().add(HttpHeaderNames.SET_COOKIE, ServerCookieEncoder.STRICT.encode(cookie));
To set the response header.
cookie lifetime
There are two types of HTTP cookies. One is session cookies, which will be deleted after the session ends.
There is also a kind of cookie that sets the expiration time by specifying Expires or Max-Age:
Set-Cookie: id=abcdef; Expires=Thu, 31 May 2021 08:00:00 GMT;
Expires is the header defined in HTTP1.0, and Max-Age is the header defined in HTTP1.1.
Permission control of cookies
HTTP provides two attributes to control the permissions of cookies, namely Secure and HttpOnly.
If cookies have the Secure attribute, cookies will only be sent to the server when the HTTPS protocol is used. If the HTTP protocol is used, cookies information will not be sent.
And, if it is in the case of http, the server side is not allowed to set the Secure attribute to the cookie.
But setting the Secure attribute does not mean that cookies are safe, because cookies on the browser side can be obtained from other means.
Another attribute is HttpOnly. If cookies are set to HttpOnly, then cookies are not allowed to be accessed by JavaScript. By setting HttpOnly, we can improve the security of client data:
Set-Cookie: id=abcdef; Expires=Thu, 21 May 2021 08:00:00 GMT; Secure; HttpOnly
Cookies can also add Domain and Path attributes to mark the URL to which cookies can be sent.
Among them, Domain represents the domain name, and Path represents the path.
If the Domain is not set, the default is the host where cookies are set. This host does not contain subdomains. If the Domain is manually specified, the subdomain will be included.
For example, if we set Domain=flydean.com, then the subdomain: doc.flydean.com will also share this cookie.
Path is used to match the path of the URL, and only the matched URL can send cookies.
In addition, HTTP also provides a SameSite attribute, which indicates whether to send cookies to a third-party website if it is in a CORS environment, which can protect the information of the website to a certain extent.
There are three possible values for SameSite, which are Strict, Lax, and None. If in the case of Strict, then the cookie is only sent to the same site as the site where it was created. Lax is similar to Strict, except that it sends a cookie when the user navigates to the original site of the cookie, such as by visiting a link to an external site. None can be used in the original website and cross-site resource access, but it must be done in a secure environment (set the Secure attribute). If SameSite is not set, then the performance is consistent with Lax.
E.g:
Set-Cookie: name=flydean; SameSite=Strict
Third-party cookies
We know that cookies are related to domain. If the domain of cookies is the same as the currently visited page, this cookie is called first-party cookies. If it is different from the current page, such as accessing third-party pictures, scripts, css, etc., the third-party server may send their own cookies. Such cookies are called third-party cookies. Third-party cookies are mainly used for advertising or Track user behavior information.
For some browsers, third-party cookies may be disabled, which may cause some functional problems when visiting the website. You can mainly observe it.
Summarize
Using cookies can help us do many things, but we must also pay attention to the safety of cookies.
This article has been included in http://www.flydean.com/05-http-cookie/
The most popular interpretation, the most profound dry goods, the most concise tutorial, and many tips you don't know are waiting for you to discover!
Welcome to pay attention to my official account: "Program those things", know technology, know you better!
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用
。你还可以使用@
来通知其他用户。