Web security: what a cookie is, and the danger of cookie data leakage

1. What Is a Cookie

Simply put, a cookie is a piece of personal information that a website saves in the user's browser. With a cookie, the user can avoid entering a user name, or even a password, the next time they visit the website (for example, when logging in to Taobao.com, the user name field is auto-filled, while the password must still be entered for security); this varies from site to site. In addition, after the user logs in with an account, the website relies on the cookie to maintain the session and keep the user online. Once all the cookie data for the current website is cleared, the user is logged out immediately. Enough talk; look at the picture:

This is the cookie in the OSChina logged-in state. Next, clear it and refresh; the result is as follows:

It can be seen that without the cookie, the user immediately becomes a guest; that is, the information that maintained the login state no longer exists. So without cookies, many websites would not be able to support login. As another example, when a user visits a shopping website such as JD.com, they can add a selected product to the shopping cart without logging in. This also relies on cookies, which record the user's shopping cart data. As long as the cookies are not cleared, the shopping cart still shows the added items the next time the website is opened.

2. Hazards of Cookie Data Leakage

Taking OSChina above as an example: if I open a second browser (Cheetah), visit oschina.net as a guest, then take the oscid value from the first browser's (Chrome) cookie and inject it into the second browser, what will the result be?

Inject this oscid value through a script, then refresh, and you can see that the guest has become a logged-in user. That is to say, some websites map one or more cookie values to a member ID. As long as any browser on any computer holds these cookie values, it is logged in as that member automatically. Of course, the cookie value has an expiration time (determined by the response header sent by the website) to ensure a certain degree of security. In addition, oschina should disable JavaScript reading of the oscid cookie value, to prevent an unknown XSS (cross-site scripting) vulnerability on the site from leading to the theft of user accounts; so for demonstration purposes, I took it out of the browser's settings function.
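The expiration time and the restriction on script reading mentioned above are both set by the site in its Set-Cookie response header (the HttpOnly attribute is what hides a cookie from page scripts). The following added example, which is not from the original article, audits such a header for a login cookie; the cookie values, the 14-day lifetime limit and the function name are assumptions made for illustration.

```javascript
// Assumed policy: a login cookie should not live longer than 14 days.
const MAX_LIFETIME_SEC = 14 * 24 * 3600;

// Audit one Set-Cookie header value for the protections a login cookie needs.
// Returns the cookie name and a list of findings (empty list = nothing flagged).
function auditSetCookie(header, now = Date.now()) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);

  // Attribute names are case-insensitive; flags such as HttpOnly carry no value.
  const attrs = new Map();
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }

  const findings = [];
  if (!attrs.has("httponly")) findings.push("missing HttpOnly: page scripts can read it via document.cookie");
  if (!attrs.has("secure")) findings.push("missing Secure: also sent over plain HTTP");

  // Max-Age takes precedence over Expires; neither means a browser-session cookie.
  let lifetimeSec = null;
  if (/^-?\d+$/.test(attrs.get("max-age") || "")) {
    lifetimeSec = Number(attrs.get("max-age"));
  } else if (attrs.has("expires")) {
    const t = Date.parse(attrs.get("expires"));
    if (!Number.isNaN(t)) lifetimeSec = Math.round((t - now) / 1000);
  }
  if (lifetimeSec !== null && lifetimeSec > MAX_LIFETIME_SEC) {
    findings.push(`lifetime of ${Math.round(lifetimeSec / 86400)} days exceeds policy`);
  }
  return { name, findings };
}

// Constructed sample headers (the values are placeholders, not real session IDs).
const WEAK = "oscid=CONSTRUCTED-VALUE; Path=/; Max-Age=31536000";
const HARDENED = "oscid=CONSTRUCTED-VALUE; Path=/; Max-Age=86400; HttpOnly; Secure";

console.log(auditSetCookie(WEAK));
console.log(auditSetCookie(HARDENED));
```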

The role of cookies is not small: they bring great convenience to users and website operators, but they also inevitably bring some security concerns. As long as we maintain security awareness and do not log in to sensitive accounts on public computers, we can reap the benefits, avoid the drawbacks, and enjoy cookies.