HTTP Lecture 17 - Cookie Mechanism

The birth background of cookies

HTTP is "stateless", which is both an advantage and a disadvantage. The advantage is that there is no state difference between servers, and clusters can be easily formed, but the disadvantage is that it cannot support transaction operations that need to record state.
The Cookie technology invented later added "memory ability" to HTTP.

What are cookies?

HTTP's cookie mechanism works the same way: since the server cannot remember anything itself, it has something outside itself do the remembering. It is as if the server pastes a small note on each client, holding data that only the server can interpret. When needed, the
client sends that note back to the server, and as soon as the server sees the cookie it can recognize who the other party is.
(Equivalently: the server tags each client!!!)

How cookies work

When a user accesses the server for the first time through a browser, the server certainly does not know who they are. It therefore creates a unique piece of identification data in the form "key=value", puts it into a Set-Cookie field, and sends it to the browser along with the response message.
The browser receives the response, sees the Set-Cookie field, and knows this is the identity the server has assigned it, so it saves the value and, on the next request, automatically places it into the Cookie field sent to the server.
Because the second request carries a Cookie field, the server knows this user is not a newcomer but has been here before; it can take the value out of the cookie, identify the user, and then provide personalized service.
However, the server's "memory ability" is really poor, and one small note is often not enough. So the server sometimes adds multiple Set-Cookie fields to the response header, storing several "key=value" pairs. The browser does not need multiple Cookie fields when sending them back: they all go on one line, separated by ";".
[Figure omitted: diagram of the Set-Cookie / Cookie exchange between browser and server]
From this picture we can also see that cookies are stored by the browser, not by the operating system. A cookie is therefore "browser-bound" and only takes effect within that browser.
If you switch browsers or computers, the new browser holds no cookie for that server. It is like taking off the clothes with the note attached: the "forgetful" server will not recognize you, and you have to go through the Set-Cookie process again.
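The first-visit and second-visit exchange described above, written out as a small simulation. This is an added example, not code from the original post or from the course it summarizes; the `Server` and `Browser` classes and the cookie name `sid` are assumptions made for the demo, and it uses the standard library's `http.cookies` to build and parse the header values.

```python
# Added example (not code from the original post): a simulated first and second
# visit. Server, Browser and the "sid" cookie name are assumptions for the demo.
import secrets
from http.cookies import SimpleCookie


class Server:
    """Handles one request at a time and keeps no per-connection state;
    its only "memory" is the session table it looks up through the cookie."""

    def __init__(self):
        self.sessions = {}  # session id -> number of requests seen with it

    def handle(self, request_headers):
        """Return (body, response_headers) for a request given as a header dict."""
        jar = SimpleCookie()
        jar.load(request_headers.get("Cookie", ""))
        sid = jar["sid"].value if "sid" in jar else None

        if sid in self.sessions:
            # The note came back: the server recognizes the client.
            self.sessions[sid] += 1
            return f"welcome back, visit #{self.sessions[sid]}", {}

        # Missing or unknown cookie: mint an unguessable id, remember it,
        # and hand it to the browser with the protective attributes set.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = 1
        out = SimpleCookie()
        out["sid"] = sid
        out["sid"]["max-age"] = 3600
        out["sid"]["path"] = "/"
        out["sid"]["secure"] = True
        out["sid"]["httponly"] = True
        out["sid"]["samesite"] = "Lax"
        return "hello, newcomer", {"Set-Cookie": out["sid"].OutputString()}


class Browser:
    """Cookie storage lives in the browser, so each Browser has its own jar."""

    def __init__(self):
        self.cookies = {}  # name -> value

    def request(self, server):
        headers = {}
        if self.cookies:
            # Several cookies travel in ONE Cookie field, separated by "; ".
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        body, response_headers = server.handle(headers)
        if "Set-Cookie" in response_headers:
            parsed = SimpleCookie()
            parsed.load(response_headers["Set-Cookie"])
            for name, morsel in parsed.items():
                self.cookies[name] = morsel.value
        return body


def demo():
    """Two visits from one browser, then a visit from a different browser."""
    server = Server()
    alice = Browser()
    first = alice.request(server)    # no cookie yet -> Set-Cookie is issued
    second = alice.request(server)   # cookie sent back -> recognized
    bob = Browser()                  # a different browser carries no note
    other = bob.request(server)
    return first, second, other, len(server.sessions)


if __name__ == "__main__":
    print(demo())
```

The session id is generated with `secrets.token_urlsafe` rather than a counter, because the cookie is the only thing that identifies the client: a guessable value would let anyone forge the note. The second browser gets treated as a newcomer even though it talks to the same server, which is the "browser-bound" behaviour described above.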

Properties of cookies

A cookie is some data that the server entrusts the browser to store in the client, and these data usually record the key identification information of the user. Therefore, it is necessary to use some means to protect the "key=value" to prevent leakage or theft. These means are the attributes of cookies.

The lifecycle of cookies

A cookie should be given a life cycle, that is, a validity period, so that it can only be used for a limited time, much like the "freshness period" of food. Once that period is exceeded, the browser treats the cookie as invalid, deletes it from storage, and no longer sends it to the server.
The expiration of a cookie can be set with two attributes, Expires and Max-Age.
"Expires", commonly called the "expiration time", is an absolute point in time, which can be understood as a "deadline". "Max-Age" is a relative time in seconds: the browser computes the absolute expiry by adding Max-Age to the moment it received the message.
Expires and Max-Age can appear together, and the two may or may not agree, but the browser gives priority to Max-Age when calculating the expiration date.

Scope of cookies

Set the scope of the cookie so that the browser can only send it to a specific server and URI to avoid being stolen by other websites.
Setting the scope is relatively simple: "Domain" and "Path" specify the domain name and path the cookie belongs to. Before sending a cookie, the browser extracts the host and path from the request URI and compares them with the cookie's attributes; if they do not match, the cookie is not included in the request header.

Cookie Security

In JS scripts, document.cookie can be used to read and write cookie data, which brings a security risk: a "cross-site scripting" (XSS) attack can steal the data.
The "HttpOnly" attribute tells the browser that this cookie may only travel through the browser's HTTP protocol and must not be accessed by any other means. The browser's JS engine then disables the related APIs such as document.cookie for it, so a script can no longer read it.
Another attribute, "SameSite", can prevent "cross-site request forgery" (XSRF) attacks. Setting "SameSite=Strict" strictly stops the cookie from being sent across sites, even via a jump link, while "SameSite=Lax" is slightly looser: it allows safe methods such as GET/HEAD but prohibits cross-site sending on POST.
There is also an attribute called "Secure", which means the cookie may only be transmitted over the encrypted HTTPS protocol; plaintext HTTP must not send it. Note that the cookie itself is not encrypted and still sits in plaintext in the browser.
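A simplified model of the browser-side decision "should this stored cookie be attached to this request?", pulling together the lifecycle, scope and security attributes from the last three sections: Max-Age takes priority over Expires, Domain and Path are matched against the request URI, Secure blocks plaintext HTTP, HttpOnly hides the cookie from scripts, and SameSite=Strict/Lax is applied to cross-site requests. This is an added example, not code from the original post; the `StoredCookie` dataclass and function names are assumptions, the sample header values in `demo()` are constructed, and the `cross_site` flag is supplied by the caller instead of being derived from a public-suffix list as a real browser would do.

```python
# Added example (not from the original post). StoredCookie, should_send and the
# sample values in demo() are constructed for illustration; cross_site is an
# input here, whereas a browser computes it from the initiating site.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str                          # host it applies to (lower-case)
    host_only: bool = True               # no Domain attribute -> exact host only
    path: str = "/"
    expires: Optional[datetime] = None   # None -> session cookie
    secure: bool = False
    http_only: bool = False
    same_site: str = "Lax"               # assumed default when unspecified


def parse_set_cookie(header: str, request_host: str, received_at: datetime) -> StoredCookie:
    """Turn one Set-Cookie header value into a StoredCookie."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    cookie = StoredCookie(name.strip(), value.strip(), request_host.lower())
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            max_age = int(val)
        elif key == "expires":
            expires = parsedate_to_datetime(val)
        elif key == "domain":
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.capitalize()
    # Both may be present; Max-Age wins, as the text says.
    if max_age is not None:
        cookie.expires = received_at + timedelta(seconds=max_age)
    elif expires is not None:
        cookie.expires = expires
    return cookie


def should_send(cookie: StoredCookie, url: str, now: datetime,
                cross_site: bool = False, method: str = "GET") -> bool:
    """Apply the browser's checks; any failing check keeps the cookie at home."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    if cookie.expires is not None and now >= cookie.expires:
        return False                                    # past its freshness date
    if cookie.host_only and host != cookie.domain:
        return False
    if not cookie.host_only and not (host == cookie.domain or host.endswith("." + cookie.domain)):
        return False                                    # outside the Domain scope
    if not (path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")):
        return False                                    # outside the Path scope
    if cookie.secure and parts.scheme != "https":
        return False                                    # Secure: never over plaintext HTTP
    if cross_site and cookie.same_site == "Strict":
        return False
    if cross_site and cookie.same_site == "Lax" and method.upper() not in ("GET", "HEAD"):
        return False                                    # Lax: safe methods only
    return True


def cookie_header(cookies: list[StoredCookie], url: str, now: datetime, **kw) -> str:
    """Build the single Cookie request field from every cookie that passes the checks."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies if should_send(c, url, now, **kw))


def demo() -> dict:
    """Constructed scenario: one protected session cookie and one plain cookie."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # when the response arrived
    hdr = ("sid=abc123; Max-Age=3600; Expires=Wed, 21 Oct 2015 07:28:00 GMT; "
           "Domain=example.com; Path=/shop; Secure; HttpOnly; SameSite=Lax")
    sid = parse_set_cookie(hdr, "www.example.com", t0)
    theme = parse_set_cookie("theme=dark", "www.example.com", t0)
    later, cart = t0 + timedelta(minutes=30), "https://shop.example.com/shop/cart"
    return {
        "max_age_wins": sid.expires == t0 + timedelta(hours=1),   # stale Expires ignored
        "in_scope": should_send(sid, cart, later),
        "plain_http": should_send(sid, "http://shop.example.com/shop/cart", later),
        "wrong_path": should_send(sid, "https://shop.example.com/account", later),
        "other_site": should_send(sid, "https://example.org/shop/cart", later),
        "expired": should_send(sid, cart, t0 + timedelta(hours=2)),
        "cross_post": should_send(sid, cart, later, cross_site=True, method="POST"),
        "cross_get": should_send(sid, cart, later, cross_site=True),
        "script_read": not sid.http_only,                       # what document.cookie would see
        "header": cookie_header([sid, theme], "https://www.example.com/shop", later),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:>13}: {result}")
```

Two details worth noticing: the Expires date in the sample is years in the past yet the cookie stays valid for an hour, because Max-Age takes priority; and a cookie without a Domain attribute is matched to the exact host only, so `theme` is sent to www.example.com but would not be sent to shop.example.com.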

Application of Cookies

Identification

One of the most basic uses of cookies is identification: saving the user's login state and so implementing session transactions.
For example, when you log in to an e-commerce site with your account and password, the server sends a cookie to the browser after a successful login, with content along the lines of "name=yourid", and the identity label is now attached to you.
After that, whenever you visit any product page on the site, the browser automatically sends the identity cookie, so the server always knows who you are. On one hand this avoids repeated logins; on the other hand it lets the site automatically record your browsing history and orders (in a backend database, or also in cookies), achieving "state retention".

ad tracking

You have surely seen plenty of advertising images while browsing. Behind these images are advertiser websites (such as Google), which "secretly" paste a cookie on you, so that when you go to other websites, other advertisements can use that cookie to read out your identity, analyze your behavior, and then push advertisements to you.

Because this kind of cookie is not stored by the main website being visited, it is called a "third-party cookie". If the advertiser is powerful and its advertisements are everywhere, the effect is rather "scary": wherever you go, it recognizes you through the cookie and delivers a "precision strike" of advertising.

summary

  1. Cookies are some data that the server entrusts the browser to store, giving the server a "memory ability";
  2. The response message uses the Set-Cookie field to send the Cookie value in the form of "key=value";
  3. The request message uses the Cookie field to send multiple Cookie values;
  4. In order to protect the cookie, it is necessary to set the validity period, scope and other attributes for it. The commonly used ones are Max-Age, Expires, Domain, HttpOnly, etc.;
  5. The most basic use of cookies is to identify and implement stateful session transactions.

PS: This article is my notes taken after watching Geek.


Source: blog.csdn.net/Elon15/article/details/131660905