Cookies in Detail (2)

Disclaimer: This is an original article by the blogger and may not be reproduced without the blogger's permission. https://blog.csdn.net/u011127019/article/details/89205955

Background

The HTTP protocol defines a mechanism for recording information about the interaction between client and server. This mechanism is called the cookie. The cookie specification defines the format, lifetime, scope, and security of the information exchanged between server and client.

Cookie format

Cookie information is stored as text. During client-server interaction it is carried in HTTP message headers, and it consists of key/value pairs. The following is an example of a cookie in an HTTP header:

Set-Cookie: key=value; Path=/

The information stored in a cookie consists of the cookie's own attributes and user-defined attributes; a cookie can contain only one custom key/value pair. The cookie's own attributes are "Comment", "Domain", "Max-Age", "Path", "Secure", and "Version".

The Comment attribute is a description of the cookie, supplied when the cookie is generated.

The Domain attribute defines the domain names that can access the cookie. On some large sites, if you want a cookie to be shared among subsites, you can use this attribute. For example, if Domain is set to .bigsite.com, then both sub1.bigsite.com and sub2.bigsite.com can access the cookie saved on the client; Path then also needs to be set to /.

The Max-Age attribute defines the lifetime of the cookie, in seconds. Once the cookie has expired, the client no longer attaches it to the HTTP message headers it sends to the server.

The Path attribute defines which pages on the site can access the cookie. By default, Path is the path of the page that generated the cookie, and the cookie can be accessed by that path and the sub-pages under it. Path can be set to / so that all pages on the site can access the cookie.

The Secure attribute defines the cookie's security setting. When its value is true, the client attaches the cookie to HTTP messages sent to the server only over HTTPS; over plain HTTP the cookie is not transmitted. When Secure is false, the cookie is transmitted over HTTP as well. By default, Secure is false.

The Version attribute defines the version of the cookie and is set by the cookie's creator.

 

Cookie creation

A cookie can be created on the server side and then attached to the HTTP message header sent to the client. If the cookie defines a validity period, it is stored on the client's local disk. The saved cookie file is a text file, so there is no need to worry that its contents will be executed and damage the client's machine. Web development languages provide methods or functions to create a cookie, to set its attributes and add custom attributes, and finally to attach the cookie to the HTTP message header returned to the client.

If you do not specify a lifetime when creating a cookie, the cookie is valid only until the browser is closed. It is still transferred between server and client, but it is not saved to the client's disk, and a newly opened browser will not get the originally created cookie information. Cookies stored locally are saved in a special directory for the currently logged-on user, and the cookie file name includes the domain name of the site whose page created the cookie. When the browser connects to the site again, it selects that site's valid cookies from the local cookie directory and attaches the stored information to the HTTP header sent to the server. The server program can then provide "memory" or personalized services to the client based on the information from the last visit stored in the cookie.

Besides being created on the server side, a cookie can also be created in the client browser by client-side script (such as JavaScript). A cookie created on the client has the same nature as one created on the server: it can be saved locally, and it can also be sent to the server and read by the server program.

Cookie Usage

As the definition shows, the cookie is a general HTTP mechanism for exchanging information between client and server, used to record information that needs to be persisted. Typically the server creates the information to be recorded and passes it to the client; the client extracts it from the HTTP message and saves it to local disk. When the client accesses the server again, it reads the previously saved information from local disk and appends it to the HTTP message sent to the server; the server reads the information from the message and processes it further as the application requires.

Creating and re-reading cookies on the server side is normally done with functions of the server-side programming language. Storing and reading cookies on the client is generally handled by the browser, which also lets you configure cookie security settings, such as whether the machine may save cookies. Because cookie information is stored in plain text in a text file, sensitive information such as passwords or bank account numbers should preferably be stored in encrypted form if it must be saved in a local cookie file.

Other

Another concept similar to the cookie is the session. A session usually records information that persists for the duration of the connection between client and server, from the time the client's browser connects to the server until the browser is closed. Sessions are typically kept in memory and not saved to disk. A session can be implemented with the cookie mechanism; for clients that do not support cookies, it can be implemented using URL rewriting. A session can be thought of as an in-memory cookie. Using sessions negatively affects system scalability: when session objects must be replicated and synchronized across many servers, system performance suffers considerably, especially when the session objects are large. In this case cookies can be used instead: the information to be recorded is stored on the client and sent to the server with each request, so the server keeps no state information, which avoids the performance degradation caused by replicating sessions across multiple machines.

Note:
1. domain represents the domain of the cookie; the default is the domain of the request address. For example, if the page is at www.test.com/test/test.aspx, then the default domain is www.test.com. For cross-domain access, suppose domain A is t1.test.com and domain B is t2.test.com: to make a cookie produced in domain A accessible to both domain A and domain B, set the cookie's domain to .test.com; to make a cookie produced in domain A inaccessible to domain A but accessible to domain B, set the cookie's domain to t2.test.com.

2. path represents the directory of the cookie; the asp.net default is /, the root directory.

Suppose the same server has the following directories: /test/, /test/cd/, /test/dd/.

cookie1 has the path /test/,

cookie2 has the path /test/cd/.

Then all pages under /test/ can access cookie1,

while pages under /test/ and /test/dd/ cannot access cookie2. This is because a cookie can only be accessed by pages under its path.

3. The browser saves cookies with the same domain and path in one file, with * as the separator between cookies.

4. Cookies whose value contains key-value pairs: I had previously only used cookies with a single name=value pair, and was lost when it came to cookies with multiple sub-key/value pairs. Now I am beginning to understand. The format of a cookie containing multiple sub-keys is name=key1=value1&key2=value2. It can be understood as a single key-value pair whose value is a string holding multiple key-value pairs in a custom format, with & as the delimiter between pairs. You can of course use a custom delimiter, but asp.net uses & as the separator when reading them.
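The Domain, Path and Secure rules from notes 1 and 2, checked in code. This is an added example, not from the original article: it follows the domain-match and path-match rules of RFC 6265, and the jar entries and the `host_only` flag (set when the cookie had no Domain attribute) are constructed for illustration.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain, host_only):
    """Exact host match, or a dot-separated suffix match if Domain was set."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    # The "." prefix keeps eviltest.com from matching test.com.
    return not host_only and host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """The cookie path must be a directory-wise prefix of the request path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(url, jar):
    """Names of the cookies in `jar` that would be attached to a request for `url`."""
    u = urlsplit(url)
    sent = []
    for c in jar:
        if c["secure"] and u.scheme != "https":
            continue  # Secure cookies are not sent over plain HTTP
        if (domain_match(u.hostname, c["domain"], c["host_only"])
                and path_match(u.path or "/", c["path"])):
            sent.append(c["name"])
    return sent

# Constructed jar using the hosts and paths from the notes above.
JAR = [
    {"name": "shared", "domain": ".test.com", "host_only": False, "path": "/", "secure": False},
    {"name": "cookie1", "domain": "t1.test.com", "host_only": True, "path": "/test/", "secure": False},
    {"name": "cookie2", "domain": "t1.test.com", "host_only": True, "path": "/test/cd/", "secure": False},
    {"name": "sid", "domain": "t1.test.com", "host_only": True, "path": "/", "secure": True},
]
```

Setting Domain to .test.com makes `shared` visible to every host under test.com, so a cookie that only one host needs is better left host-only.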
