Problem:
HTTP is a stateless protocol. When a site needs the server to remember information about a client across requests, Cookie technology is used.
What is a Cookie?
A Cookie is a small piece of data stored in a text file on the user's own computer (the client).
When the web server has sent a web page to the browser and the connection is closed, the server records no information about the user.
The role of the Cookie is to solve the question "how do we record the client's user information":
When a user visits a web page, his name can be recorded in a cookie.
The next time the user visits the page, the user's access record can be read back from the cookie.
Cookie attributes
name
The cookie's name.
value
The value corresponding to the name.
path
Example: path=/aa/bb on www.abc.com
Sets the paths under which pages are allowed to access the cookie.
domain
Subject to the Same Origin Policy.
domain='.baidu.com'
All domain names ending in .baidu.com can access the current cookie.
expires/Max-Age
The maximum survival time / expiration time.
0 indicates that the cookie is closed together with the browser.
A positive value means the cookie expires after that specific amount of time.
A negative value means it never expires.
secure
Indicates that the current cookie can only be transmitted over HTTPS, which is relatively safer.
httponly
httponly=true indicates that the current cookie can only be transmitted in HTTP or HTTPS requests and can no longer be accessed by JS.
Size
cookie size
The amount of data a single cookie can store is generally 4KB.
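The attributes above arrive in the browser as a Set-Cookie response header. The following added example (not code from the original post) parses such a header into the listed attributes and reports which protective attributes are missing; the header strings in the test are constructed for the demo, and the 4KB limit and one-year lifetime threshold are the checks this editor chose, not values from any standard library.

```javascript
// Added example: parse a Set-Cookie header and audit its attributes.
// Runs under Node; header values are constructed for the demo.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(p => p.length > 0);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    path: null, domain: null, expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    switch (key) {
      case 'path': cookie.path = val; break;
      // a leading dot is ignored by modern browsers; normalise it away
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'expires': cookie.expires = new Date(val); break;
      case 'max-age': cookie.maxAge = parseInt(val, 10); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val.toLowerCase(); break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// Report the weaknesses a reviewer would flag for a cookie that carries
// sensitive content (thresholds are this example's own choices).
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push('no Secure: cookie may be sent over plain HTTP');
  if (!c.httpOnly) findings.push('no HttpOnly: readable from document.cookie by injected script');
  if (!c.sameSite) findings.push('no SameSite: sent on cross-site requests');
  if (c.sameSite === 'none' && !c.secure) findings.push('SameSite=None requires Secure');
  if (c.expires !== null && isNaN(c.expires.getTime())) findings.push('unparseable Expires date');
  if (c.maxAge !== null && c.maxAge > 365 * 24 * 3600) findings.push('Max-Age longer than one year');
  if (Buffer.byteLength(c.name + '=' + c.value, 'utf8') > 4096) findings.push('name=value exceeds the usual 4KB limit');
  return { cookie: c, findings };
}
```

A session cookie such as JSESSIONID=...; Path=/; Secure; HttpOnly; SameSite=Lax produces no findings, while username=tom; Domain=.baidu.com; Max-Age=3600 is flagged three times.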
Using Cookies in JS
Setting a Cookie
function setCookie(cname, cvalue, exdays)
{
    // exdays: days until expiry; the 365 passed by checkCookie() was previously ignored
    var d = new Date();
    d.setTime(d.getTime() + exdays * 24 * 60 * 60 * 1000);
    document.cookie = cname + "=" + cvalue + "; expires=" + d.toUTCString() + "; path=/";
}
Getting the value of a Cookie
function getCookie(cname)
{
    var name = cname + "=";
    var ca = document.cookie.split(';');   // document.cookie holds all "name=value" pairs
    for (var i = 0; i < ca.length; i++)
    {
        var c = ca[i].trim();              // strip the space that follows each ';'
        if (c.indexOf(name) == 0) return c.substring(name.length, c.length);
    }
    return "";                             // not found
}
Checking a Cookie value
function checkCookie()
{
    var username = getCookie("username");
    if (username != "")
    {
        alert("Welcome again " + username);
    }
    else
    {
        username = prompt("Please enter your name:", "");
        if (username != "" && username != null)
        {
            setCookie("username", username, 365);
        }
    }
}
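The helpers above break if a value contains ';' or '=', and they set no attributes beyond expires. As an added example (not the post's own code), the pair below builds a document.cookie assignment string with the attributes listed earlier and URL-encodes the value, and reads a cookie back by exact name. Node has no document object, so the functions take and return strings; in a browser you would assign the result of buildCookie to document.cookie and pass document.cookie to readCookie. The option names (days, now, path, domain, secure, sameSite) are this example's own.

```javascript
// Added example: attribute-aware, encoding-safe cookie helpers for the client side.
// Note that httponly cannot be set from JS at all; it must come from the server.
function buildCookie(name, value, opts = {}) {
  // cookie names are RFC 6265 tokens: no separators, spaces or control chars
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  // encode so that ';', '=', ',' and non-ASCII in the value cannot split the cookie
  let s = name + '=' + encodeURIComponent(value);
  if (opts.days !== undefined) {
    const d = new Date(opts.now ?? Date.now());   // opts.now is for testing
    d.setTime(d.getTime() + opts.days * 864e5);   // 864e5 ms = one day
    s += '; expires=' + d.toUTCString();
  }
  s += '; path=' + (opts.path || '/');
  if (opts.domain) s += '; domain=' + opts.domain;
  if (opts.secure) s += '; secure';
  s += '; samesite=' + (opts.sameSite || 'Lax');  // default to Lax rather than nothing
  return s;
}

// cookieHeader is what document.cookie (or a request's Cookie header) looks like:
// "a=1; b=2". Match the whole name so "username" never matches "xusername".
function readCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const c = part.trim();
    const eq = c.indexOf('=');
    if (eq === -1) continue;
    if (c.slice(0, eq) === name) return decodeURIComponent(c.slice(eq + 1));
  }
  return '';
}
```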
JavaWeb use Cookie
Trouble Cookies may bring
Scripting attacks
Although a cookie is less dangerous than a virus, it still contains some sensitive information: the user name, computer name, browser, and the websites that have been visited. Users do not want this content leaked, especially when it also contains private information.
This is not alarmist: so-called cross-site scripting attacks (Cross-site scripting) can achieve exactly this. Cross-site scripting attacks usually exploit a vulnerability to implant script code into a site, or rely on a web page that references third-party script code; wherever a page includes script from elsewhere, a cross-site scripting attack is possible. When a site suffers such an attack, the script commands can read the entire Cookie contents of the current site (the Cookie's scope restriction does not help here, because the script runs within that site) and then submit the Cookie contents to a server the attacker specifies in some way (e.g. AJAX). Once the Cookie falls into the attacker's hands, its value can be reused.
It is recommended that developers, when outputting sensitive content to the client in a Cookie (for example, content that can identify the user):
(1) Set the Cookie so that scripts cannot read it (the httponly attribute described above); this solves the above problem to a certain extent.
(2) Encrypt the Cookie content, embedding a timestamp before encryption, so that each ciphertext is different (and to prevent message replay).
(3) Update the Cookie content on every client request, or at regular intervals (i.e. building on the second point, re-encrypt it).
(4) Every time a timestamp is written to the Cookie, the database records this latest timestamp (to prevent Cookie tampering or replay attacks).
(5) When the client submits the cookie, decrypt it and check the timestamp; if the timestamp is less than the one recorded in the database, an attack has occurred.
Based on these recommendations, even if the Cookie is stolen, because the Cookie is updated randomly and its content has no regularity, an attacker cannot use it. Another big advantage of using a timestamp is that it prevents Cookie tampering or replay.
Cookie theft: collecting the user's cookies and sending them to the attacker. The attacker then uses the cookie information to enter the user's account through an apparently legitimate means.
Cookie tampering: using the site's own security mechanism, the attacker rewrites and inserts content into the Cookie in order to continue the attack.