One, what is a Cookie?
HTTP is stateless: the server handles each request on its own and remembers nothing from one request to the next (with early HTTP the connection was also closed after every exchange, and a new one opened for the next). Take an example: I visit Taobao to buy something, pick out a lollipop and place the order. To the server the order is just another request; it has no idea who I am. I do have an account and an ID that identifies me, but nothing in this request ties it to me. So how am I supposed to pay?
Our business is stateful, so cookies were invented to carry that state.
A cookie is a small piece of data that the server sends to the user's browser and that the browser stores locally; on later requests to the same server the browser sends it back. That is how the server tells whether two requests came from the same browser.
While the browser is running, its cookies are held in memory. Persistent cookies are also written to a file in the browser's profile directory so that they survive closing the browser; session cookies are discarded when the browser exits.
Two, what cookies are used for
1. Session state management (login status, shopping cart, anything else that must be remembered across requests).
Recording login status is the most common use of all. After a user logs in, the web server issues a signed token (or a session identifier) that marks the session as valid, so the user does not have to authenticate again on every visit to the site.
Cookies also record where the user is in a flow, for example navigation state or progress through a registration process.
2. Personalization (user-defined settings, themes).
Cookies are often used to remember user-specific information so that a site can tailor its service to that user.
For example, QQ's ptlogin remembers the QQ number after one login, so that it is filled in by default the next time.
Cookies also store user-defined settings. When a user changes a setting it is stored in the browser, and on the next visit the server renders the page according to the cookie it receives. Google search settings (interface language, results per page, how results open, and so on) are stored in a cookie this way.
3. Tracking user behaviour.
A typical example is the company's TCSS system, which uses cookies to record users' click streams and the conversion rate of a product or campaign. The same thing can be approximated from the client IP or the HTTP Referer header, but cookies are more accurate.
Three, Cookie types
Session cookie: valid only for the current browser session and deleted when the browser is closed. To create one, simply omit Expires (and Max-Age) when setting the cookie.
Persistent cookie: as the name suggests, a cookie that outlives the session. If you set Max-Age to one month, every HTTP request to a matching URL during that month carries the cookie. It can record initialization or customization data, for example a first visit, or a weak "remember me" login state.
Secure cookie: sent only over HTTPS, which guarantees the cookie is encrypted on its way from the client to the server. This greatly reduces the chance of the cookie being exposed in the clear and stolen in transit.
HttpOnly cookie: every mainstream browser has supported HttpOnly for a long time (IE since 6 SP1, Firefox since 2.0.0.5, Opera since 9.5, and Safari and Chrome). In such browsers an HttpOnly cookie is only ever carried on HTTP(S) requests; it is invisible to client-side script (JavaScript), which stops cross-site scripting payloads from reading it. An attempt to overwrite it from JavaScript with a cookie of the same name is ignored, so only the original HttpOnly value is sent to the server.
Third-party cookie: a first-party cookie is one set on the domain (or a subdomain) shown in the browser's address bar; a third-party cookie is one set on a different domain. For example, when a user visits a.com, ad.google.com sets a cookie, and when the user visits b.com, ad.google.com sets a cookie again. This is how advertising networks such as Google AdSense and Alimama work: the advertiser can collect the user's habits and browsing history across sites.
Super cookie: a cookie set on a public suffix. Normally a page on a.b.com may set cookies for a.b.com or b.com, but not for .com; unfortunately some older browsers had incomplete filters for newer public suffixes, which made super cookies possible.
Zombie cookie: a cookie that automatically recreates itself after the user deletes it. It relies on other local storage mechanisms such as Flash shared objects or HTML5 local storage: when the user deletes the cookie, a backup is read from that other storage and the cookie is planted again.
Four, Cookie implementation
Cookies travel in HTTP headers between client and server: the server sets a cookie with a Set-Cookie response header (one Set-Cookie header per cookie), and the browser returns its cookies in the Cookie request header. The number of cookies a browser will store varies between browsers.
The common attributes, in the form used when setting a cookie from script: document.cookie = "key=value; expires=<expiry date>; path=<path>; domain=<domain>; secure"; Note that only the name=value pair is ever sent back to the server; the attributes are kept by the browser and never transmitted.
name: identifies the cookie (together with its domain and path). Modern browsers treat cookie names as case-sensitive.
value: the string stored in the cookie. It is best to URL-encode both the name and the value, since characters such as ';', ',' and whitespace are not allowed in them.
expires: the expiration time, a timestamp telling the browser when to delete the cookie. If it is not set, the browser removes the cookie when it is closed; otherwise you choose the deletion time yourself. The value is in GMT, and because it is an absolute time, a clock difference between client and server shifts the actual lifetime.
path: the path the cookie applies to; the browser sends the cookie only for request paths that match it.
domain: the domain the cookie is valid for; every request to that domain carries the cookie. It can name a specific host (e.g. yq.aliyun.com) or a parent domain (e.g. aliyun.com, valid for all subdomains of aliyun.com). If Domain is not specified, it defaults to the host of the current document, excluding subdomains. If Domain is specified, subdomains are included: with Domain=mozilla.org the cookie is also sent to developer.mozilla.org. Path, by contrast, restricts which paths on that host receive the cookie (the cookie's path must be a prefix of the request URL's path).
secure: a safety flag; once set, the cookie is sent only over an SSL/TLS connection and is omitted from plain http requests. Setting secure does not stop someone with access to the machine from reading the cookie stored locally, so do not put important information into cookies in the first place: Secure protects the cookie in transit, nothing more. Even with Secure, sensitive information should not be carried in cookies, because cookies are inherently insecure.
max-age: same effect as expires, but tells the browser how long the cookie lives in seconds rather than a fixed point in time. max-age takes precedence over expires.
HttpOnly: a cookie marked HttpOnly cannot be read by JavaScript. Cross-site scripting (XSS) attacks often use the document.cookie API to steal users' cookies, so HttpOnly prevents that kind of theft to a degree. It tells the browser not to let script change the value through document.cookie, and the value is not visible in document.cookie either, but every HTTP request to the site still carries it. Note that although script cannot read it, the cookie still exists on disk in the browser's profile. Only the server can set this attribute; it cannot be set from script.
Setting cookies from script: JavaScript (or a similar language running in the browser) can also set cookies, e.g. in JavaScript: document.cookie = "key=newvalue";
Five, browser-related notes
a) The original cookie specification required browsers to support at least 300 cookies in total, each up to 4 KB, and at least 20 cookies per domain (server); RFC 6265 raised these minimums to 3000 cookies in total and 50 per domain.
b) Browsers let users delete and disable cookies.
c) Typing javascript:alert(document.cookie) in the address bar shows the current page's cookies (only those without the HttpOnly flag; modern browsers block or strip javascript: URLs pasted into the address bar, so use the developer console instead).
d) By default, IE only accepts third-party cookies from sites that send a P3P compact policy ("CP") header.
Six, Cookie session hijacking and theft
Because the alternative authentication approaches have many drawbacks, most sites use a cookie as the unique identifier of a user. In that case an attacker who steals the cookie can replay the user's requests, and the server has no way to tell whether a request came from the user or from the attacker.
The risks of using cookies as user identification are given below:
a. Network sniffing
Data sent over the network can be captured, especially on public, unencrypted networks (free Wi-Fi). That includes everything in plain HTTP sessions (anything not inside an encrypted HTTPS channel), and therefore the cookies inside them. Once an attacker has the cookie in plain text he can act as the user: change the password, make purchases, and so on.
The fundamental fix is HTTPS, which encrypts both content and cookies inside an SSL/TLS channel. Some secondary protections can serve as transitional compromises.
b. DNS cache poisoning and malicious DNS servers
Through a DNS cache or a vulnerability at the DNS provider for a domain (say www.baidu.com), an attacker can point a subdomain such as hack.www.baidu.com at his own IP address. He then gets people to load a resource like http://hack.www.baidu.com/a.png, and the browser sends him every cookie scoped to baidu.com, including those with the HttpOnly attribute.
Solutions: 1. reduce invalid DNS configuration; 2. ISPs and DNS providers harden their own management; 3. HTTPS, which encrypts and authenticates requests: the attacker cannot obtain a certificate for the domain from a certificate authority, so the user receives a prominent warning when something is wrong.
c. Cross-site scripting (XSS): stealing cookies
JavaScript and similar scripting languages can read the cookies within a page's document and can also issue a request to any server. Put together, an attacker's script can lift the cookies from the current document and send them away. If the exfiltration address is https://attacker.com/stole.cgi, a Secure cookie goes along just the same: Secure only means it travels encrypted, and attacker.com terminates that encryption and reads it in the clear.
Cross-site scripting is a perennial web-security topic; web developers are responsible for filtering out malicious input. At the same time, HttpOnly cookies cannot be read by client-side script, which greatly reduces the risk of cookie theft.
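The following is an added example, not code from the original post: a small JavaScript cookie jar that models the attributes listed in section Four (expires, max-age, domain, path, secure, HttpOnly) and the rules a browser applies when deciding which cookies a request carries and which ones page script can see through document.cookie. It ties the attribute list to this section: the same jar shows why a Secure cookie still leaves over https, and why an HttpOnly cookie never appears in document.cookie for an XSS payload to read. The hostnames and Set-Cookie headers are constructed for the demo, and the model is deliberately simplified relative to RFC 6265 (no SameSite, no public-suffix list).

```javascript
// Added example (not from the original post): a minimal cookie jar modelling
// Set-Cookie attributes and the browser's matching rules. Simplified vs
// RFC 6265: no SameSite, no public-suffix list. Hostnames are made up.

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Default Path when Set-Cookie has none: request path up to its last '/'
// (e.g. /app/page -> /app, /x -> /).
function defaultPath(pathname) {
  const last = pathname.lastIndexOf('/');
  return last <= 0 ? '/' : pathname.slice(0, last);
}

// Parse one Set-Cookie header received from requestUrl. Returns null when a
// browser would ignore it (no name, or Domain does not cover the host).
function parseSetCookie(header, requestUrl, now) {
  const url = new URL(requestUrl);
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null;
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: url.hostname, hostOnly: true,   // no Domain attribute: host-only
    path: defaultPath(url.pathname),
    secure: false, httpOnly: false,
    expires: null,                          // null = session cookie
  };
  let expires = null;
  let maxAge = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'expires') { const t = Date.parse(val); if (!Number.isNaN(t)) expires = t; }
    else if (key === 'max-age') { if (/^-?\d+$/.test(val)) maxAge = Number(val); }
    else if (key === 'domain') {
      const d = val.replace(/^\./, '').toLowerCase();   // leading dot is ignored
      if (!domainMatches(url.hostname, d)) return null; // cannot set cookies for other sites
      cookie.domain = d; cookie.hostOnly = false;       // covers d and all subdomains
    }
    else if (key === 'path') { if (val.startsWith('/')) cookie.path = val; }
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  // Max-Age takes precedence over Expires; Max-Age <= 0 deletes the cookie.
  if (maxAge !== null) cookie.expires = maxAge <= 0 ? 0 : now + maxAge * 1000;
  else if (expires !== null) cookie.expires = expires;
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store the cookie from a Set-Cookie header; returns true if it was kept.
  setCookie(header, requestUrl, now = Date.now()) {
    const c = parseSetCookie(header, requestUrl, now);
    if (!c) return false;
    // Same name + domain + path replaces the existing cookie.
    this.cookies = this.cookies.filter(
      (o) => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    if (c.expires !== null && c.expires <= now) return false; // expired: deletion only
    this.cookies.push(c);
    return true;
  }

  // Cookies a request to url carries: unexpired, domain- and path-matching,
  // Secure ones only over https. Longer paths first, as browsers do.
  matching(url, now = Date.now()) {
    const u = new URL(url);
    return this.cookies
      .filter((c) => (c.expires === null || c.expires > now)
        && (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain))
        && pathMatches(u.pathname, c.path)
        && (!c.secure || u.protocol === 'https:'))
      .sort((a, b) => b.path.length - a.path.length);
  }

  // The Cookie request header: HttpOnly cookies ARE included here.
  cookieHeader(url, now = Date.now()) {
    return this.matching(url, now).map((c) => `${c.name}=${c.value}`).join('; ');
  }

  // What document.cookie exposes to page script: HttpOnly cookies are hidden,
  // so an XSS payload reading document.cookie never sees them.
  documentCookie(url, now = Date.now()) {
    return this.matching(url, now).filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed sample responses for the demo.
function buildDemoJar(now) {
  const jar = new CookieJar();
  jar.setCookie('sid=abc123; Path=/; Secure; HttpOnly', 'https://www.example.com/login', now);
  jar.setCookie('theme=dark; Max-Age=2592000; Domain=.example.com', 'https://www.example.com/settings', now);
  jar.setCookie('tmp=1', 'https://www.example.com/app/page', now);              // session cookie, Path=/app
  jar.setCookie('evil=1; Domain=attacker.com', 'https://www.example.com/', now); // ignored by the jar
  return jar;
}

const T0 = Date.UTC(2024, 0, 1);
const demo = buildDemoJar(T0);
console.log('https /app/x  Cookie:', demo.cookieHeader('https://www.example.com/app/x', T0));
console.log('http  /app/x  Cookie:', demo.cookieHeader('http://www.example.com/app/x', T0));
console.log('document.cookie     :', demo.documentCookie('https://www.example.com/app/x', T0));
```

Run it with node. The https request carries all three cookies, the plain http request drops the Secure one, and document.cookie hides the HttpOnly session id even though the browser keeps sending it. A Set-Cookie whose Domain does not cover the responding host is dropped, which is the rule that stops www.example.com from planting cookies for attacker.com (and vice versa); a later Set-Cookie with Max-Age=0 for the same name, domain and path removes the cookie.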
d. Cross-site scripting (XSS): hijacking
Once an attacker can inject a JavaScript snippet into www.test.com, any user who has not disabled JS is easily hijacked. The attacker uses the user's own browser to make HTTP requests to test.com, so every cookie belonging to the user is attached automatically, including HttpOnly and Secure ones. The share worm that hit Renren is an example.
Beyond eliminating cross-site scripting vulnerabilities, behaviour verification (confirming sensitive actions with the user, captcha-style) can mitigate this to some extent.
e. Cross-site scripting (XSS): proxy requests
Older browsers let script issue proxy requests through XMLHttpRequest: an attacker could set up a proxy, have the full set of local cookies sent to the proxy server, and forward them from there to the origin server. Naturally this was banned quickly.
f. Cross-site request forgery (CSRF)
In CSRF the attacker embeds a forged request URL in an image or other static resource. This is very cheap to do, and such a resource spreads widely.
For example, suppose the Qzone address for changing a signature is http://qzone.qq.com/cgi-bin/modify?nick=123
The attacker posts it as an image on many forums or blogs, and large numbers of people perform the operation without knowing.
Seven, Cookie shortcomings and deficiencies
a) The most discussed issue is privacy.
b) Cookies introduce a variety of security problems.
c) They depart from the REST architectural style.
d) State can become inconsistent, for example a stale cookie on the client that never gets reset.
e) Excessive use wastes bandwidth, since every HTTP request carries the cookies.
References:
https://blog.csdn.net/wang_gongzi/article/details/82733424
https://blog.csdn.net/u014753892/article/details/52821268
https://blog.csdn.net/zhangquan_zone/article/details/77627899