http协议之cookie标准RFC6265介绍
cookie是现代web系统开发中非常重要的一个技术,最近对cookie标准RFC6265进行了了解,从中选取了部分内容。
1.cookie的主要作用
因为HTTP协议是无状态的,对于一个浏览器发出的多次请求,WEB服务器无法区分是不是来源于同一个浏览器。所以,需要额外的数据用于维护会话。 Cookie 正是这样的一段随HTTP请求一起被传递的额外数据。
2.cookie的主要作用
除了name、value这两个必备属性外,还有下面几个可选属性(这些属性名都是大小写不敏感的,并且只要设置了浏览器是必须处理的),分别控制cookie的生存周期、可见性、安全性。
2.1) expires:绝对过期时间
如果这个属性的值不能被转换为日期,客户端会忽略该属性。当同一个cookie两次请求的expires值不相同时,新的 可能 会替换旧的。
If the attribute-value failed to parse as a cookie date, ignore the cookie-av.
If the expiry-time is later than the last date the user agent can represent, the user agent MAY replace the expiry-time with the last representable date.
If the expiry-time is earlier than the earliest date the user agent can represent, the user agent MAY replace the expiry-time with the earliest representable date
2.2)Max-Age:相对过期时间,以秒为单位。如果该属性的值不是数字,客户端将不做处理。
If the first character of the attribute-value is not a DIGIT or a "-" character, ignore the cookie-av.
If the remainder of attribute-value contains a non-DIGIT character, ignore the cookie-av.
If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. Otherwise, let the expiry-time be the current date and time plus delta-seconds seconds.
Max-age和expires这两个属性控制cookie生命周期。 如果两个都设置了,以Max-Age为准。 默认情况下,cookie是暂时存在的,他们存储的值只在浏览器会话期间存在。当浏览器推出后,这些值也就丢失了.
If a cookie has neither the Max-Age nor the Expires attribute, the user agent will retain the cookie until "the current session is over" (as defined by the user agent)。
2.3)path:指定了与cookie关联在一起的网页,默认情况下,cookie会和创建它的网页以及与这个网页处于同一个目录下的网页和处于该目录的子目录下的网页关联,同时不能用这个属性来确定安全性
The scope of each cookie is limited to a set of paths, controlled by the Path attribute. If the server omits the Path attribute, the user agent will use the "directory" of the request-uri’s path component as the default value.
The user agent will include the cookie in an HTTP request only if the path portion of the request-uri matches (or is a subdirectory of) the cookie’s Path attribute, where the %x2F ("/") character is interpreted as a directory separator.
Although seemingly useful for isolating cookies between different paths within a given host,the Path attribute cannot be relied upon for security
2.4)domain:如果没有设置cookie的domain值,该属性的默认值就是创建cookie的网页所在的服务器的主机名
If the server omits the Domain attribute, the user agent will return the cookie only to the origin server。但不能将一个cookie的域设置成服务器所在的域之外的域
The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com". NOTE: For security reasons, many user agents are configured to reject Domain attributes that correspond to "public suffixes". For example, some user agents will reject Domain attributes of "com" or "co.uk".
When a user agent receives a Set-Cookie header field in an HTTP response, the user agent MAY ignore the Set-Cookie header field in its entirety. For example, the user agent might wish to block responses to "third-party" requests from setting cookies。
2.5)secure:它指定了在网络上如何传输cookie值。默认情况下,cookie是不安全的,也就是说,他们是通过一个普通的、不安全的http链接传输的。但是如果将cookie标记为安全的,那么它将只在浏览器和服务器通过https或其他安全协议链接是才被传输。这个属性只能保证cookie是保密的。
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)
2.6)HttpOnly:设为true后,只能通过http访问,不能通过document.cookie获取设定为httponly的键值,防止xss读取cookie。
httpOnly属性和secure是独立的,一个cookie可以同时设置这两个属性。
The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts). Note that the HttpOnly attribute is independent of the Secure attribute: a cookie can have both the HttpOnly and the Secure attribute.
2.7)cookie属性其他相关内容
User agents ignore unrecognized cookie attributes (but not the entire cookie).
To maximize compatibility with user agents, servers that wish to store arbitrary data in a cookie-value SHOULD encode that data, for example, using Base64 [RFC4648].
To maximize compatibility with user agents, servers SHOULD NOT produce two attributes with the same name in the same set-cookie-string.
If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie. Notice that servers can delete cookies by sending the user agent a new cookie with an Expires attribute with a value in the past.
3.cookie值在何处设置
通常cookie值是在服务端设置,但也可以通过js在客户端设置,另外
3.1)编码方式(Java中的httpclient包)的http请求可以直接在请求头上加入cookie;
3.2)iOS的UIWebview可以在loadRequest构造带cookie的reqeust;
3.3)Android的Webview可以通过CookieManager来设置cookie;
4.cookie如何传输及规则
4.1服务端—》客户端
通过http的response头,会将服务端设置的所有的cookie都发送到客户端,发送的内容是cookie的name、value及已设置的全部属性
4.2cookie属性其他相关内容
通过http的request头,浏览器也不是发送它所接收到的所有Cookie,它会检查当前要请求的域名以及目录, 只要这二项目与Cookie对应的Domain和Path匹配,才会发送。对于Domain则是按照尾部匹配的原则进行的。发送的内容只有name和value,其他的属性是不发送的。
Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-name and cookie-value the user agent received in the Set-Cookie header.
Notice that the cookie attributes are not returned.
因而当客户端发送两个同名的cookie时,服务端是无法区分这两个cookie的归属。
Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header.
5.cookie是否可以被截获
有两种方法可以截获他人的cookie,
5.1). 通过XSS脚步攻击, 获取他人的cookie
5.2.) 想办法获取别人电脑上保存的cookie文件(这个比较难)
6.cookie是否可以被非法修改
可以通过一些插件(如edit this cookie)或者其他技术手段进行修改。Secure属性也有其局限性。
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity
相关推荐
综上所述,HTTP协议通过RFC文档进行标准化,其发展历程从HTTP/1.0到HTTP/1.1,逐步完善了网络通信的各个方面,为互联网的应用提供了坚实的基础。通过阅读这些RFC文档,可以深入了解HTTP协议的工作原理和细节,对理解...
RFC959是FTP协议的官方标准文档,它定义了FTP的命令和响应格式、连接管理、数据传输机制以及用户认证方式等。FTP支持两种工作模式:主动模式和被动模式。主动模式下,客户端首先建立控制连接,然后服务器主动建立...
HTTP(Hypertext Transfer Protocol)超文本传输协议是互联网上应用最为广泛的一种网络协议,它定义了客户端(通常是Web浏览器)和服务器之间如何交换数据的标准。RFC2616是HTTP/1.1版本的官方规范,由互联网工程...
HTTP(Hypertext Transfer Protocol)...总之,HTTP协议RFC2616是理解Web工作原理的基础,它定义了一套标准,使得Web服务能够高效、可靠地运行。无论是开发Web应用,还是进行网络编程,对RFC2616的理解都是至关重要的。
此文档定义了超文本传输协议HTTP/1.1的标准规范,作为对先前版本RFC2068的更新与补充,旨在为互联网社区提供一套统一的应用层协议标准。 HTTP/1.1协议的设计初衷是为了满足分布式、协作式和超媒体信息系统的需求,...
3. **首部字段**:HTTP协议中的请求和响应都包含首部字段,这些字段提供了关于请求或响应的附加信息,如Content-Type(指定实体内容的MIME类型)、Accept(客户端可以接受的媒体类型)、Cookie(用于会话管理)等。...
### HTTP协议1.1 RFC2616中文说明知识点概览 #### 1. 引言 **1.1 目的** 超文本传输协议(HTTP)作为一种应用层协议,最初设计目的是为了支持分布式、协作式的超媒体信息系统。HTTP/1.1作为其最新的版本,在1990年...
HTTP协议的发展经历了多个版本,其中HTTP/1.1是最为广泛使用的版本,由RFC 2616标准文档定义。在讲解知识点前,需明确几个术语:RFC(Request For Comments)是互联网技术文档的一系列编号,用来记录互联网相关技术...
超文本传输协议(HyperText Transfer Protocol, HTTP)是一个面向应用层的标准协议,旨在支持分布式、协作式、超媒体信息系统。HTTP自1990年万维网(World Wide Web, WWW)兴起以来便开始广泛应用。最初的HTTP/0.9...
RFC 2109是互联网工程任务组(IETF)网络工作小组发布的...虽然随着时间的推移,RFC 2109已被RFC 6265所取代,后者提供了更为现代和安全的Cookie管理机制,但RFC 2109作为早期的标准,为Web状态管理奠定了重要的基础。
《超文本传输协议(HTTP/1.1)》作为互联网领域的一项重要标准,由IETF(Internet Engineering Task Force,互联网工程任务组)发布,编号为RFC2616,于1999年6月正式发布。这份文档是由R. Fielding等人共同编写的,...
在互联网技术领域,HTTP(超文本传输协议)是Web应用的基础,而RFC2616文档则是定义HTTP/1.1协议标准的重要文献。本文旨在通过对《rfc2616中文翻译完全版本》的分析,揭示HTTP/1.1协议的关键概念、架构与运作机制,...
首先,RFC(Request for Comments)是互联网工程任务组(IETF)发布的技术规范,用于记录和传播互联网相关的协议、标准和技术建议。在给定的压缩包中,"rfc2616.pdf"即是HTTP/1.1协议的官方RFC文档,而"2616zh_...
这个标准协议文档,"Http RFC1945中文版.pdf",详细阐述了HTTP 1.0的规范,它是由加州大学伯克利分校、麻省理工学院以及微软的专家们共同制定的,其权威性和实用性不言而喻。 HTTP 1.0是HTTP协议的第一个正式版本,...
HTTP 1.1 RFC2096 是互联网标准组织IETF发布的HTTP协议版本1.1的一个规范,全称为“Hypertext Transfer Protocol -- HTTP/1.1”。此规范定义了HTTP协议的工作方式、请求和响应的格式以及各种HTTP头字段的使用等。...