3.1 Introduction
Whether you're a programmer or just a web user looking for answers, a big part of understanding cookies is to go into the gory details. This section does just that.
3.2 How does a cookie really work?
Understanding how cookies really work requires an understanding of how HTTP works. Cookies travel from server to client and back as an HTTP header. (Cookies are small pieces of text that the server hands to the client; on later visits to the same site, the browser sends that data back to the server in the HTTP request headers.) The specifications for this header are explicitly laid out in RFC 2109.
When a cookie is sent from the server to the browser, an additional line is added to the HTTP headers (example):
Content-type: text/html
Set-Cookie: foo=bar; path=/; expires=Mon, 09-Dec-2002 13:46:00 GMT
This header entry would result in a cookie named foo. The value of foo is bar. In addition, this cookie has a path of /, meaning that it is valid for the entire site, and it has an expiration date of Dec 9, 2002 at 1:46pm Greenwich Mean Time (or Universal Time). Provided the browser can understand this header, the cookie will be set. (Once the browser receives the Set-Cookie "command", it stores the cookie as the protocol prescribes, either in a file or in memory, which may depend on the cookie's lifetime.)
When a cookie is sent from the browser to the server, the cookie header is changed slightly:
Content-type: text/html
Cookie: foo=bar
Here, the server is made aware of a cookie called foo, whose value is bar.
3.3 Breakdown of Cookie Parameters (a walk through each cookie attribute)
As we have just seen, a cookie contains more than simply a name and a value. In fact, a cookie has 6 parameters that can be passed to it (a single cookie item is described by these six pieces of information):
- The name of the cookie (required)
- The value of the cookie (required)
- The expiration date of the cookie (optional; the default of -1 means the cookie is cleared when the browser closes)
- The path the cookie is valid for (used mainly by the browser to manage cookies; it limits the cookie's scope)
- The domain the cookie is valid for (used mainly by the browser to manage cookies: it is how the browser knows, when it visits a URL in some domain, to look in its local cookie store for valid cookies to pass to that server)
(Note: domain plus path do nothing more than restrict and match a cookie's scope. A user visits many sites through one browser, and many of those sites use cookies, so the browser must remember which cookie belongs to which site. Within a single site, path further decides whether a cookie applies to the path currently being visited. For example, if the browser holds a cookie for the domain .google.com, then on a visit to google it first checks its cookie store for that site; if there is a match it should be sent to the server, subject to the further path check of whether the stored cookie applies to the path being requested. Path matching generally follows the longest-match principle. For instance, when we visit http://code.google.com, the domain matches .google.com.)
- The need for a secure connection to exist to use the cookie
Two of these are mandatory (its name and its value). The other four can be set manually or automatically. Each parameter is separated by a semicolon when set explicitly. Here is a detailed description of each.
Name, Value
The name of a cookie and its value are set simply by pairing them together:
... foo=bar ...
The value of a cookie can also be null, for the purpose of clearing the cookie value: (allowing an empty value gives the server a way to clear the cookie on the client; the server can reset a cookie's value)
... foo= ...
Expires
The expires parameter lets you determine the lifetime of the cookie.
... expires=Mon, 01-Jan-2001 00:00:00 GMT ...
If Expires is not set explicitly, then it defaults to end-of-session. (Note: the Servlet API exposes setMaxAge(int seconds); passing -1 means end-of-session, i.e. the browser deletes the cookie from its file when it is closed.) The length of a session can vary depending on browsers and servers, but generally a session is the length of time that the browser is open for (even if the user is no longer at that site). (Note: when the server sends cookie information to the browser, there is nothing the server can do if the browser ignores the protocol and does not store it, or if the user has configured the browser to "reject third-party cookies". For that reason the server side generally uses cookies only for things that improve the user experience, such as personalization; in other words, for a user who is not concerned about privacy, cookies bring only benefits. It is worth mentioning that Tomcat's HttpSession also relies on a cookie, JSESSIONID, so strictly speaking the session mechanism keeps some information on the client as well, although the server keeps far more.)
Path
The path parameter is potentially the most useful of the 4 optional cookie settings. (Although Path is optional, it is the most used of the four optional settings, for a simple reason: cookies originate on the server, and server-side developers like to use Path. If you think of a cookie as an application variable, then path is its namespace and restricts where the cookie name is visible. A cookie with path="/" is like a global variable, because the browser attaches it to every request for any resource on the site; with path="/hello/", the browser attaches it only when requesting the "/hello/" directory and its subdirectories, and not when requesting /advanced/topics/cookie.do.) It sets the URL path the cookie is valid within. Pages outside of that path cannot read or use the cookie. (The word "read" is slightly humorous here, since cookie information is carried from the client to the server; "read" sounds as if the server could pull information straight out of the client. But as long as the client plays by the rules, server-side developers are happy to say "read", because it sounds active.)
... path=/promo ...
If Path is not set explicitly, then it defaults to the URL path of the document creating the cookie. (That is, the path becomes the URL path of the resource that set it.)
Netscape has identified a bug for VERY old versions of Navigator where the path must be specified if an expiration is specified. Furthermore, this path must be set to "/". For more information, browse Netscape's Cookie Spec at: http://www.netscape.com/newsref/std/cookie_spec.html
Domain
The domain parameter takes the flexibility of the path parameter one step further. If a site uses multiple servers within a domain, then it is important to make the cookie accessible to pages on any of these servers.
... domain=www.myserver.com ...
Cookies can be assigned to individual machines, or to an entire Internet domain. The only restriction on this value is that it must contain at least two dots (.myserver.com, not myserver.com) for the normal top-level domains, or three dots for the "extended" domains (.myserver.ny.us, not myserver.ny.us).
IMPORTANT: The server issuing the cookie must be a member of the domain that it tries to set in the cookie. (The server publishing a cookie must itself sit inside that domain; a Baidu machine cannot hand the browser a Google cookie. The message can be sent that way on the wire, but the browser checks it, and it will neither accept nor store such an illegitimate cookie.) That is, a server called www.myserver.com cannot set a cookie for the domain www.yourserver.com. The security implications should be obvious.
If Domain is not set explicitly, then it defaults to the full domain of the document creating the cookie.
Secure
The secure parameter is a flag indicating that a cookie should only be used under a secure server condition, such as SSL. Since most sites do not require secure connections, this defaults to FALSE.
3.4 How do cookies end up on my hard drive?
After a cookie is transmitted through an HTTP header, it is stored in the memory of your browser. This way the information is quickly and readily available without re-transmission. As we have seen, however, it is possible for the lifetime of a cookie to greatly exceed the amount of time the browser will be open. In such cases, the browser must have a way of saving the cookie when you are not browsing, or when your computer is shut off. The only way the browser can do this is to move the cookies from memory onto the hard drive. This way, when you start your browser a few days later, you still have the cookies you had previously.
The browser is constantly performing maintenance on its cookies. (The browser has to manage these cookies.) Every time you open your browser, your cookies are read in from disk, and every time you close your browser, your cookies are re-saved to disk. (Typically the browser loads the cookie information from disk at startup.) As a cookie expires, it is discarded from memory and it is no longer saved to the hard drive.
3.5 What are all those entries in my cookies.txt file?
The layout of Netscape's cookies.txt file is such that each line contains one name-value pair. An example cookies.txt file may have an entry that looks like this:
.netscape.com	TRUE	/	FALSE	946684799	NETSCAPE_ID	100103
Each line represents a single piece of stored information. A tab is inserted between each of the fields. From left to right, here is what each field represents:
domain - The domain that created AND that can read the variable.
flag - A TRUE/FALSE value indicating if all machines within a given domain can access the variable. This value is set automatically by the browser, depending on the value you set for domain.
path - The path within the domain that the variable is valid for.
secure - A TRUE/FALSE value indicating if a secure connection with the domain is needed to access the variable.
expiration - The UNIX time that the variable will expire on. UNIX time is defined as the number of seconds since Jan 1, 1970 00:00:00 GMT. (In Java terms this is simply a long; convert the long into a date.)
name - The name of the variable.
value - The value of the variable.
3.6 Where does MSIE keep its cookies?
Microsoft keeps its cookies in different locations, depending on the version of Explorer and Windows you are using. The best way to find it is to use the Windows "Search" feature and look for the "Cookies" folder.
Although the location may be different, the format is the same. Each individual domain's cookies are stored in their own file (one file per domain), along with the username that accessed the site. For example, if I went to Yahoo.com, I would get a cookie that is stored in the file dwhalen@yahoo.txt. Note that the username is not sent with the cookie (it only identifies which user of this machine the cookie belongs to). See Section 2.10 for more information.
3.7 Are cookies Year 2000 Compliant?
There is no date-specific restriction on the HTTP header used to transmit cookies. In fact, the only determining factor in whether a cookie will be accepted is the programming of the client receiving the cookie. The major browsers do not have an issue with this. Cookies with expiration dates set with 2-digit or 4-digit years are understood properly. Naturally, it's always advisable to use 4-digit years when setting cookies.
Original source: http://www.cookiecentral.com/faq/#3