Cookie 浅谈

随记Cookie

先看源码

/**
 *
 * Creates a cookie, a small amount of information sent by a servlet to 
 * a Web browser, saved by the browser, and later sent back to the server.
 * A cookie's value can uniquely 
 * identify a client, so cookies are commonly used for session management.
 * 
 * <p>A cookie has a name, a single value, and optional attributes
 * such as a comment, path and domain qualifiers, a maximum age, and a
 * version number. Some Web browsers have bugs in how they handle the 
 * optional attributes, so use them sparingly to improve the interoperability 
 * of your servlets.
 *
 * <p>The servlet sends cookies to the browser by using the
 * {@link HttpServletResponse#addCookie} method, which adds
 * fields to HTTP response headers to send cookies to the 
 * browser, one at a time. The browser is expected to 
 * support 20 cookies for each Web server, 300 cookies total, and
 * may limit cookie size to 4 KB each.
 * 
 * <p>The browser returns cookies to the servlet by adding 
 * fields to HTTP request headers. Cookies can be retrieved
 * from a request by using the {@link HttpServletRequest#getCookies} method.
 * Several cookies might have the same name but different path attributes.
 * 
 * <p>Cookies affect the caching of the Web pages that use them. 
 * HTTP 1.0 does not cache pages that use cookies created with
 * this class. This class does not support the cache control
 * defined with HTTP 1.1.
 *
 * <p>This class supports both the Version 0 (by Netscape) and Version 1 
 * (by RFC 2109) cookie specifications. By default, cookies are
 * created using Version 0 to ensure the best interoperability.
 *
 *
 * @author	Various
 */

// XXX would implement java.io.Serializable too, but can't do that
// so long as sun.servlet.* must run on older JDK 1.02 JVMs which
// don't include that support.

public class Cookie implements Cloneable {

    private static final String LSTRING_FILE =
	"javax.servlet.http.LocalStrings";
    private static ResourceBundle lStrings =
	ResourceBundle.getBundle(LSTRING_FILE);
    
    //
    // The value of the cookie itself.
    //
    
    private String name;	// NAME= ... "$Name" style is reserved
    private String value;	// value of NAME

    //
    // Attributes encoded in the header's cookie fields.
    //
    
    private String comment;	// ;Comment=VALUE ... describes cookie's use
				// ;Discard ... implied by maxAge < 0
    private String domain;	// ;Domain=VALUE ... domain that sees cookie
    private int maxAge = -1;	// ;Max-Age=VALUE ... cookies auto-expire
    private String path;	// ;Path=VALUE ... URLs that see the cookie
    private boolean secure;	// ;Secure ... e.g. use SSL
    private int version = 0;	// ;Version=1 ... means RFC 2109++ style
    
    

第一 与Session的比较
十年前还单机处理业务，集群还不多的时候，Session用的还比较多，现在随便个服务都集群部署，考虑到多节点内存同步，都不太使用session。http是无状态的，保留用户信息用，采用session会话。网上资料太多，不再赘述。

第二 API
太简单，不再赘述

第二 属性信息
属性：name value
有人把cookie理解成map，name 相当key， value 相当 map里的value.
但本身Cookie是个数组。是个Cookie[]
所以这个key是可以重复的。但又经常把cookie当成map使用，所以建议把cookie操作封装下。

属性 comment
就是存储key value 的描述。没什么特别的。

属性 maxAge
cookie的生命周期，默认-1,即关闭浏览器，cookie失效。
单位是??，大于零，即使cookie关闭，cookie依然生效。

属性 version
int ASSIC 数值，准照RFC 标准。
RFC文件是纯ASCII文字档格式
RFC https://zh.wikipedia.org/wiki/RFC#RFC.E6.96.87.E4.BB.B6.E7.9A.84.E6.9E.B6.E6.A7.8B

属性 path
不瞎逼逼了，附上源码描述把
  

  * Specifies a path for the cookie
     * to which the client should return the cookie.
     *
     * <p>The cookie is visible to all the pages in the directory
     * you specify, and all the pages in that directory's subdirectories. 
     * A cookie's path must include the servlet that set the cookie,
     * for example, <i>/catalog</i>, which makes the cookie
     * visible to all directories on the server under <i>/catalog</i>.
     *
     * <p>Consult RFC 2109 (available on the Internet) for more
     * information on setting path names for cookies.

最后讲的属性 domain
参考文档：http://blog.csdn.net/alexxu1988/article/details/47805205

     * Specifies the domain within which this cookie should be presented.
     *
     * <p>The form of the domain name is specified by RFC 2109. A domain
     * name begins with a dot (<code>.foo.com</code>) and means that
     * the cookie is visible to servers in a specified Domain Name System
     * (DNS) zone (for example, <code>www.foo.com</code>, but not 
     * <code>a.b.foo.com</code>). By default, cookies are only returned
     * to the server that sent them.

domain的知识点比较多。

最后一点
cookie 是不安全的
cookie是可以篡改，模拟的。因为是在客户端，之前我本地模拟了A站点的cookie, 用这个cookie是可以直接供真正的A站点使用的。那为什么还要用cookie.方便呀。
建议cookie存放的信息不是敏感信息，像密码这类东西就不要考虑放到cookie.存放的token 后台也要加个校验。cookie攻击的技术门槛是很低的。