`
wuhua
  • 浏览: 2115869 次
  • 性别: Icon_minigender_1
  • 来自: 广州
社区版块
存档分类
最新评论

Cookie 规范

    博客分类:
  • J2ME
阅读更多

INTRODUCTION
Cookies are a general mechanism which server side connections (such as CGI scripts) can use to both store and retrieve information on the client side of the connection. The addition of a simple, persistent, client-side state significantly extends the capabilities of Web-based client/server applications.

OVERVIEW
A server, when returning an HTTP object to a client, may also send a piece of state information which the client will store. Included in that state object is a description of the range of URLs for which that state is valid. Any future HTTP requests made by the client which fall in that range will include a transmittal of the current value of the state object from the client back to the server. The state object is called a cookie, for no compelling reason.
This simple mechanism provides a powerful new tool which enables a host of new types of applications to be written for web-based environments. Shopping applications can now store information about the currently selected items, for fee services can send back registration information and free the client from retyping a user-id on next connection, sites can store per-user preferences on the client, and have the client supply those preferences every time that site is connected to.

SPECIFICATION
A cookie is introduced to the client by including a Set-Cookie header as part of an HTTP response, typically this will be generated by a CGI script.
Syntax of the Set-Cookie HTTP Response Header
This is the format a CGI script would use to add to the HTTP headers a new piece of data which is to be stored by the client for later retrieval.
Set-Cookie: NAME=VALUE; expires=DATE;
path=PATH; domain=DOMAIN_NAME; secure

NAME=VALUE
This string is a sequence of characters excluding semi-colon, comma and white space. If there is a need to place such data in the name or value, some encoding method such as URL style %XX encoding is recommended, though no encoding is defined or required.
This is the only required attribute on the Set-Cookie header.


expires=DATE
The expires attribute specifies a date string that defines the valid life time of that cookie. Once the expiration date has been reached, the cookie will no longer be stored or given out.
The date string is formatted as:

Wdy, DD-Mon-YYYY HH:MM:SS GMT
This is based on RFC 822, RFC 850, RFC 1036, and RFC 1123, with the variations that the only legal time zone is GMT and the separators between the elements of the date must be dashes.
expires is an optional attribute. If not specified, the cookie will expire when the user's session ends.

Note: There is a bug in Netscape Navigator version 1.1 and earlier. Only cookies whose path attribute is set explicitly to "/" will be properly saved between sessions if they have an expires attribute.


domain=DOMAIN_NAME
When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com".
Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

The default value of domain is the host name of the server which generated the cookie response.


path=PATH
The path attribute is used to specify the subset of URLs in a domain for which the cookie is valid. If a cookie has already passed domain matching, then the pathname component of the URL is compared with the path attribute, and if there is a match, the cookie is considered valid and is sent along with the URL request. The path "/foo" would match "/foobar" and "/foo/bar.html". The path "/" is the most general path.
If the path is not specified, it as assumed to be the same path as the document being described by the header which contains the cookie.


secure
If a cookie is marked secure, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers.
If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels.

Syntax of the Cookie HTTP Request Header
When requesting a URL from an HTTP server, the browser will match the URL against all cookies and if any of them match, a line containing the name/value pairs of all matching cookies will be included in the HTTP request. Here is the format of that line:
Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...

Additional Notes
Multiple Set-Cookie headers can be issued in a single server response.

Instances of the same path and name will overwrite each other, with the latest instance taking precedence. Instances of the same path but different names will add additional mappings.

Setting the path to a higher-level value does not override other more specific path mappings. If there are multiple matches for a given cookie name, but with separate paths, all the matching cookies will be sent. (See examples below.)

The expires header lets the client know when it is safe to purge the mapping but the client is not required to do so. A client may also delete a cookie before it's expiration date arrives if the number of cookies exceeds its internal limits.

When sending cookies to a server, all cookies with a more specific path mapping should be sent before cookies with less specific path mappings. For example, a cookie "name1=foo" with a path mapping of "/" should be sent after a cookie "name1=foo2" with a path mapping of "/bar" if they are both to be sent.

There are limitations on the number of cookies that a client can store at any one time. This is a specification of the minimum number of cookies that a client should be prepared to receive and store.
300 total cookies
4 kilobytes per cookie, where the name and the OPAQUE_STRING combine to form the 4 kilobyte limit.
20 cookies per server or domain. (note that completely specified hosts and domains are treated as separate entities and have a 20 cookie limitation for each, not combined)
Servers should not expect clients to be able to exceed these limits. When the 300 cookie limit or the 20 cookie per server limit is exceeded, clients should delete the least recently used cookie. When a cookie larger than 4 kilobytes is encountered the cookie should be trimmed to fit, but the name should remain intact as long as it is less than 4 kilobytes.

If a CGI script wishes to delete a cookie, it can do so by returning a cookie with the same name, and an expires time which is in the past. The path and name must match exactly in order for the expiring cookie to replace the valid cookie. This requirement makes it difficult for anyone but the originator of a cookie to delete a cookie.

When caching HTTP, as a proxy server might do, the Set-cookie response header should never be cached.

If a proxy server receives a response which contains a Set-cookie header, it should propagate the Set-cookie header to the client, regardless of whether the response was 304 (Not Modified) or 200 (OK).
Similarly, if a client request contains a Cookie: header, it should be forwarded through a proxy, even if the conditional If-modified-since request is being made.

EXAMPLES
Here are some sample exchanges which are designed to illustrate the use of cookies.
First Example transaction sequence:
Client requests a document, and receives in the response:
Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT
When client requests a URL in path "/" on this server, it sends:
Cookie: CUSTOMER=WILE_E_COYOTE
Client requests a document, and receives in the response:
Set-Cookie: PART_NUMBER=ROCKET_LAUNCHER_0001; path=/
When client requests a URL in path "/" on this server, it sends:
Cookie: CUSTOMER=WILE_E_COYOTE; PART_NUMBER=ROCKET_LAUNCHER_0001
Client receives:
Set-Cookie: SHIPPING=FEDEX; path=/foo
When client requests a URL in path "/" on this server, it sends:
Cookie: CUSTOMER=WILE_E_COYOTE; PART_NUMBER=ROCKET_LAUNCHER_0001
When client requests a URL in path "/foo" on this server, it sends:
Cookie: CUSTOMER=WILE_E_COYOTE; PART_NUMBER=ROCKET_LAUNCHER_0001; SHIPPING=FEDEX
Second Example transaction sequence:
Assume all mappings from above have been cleared.

Client receives:
Set-Cookie: PART_NUMBER=ROCKET_LAUNCHER_0001; path=/
When client requests a URL in path "/" on this server, it sends:
Cookie: PART_NUMBER=ROCKET_LAUNCHER_0001
Client receives:
Set-Cookie: PART_NUMBER=RIDING_ROCKET_0023; path=/ammo
When client requests a URL in path "/ammo" on this server, it sends:
Cookie: PART_NUMBER=RIDING_ROCKET_0023; PART_NUMBER=ROCKET_LAUNCHER_0001
NOTE: There are two name/value pairs named "PART_NUMBER" due to the inheritance of the "/" mapping in addition to the "/ammo" mapping.

分享到:
评论
1 楼 longzy 2009-06-18  
建议以后贴翻译或者自己的解释。-_-

相关推荐

    COOKIE 规范COOKIE 规范

    ajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajaxajax

    cookie 详解

    - **解释**:根据Cookie规范,浏览器只会将特定域名下的Cookie发送回该域名的服务器。这意味着,当用户访问Google时,只会携带Google颁发的Cookie;同样地,访问Baidu时,只会携带Baidu颁发的Cookie。 - **安全性和...

    Cookie详解[定义].pdf

    - **RFC2109**:W3C发布的第一个官方Cookie规范,但过于严格,导致一些服务器不完全遵循或使用Netscape草案。 - **RFC2965**:定义了Cookie版本2,改进了RFC2109,但实际应用并不广泛。 6. **兼容性和安全性**: ...

    discuz与java通过cookie共享登陆

    2. **创建共同的Cookie标准**:定义一套共同的Cookie规范,包括Cookie的名字、过期时间、安全属性等,确保两个系统都能识别和处理。 3. **在Discuz登录成功后,将登录信息编码成Cookie**:当用户在Discuz成功登录后...

    cookie原理解析

    根据 Cookie 规范,浏览器访问 Google 只会携带 Google 的 Cookie,而不会携带 Baidu 的 Cookie。Google 也只能操作 Google 的 Cookie,而不能操作 Baidu 的 Cookie。这是为了保证用户的隐私安全。浏览器判断一个...

    移动梦网wapye业务规范

    2.6 CACHE与COOKIE规范:规定了如何处理缓存和Cookie,以避免过时信息的传播和隐私泄露问题。 第三章 业务内容规范 3.1 内容来源:明确了内容必须来自合法授权的源头,确保版权合规。 - 其他内容规范包括但不限于:...

    java http 操作cookies

    `CookieSpecRegistry`和`CookieSpecs`允许自定义Cookie规范。 在实际开发中,还需要注意Cookie的安全性和隐私问题,如限制Cookie的传输范围,避免敏感信息泄露,以及遵循欧盟的Cookie法规等。 总之,Java提供了...

    网上搜集的各种关于java技术的文章

    这个压缩包包含了多个与Java技术相关的文章,包括对J2EE的理解、基础类型如int和String的互转方法、CORBA技术的实例以及Web开发中的Cookie规范和EJB(Enterprise JavaBeans)内部资源的介绍。 1. J2EE技术:J2EE...

    7、会话跟踪技术.doc

    2. **Cookie规范** - **大小限制**:每个Cookie的大小不能超过4KB。 - **数量限制**:一个服务器在客户端最多可存储20个Cookie,而一个浏览器最多能存储300个Cookie。 - **浏览器间不共享**:不同浏览器各自保存...

    cookie接口 实现本地或客户端的cookie的创建和读取

    在提供的压缩包文件`cookies`中,可能包含了一个接口(定义了Cookie操作的规范),一个实现类(实现了接口中的方法),以及一个测试类(用于测试接口和实现类的功能)。通过查看和运行这些代码,你可以更深入地理解...

    httpclient-tutorial

    - Cookie规范:Cookie操作的规范说明。 - HTTP Cookie和状态管理参数:配置管理HTTP状态的参数。 - Cookie规范注册表:注册特定的Cookie处理规则。 - 选择Cookie策略:根据需求选择合适的Cookie处理策略。 - ...

    HttpClient 4.0中文教程

    - **Cookie版本**: 支持不同版本的Cookie规范,如Version 0、Version 1等。 - **Cookie规范**: 规定了Cookie的生命周期、作用域等属性。 - **状态管理参数**: 可以设置与状态管理相关的参数,如Cookie的存储位置等。...

    httpclient4中文文档

    - Cookie规范: 描述了Cookie的工作原理及其使用规则。 - Cookie持久化: 如何存储和读取Cookie信息。 **3.2 Cookie规范** - Cookie规范的具体细节及其对HTTP状态管理的影响。 **3.3 HTTPcookie和状态管理参数** -...

    httpclient-tutorial.pdf

    Cookie规范:涉及Cookie的详细规格说明。 3.3. HTTP Cookie和状态管理参数:介绍如何管理HTTP Cookie以及与状态管理相关的参数。 3.4. Cookie规范注册:介绍如何注册Cookie规范。 3.5. Cookie策略选择:讲解如何...

    jsp中cookie操作

    根据Netscape制定的规范,Cookie分为两个版本: - **版本0**:这是最初的版本,大多数浏览器都支持。Java只支持版本0的Cookie,不支持版本1。 - **版本1**:基于RFC 2109的标准,与版本0相比有较多改进,但在实际...

    c#封装的cookie操作类

    以上就是关于"C#封装的cookie操作类"的相关知识点,通过这样的封装,可以使得Web应用程序对Cookie的管理和使用更加便捷、规范,提高代码的可复用性和可维护性。在实际项目中,还可以根据需求扩展更多功能,如删除...

    js读写(删除)Cookie实例详解

    该函数首先创建一个Date对象,并设置为当前时间加上Days天数后的时间点,然后通过构造一个符合Cookie规范的字符串,并赋值给document.cookie来完成设置。 其次,读取Cookie相对复杂一些,因为document.cookie只返回...

    httpclient-tutorial-simplified-chinese

    **3.4 Cookie 规范注册表**:管理不同版本的Cookie规范。 **3.5 选择 cookie 策略**:决定客户端如何处理Cookie。 **3.6 定制 cookie 策略**:允许开发者定义自己的Cookie处理逻辑。 **3.7 Cookie 持久化**:将...

    cookie机制

    - **version**:Cookie使用的版本号,0代表Netscape规范,1代表W3C规范。 ### Cookie的有效期 Cookie的有效期由`maxAge`属性定义,它可以设置为一个正数、负数或零: - **正数**:表示Cookie在`maxAge`秒之后失效...

Global site tag (gtag.js) - Google Analytics