zoukankan      html  css  js  c++  java
  • Using HTTP cookies

    Using HTTP cookies

       An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it is used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

    Cookies are mainly used for three purposes:

    Session management

    Logins, shopping carts, game scores, or anything else the server should remember

    Personalization

    User preferences, themes, and other settings

    Tracking

    Recording and analyzing user behavior

    Cookies were once used for general client-side storage. While this was legitimate when they were the only way to store data on the client, it is now recommended to use modern storage APIs. Cookies are sent with every request, so they can worsen performance (especially for mobile data connections). Modern APIs for client storage are the Web Storage API (localStorage and sessionStorage) and IndexedDB.

    Note: To see stored cookies (and other storage that a web page can use), you can enable the Storage Inspector in Developer Tools and select Cookies from the storage tree.

    Restrict access to cookies

    There are a couple of ways to ensure that cookies are sent securely and are not accessed by unintended parties or scripts: the Secure attribute and the HttpOnly attribute.

    A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost), and therefore can't easily be accessed by a man-in-the-middle attacker. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute. However, do not assume that Secure prevents all access to sensitive information in cookies; for example, it can be read and modified by someone with access to the client's hard disk (or JavaScript if the HttpOnly attribute is not set).

    A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is sent only to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.

    Here is an example:

    Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
    

    127.0.0.1和localhost都不会受到secure的影响,但是局域网ip是会受到影响,比如172.16.210.99。服务器不会通过http下发secure的cookie。

     但是微软的FormsAuthentication,对localhost和127.0.0.1有点特殊,虽然cookie正常下发。在request的时候,也会附带上forms authentication的cookie,但是asp.net本身不会去解析对应的cookie.

  • 相关阅读:
    1107 Social Clusters (30)
    1066 Root of AVL Tree (25)
    1099 Build A Binary Search Tree (30)
    1064 Complete Binary Search Tree (30)
    1043 Is It a Binary Search Tree (25)
    Hadoop学习总结(1)——大数据以及Hadoop相关概念介绍
    MyBatis学习总结(10)——批量操作
    MyBatis学习总结(10)——批量操作
    Java基础学习总结(23)——GUI编程
    Java基础学习总结(23)——GUI编程
  • 原文地址:https://www.cnblogs.com/chucklu/p/15237653.html
Copyright © 2011-2022 走看看