http協議之cookie標準RFC6265介紹

時間 2019-12-06

標籤 http 協議 cookie 標準 rfc6265 rfc 介紹欄目 HTTP/TCP 简体版

原文原文鏈接

cookie是現代web系統開發中很是重要的一個技術，最近對cookie標準RFC6265進行了瞭解，從中選取了部份內容。html

1.cookie的主要做用

由於HTTP協議是無狀態的，對於一個瀏覽器發出的屢次請求，WEB服務器沒法區分是否是來源於同一個瀏覽器。因此，須要額外的數據用於維護會話。 Cookie 正是這樣的一段隨HTTP請求一塊兒被傳遞的額外數據。java

2.cookie的主要做用

除了name、value這兩個必備屬性外，還有下面幾個可選屬性（這些屬性名都是大小寫不敏感的,而且只要設置了瀏覽器是必須處理的），分別控制cookie的生存週期、可見性、安全性。web

2.1） expires：絕對過時時間

若是這個屬性的值不能被轉換爲日期，客戶端會忽略該屬性。當同一個cookie兩次請求的expires值不相同時，新的可能會替換舊的。
If the attribute-value failed to parse as a cookie date, ignore the cookie-av.
If the expiry-time is later than the last date the user agent can represent, the user agent MAY replace the expiry-time with the last representable date.
If the expiry-time is earlier than the earliest date the user agent can represent, the user agent MAY replace the expiry-time with the earliest representable date瀏覽器

2.2）Max-Age：相對過時時間,以秒爲單位。若是該屬性的值不是數字，客戶端將不作處理。

If the first character of the attribute-value is not a DIGIT or a "-" character, ignore the cookie-av.
If the remainder of attribute-value contains a non-DIGIT character, ignore the cookie-av.
If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. Otherwise, let the expiry-time be the current date and time plus delta-seconds seconds.安全

Max-age和expires這兩個屬性控制cookie生命週期。若是兩個都設置了，以Max-Age爲準。 默認狀況下，cookie是暫時存在的，他們存儲的值只在瀏覽器會話期間存在。當瀏覽器推出後，這些值也就丟失了.
If a cookie has neither the Max-Age nor the Expires attribute, the user agent will retain the cookie until "the current session is over" (as defined by the user agent)。服務器

2.3）path：指定了與cookie關聯在一塊兒的網頁，默認狀況下，cookie會和建立它的網頁以及與這個網頁處於同一個目錄下的網頁和處於該目錄的子目錄下的網頁關聯，同時不能用這個屬性來肯定安全性

The scope of each cookie is limited to a set of paths, controlled by the Path attribute. If the server omits the Path attribute, the user agent will use the "directory" of the request-uri’s path component as the default value.
The user agent will include the cookie in an HTTP request only if the path portion of the request-uri matches (or is a subdirectory of) the cookie’s Path attribute, where the %x2F ("/") character is interpreted as a directory separator.
Although seemingly useful for isolating cookies between different paths within a given host,the Path attribute cannot be relied upon for securitycookie

2.4）domain：若是沒有設置cookie的domain值，該屬性的默認值就是建立cookie的網頁所在的服務器的主機名

If the server omits the Domain attribute, the user agent will return the cookie only to the origin server。但不能將一個cookie的域設置成服務器所在的域以外的域
The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com". NOTE: For security reasons, many user agents are configured to reject Domain attributes that correspond to "public suffixes". For example, some user agents will reject Domain attributes of "com" or "co.uk".
When a user agent receives a Set-Cookie header field in an HTTP response, the user agent MAY ignore the Set-Cookie header field in its entirety. For example, the user agent might wish to block responses to "third-party" requests from setting cookies。網絡

2.5）secure：它指定了在網絡上如何傳輸cookie值。默認狀況下，cookie是不安全的，也就是說，他們是經過一個普通的、不安全的http連接傳輸的。可是若是將cookie標記爲安全的，那麼它將只在瀏覽器和服務器經過https或其餘安全協議連接是才被傳輸。這個屬性只能保證cookie是保密的。

The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)session

2.6）HttpOnly：設爲true後，只能經過http訪問，不能經過document.cookie獲取設定爲httponly的鍵值,防止xss讀取cookie。

httpOnly屬性和secure是獨立的，一個cookie能夠同時設置這兩個屬性。
The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts). Note that the HttpOnly attribute is independent of the Secure attribute: a cookie can have both the HttpOnly and the Secure attribute.app

2.7）cookie屬性其餘相關內容

User agents ignore unrecognized cookie attributes (but not the entire cookie).
To maximize compatibility with user agents, servers that wish to store arbitrary data in a cookie-value SHOULD encode that data, for example, using Base64 [RFC4648].
To maximize compatibility with user agents, servers SHOULD NOT produce two attributes with the same name in the same set-cookie-string.
If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie. Notice that servers can delete cookies by sending the user agent a new cookie with an Expires attribute with a value in the past.

3.cookie值在何處設置

一般cookie值是在服務端設置，但也能夠經過js在客戶端設置，另外
3.1）編碼方式（Java中的httpclient包）的http請求能夠直接在請求頭上加入cookie；
3.2）iOS的UIWebview能夠在loadRequest構造帶cookie的reqeust；
3.3）Android的Webview能夠經過CookieManager來設置cookie；

4.cookie如何傳輸及規則

4.1服務端—》客戶端

經過http的response頭，會將服務端設置的全部的cookie都發送到客戶端，發送的內容是cookie的name、value及已設置的所有屬性

4.2cookie屬性其餘相關內容

經過http的request頭，瀏覽器也不是發送它所接收到的全部Cookie，它會檢查當前要請求的域名以及目錄，只要這二項目與Cookie對應的Domain和Path匹配，纔會發送。對於Domain則是按照尾部匹配的原則進行的。發送的內容只有name和value，其餘的屬性是不發送的。
Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-name and cookie-value the user agent received in the Set-Cookie header.
Notice that the cookie attributes are not returned.
於是當客戶端發送兩個同名的cookie時，服務端是沒法區分這兩個cookie的歸屬。
Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header.

5.cookie是否能夠被截獲

有兩種方法能夠截獲他人的cookie，
5.1）. 經過XSS腳步攻擊，獲取他人的cookie
5.2.）想辦法獲取別人電腦上保存的cookie文件（這個比較難）

6.cookie是否能夠被非法修改

能夠經過一些插件（如edit this cookie）或者其餘技術手段進行修改。Secure屬性也有其侷限性。
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity