https://www.zhihu.com/question/35307626

 

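0 - The client (with user information attached) makes its first request to the server ---> the server generates a session (unique), a session_id, and a cookie (which may contain the username, login password, and browsing history), and sets the cookie's lifetime, applicable domain, and the path under that domain

1 - The same client (with user information attached) requests the server again
1-0 - The client has cookies disabled: when the client navigates between pages or sends a POST/GET to the server, it sends the session_id to the server along with the request
1-1 - The client has not disabled cookies: in this case the client does not send the session_id to the server; the client only sends the cookie
: Whether or not the client has cookies disabled, the server can successfully identify the client browser

Is the client not limited to browsers? For example, the chat history lists of QQ on PC and mobile

Questions:

Client-side storage location: browser memory or hard disk; who decides this?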

 

 

 

https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en

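-1 - The cookie serves the session; it is used to identify the client making the request;

0 - The cookie is generated by the server and sent to the client;

1 - The client browser

  1-0 - allows

 storing the cookie in the browser's memory or on the hard disk;

  1-1 - refuses

then the server, when responding to the client's request, returns the session_id to the client, and the client attaches the session_id to its next request;

2 - While identifying the requester, the server can also store information about the requester, such as the login account name, product browsing history, etc.: this can be stored directly in the cookie, or stored directly in files or a database on the server.

3 - The server decides the client cookie's lifetime, usable domain, and usable path, but whether the client browser stores the cookie in browser memory that disappears when the browser is closed, or on the hard disk: which factor decides this?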

 

HTTP The Definitive Guide

11.6.4 Different Cookies for Different Sites
A browser can have hundreds or thousands of cookies in its internal cookie jar, but browsers don't
send every cookie to every site. In fact, they typically send only two or three cookies to each site.
Here's why:


- Moving all those cookie bytes would dramatically slow performance. Browsers would
  actually be moving more cookie bytes than real content bytes!

- Most of these cookies would just be unrecognizable gibberish for most sites, because they
  contain server-specific name/value pairs.

- Sending all cookies to all sites would create a potential privacy concern, with sites you don't
  trust getting information you intended only for another site.

In general, a browser sends to a server only those cookies that the server generated. Cookies generated
by joes-hardware.com are sent to joes-hardware.com and not to bobs-books.com or marys-movies.com.

Many web sites contract with third-party vendors to manage advertisements. These advertisements are
made to look like they are integral parts of the web site and do push persistent cookies. When the user
goes to a different web site serviced by the same advertisement company, the persistent cookie set
earlier is sent back again by the browser (because the domains match). A marketing company could
use this technique, combined with the Referer header, to potentially build an exhaustive data set of
user profiles and browsing habits. Modern browsers allow you to configure privacy settings to restrict
third-party cookies.

 

11.6.4.1 Cookie Domain attribute

A server generating a cookie can control which sites get to see that cookie by adding a Domain attribute to the Set-Cookie response header. For example, the following HTTP response header tells the browser to send the cookie user="mary17" to any site in the domain .airtravelbargains.com:

    Set-cookie: user="mary17"; domain="airtravelbargains.com"

If the user visits www.airtravelbargains.com, specials.airtravelbargains.com, or any site ending in .airtravelbargains.com, the following Cookie header will be issued:

    Cookie: user="mary17"

11.6.4.2 Cookie Path attribute

The cookie specification even lets you associate cookies with portions of web sites. This is done using the Path attribute, which indicates the URL path prefix where each cookie is valid.

For example, one web server might be shared between two organizations, each having separate cookies. The site www.airtravelbargains.com might devote part of its web site to auto rentals—say, http://www.airtravelbargains.com/autos/—using a separate cookie to keep track of a user's preferred car size. A special auto-rental cookie might be generated like this:

    Set-cookie: pref=compact; domain="airtravelbargains.com"; path=/autos/

If the user goes to http://www.airtravelbargains.com/specials.html, she will get only this cookie:

    Cookie: user="mary17"

But if she goes to http://www.airtravelbargains.com/autos/cheapo/index.html, she will get both of these cookies:

    Cookie: user="mary17"
    Cookie: pref=compact

So, cookies are pieces of state, slapped onto the client by the servers, maintained by the clients, and sent back to only those sites that are appropriate. Let's look in more detail at the cookie technology and standards.
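The Domain and Path scoping described in 11.6.4.1 and 11.6.4.2, as an added example that is not part of the book excerpt or the original notes. It goes beyond the excerpt by using the domain-match and path-match rules of RFC 6265; the host-only cookie `sid` and the look-alike host in the demo are constructed for contrast.

```python
import ipaddress
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: identical, or a dot-bounded suffix of a host name."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)  # suffix matching never applies to IP literals
        return False
    except ValueError:
        return host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: identical, or a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

# Constructed jar: the excerpt's two cookies plus a host-only cookie "sid"
# (set without a Domain attribute), which is an assumption added for contrast.
JAR = [
    {"name": "user", "domain": "airtravelbargains.com", "host_only": False, "path": "/"},
    {"name": "pref", "domain": "airtravelbargains.com", "host_only": False, "path": "/autos/"},
    {"name": "sid", "domain": "www.airtravelbargains.com", "host_only": True, "path": "/"},
]

def cookies_for(url, jar=JAR):
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    sent = []
    for c in jar:
        domain_ok = host == c["domain"] if c["host_only"] else domain_match(host, c["domain"])
        if domain_ok and path_match(path, c["path"]):
            sent.append(c["name"])
    return sent

if __name__ == "__main__":
    for url in ("http://www.airtravelbargains.com/specials.html",
                "http://www.airtravelbargains.com/autos/cheapo/index.html",
                "http://specials.airtravelbargains.com/",
                "http://notairtravelbargains.com/autos/"):
        print(url, "->", cookies_for(url))
```

A cookie set with a Domain attribute reaches every subdomain, while the host-only cookie stays on the exact host that set it, which is why session identifiers are usually left host-only.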
