Introduction of HTTP Cookie State Management Mechanism

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03 Report

This article introduces the relevant knowledge of the "introduction to the HTTP Cookie state management mechanism". In actual cases many people run into the situations described here, so let the editor lead you through how to deal with them. I hope you read it carefully and take something away from it!

HTTP cookies, usually just called "cookies", have existed for a long time but are still not fully understood. The first problem is the many misconceptions about them: that cookies are a backdoor or a virus, or simply no idea of how they work. The second problem is the lack of a consistent interface for cookies. Despite these problems, cookies still play such an important role in web development that if they disappeared without an alternative, many of our favorite Web applications would become useless.

I. Origin of cookie

Cookies were first invented by Lou Montulli, a Netscape employee, in March 1993 and later adopted by the W3C. Today the cookie is a standard, and all mainstream browsers (IE, Chrome, Firefox, Opera and so on) support it.

Cookies were born from an inherent shortcoming of the HTTP protocol: HTTP is stateless. Once a simple request/response exchange ends, the connection between the client and the server is closed, and a new connection must be established to exchange data again. This means the server cannot track a session from the connection alone; that is, it does not know which client it is talking to.

Typical applications such as login or a shopping cart therefore cannot be implemented. For example, the items bought by user A in a mall should be placed in A's shopping cart: whenever user A buys them, they all belong to the same session, and they must not end up in the shopping cart of user B or user C, who do not belong to that session.

The basic principles are shown in the diagram.

II. Cookie operation

The operations on a cookie involve the following attributes:

1. Name (Name)

2. Value (Value)

3. Domain (Domain)

4. Path (Path)

5. Expiration date (Expires)

6. Security flag (Secure)

7. HttpOnly (server side only)

Note that cookies are created on the server side most of the time. JS can also create cookies, but JS cannot create an HttpOnly cookie.

The cookie API the browser provides (document.cookie) is so crude that it is worth wrapping lightly. For example, a cookie function in setter/getter style is much more convenient.

    /**
     * JS write cookie and read cookie operations
     * read cookie:  cookie(name)
     * write cookie: cookie(name, value)
     *               cookie(name, value, option)
     */
    var cookie = function (name, value, option) {
        var doc = document
        if (value !== undefined) {
            // set
            option = option || {}
            if (value === null) {
                // deleting: store an empty value with an expiry in the past
                value = ''
                option.expires = -1
            }
            var expires = ''
            if (option.expires && (typeof option.expires === 'number' || option.expires.toUTCString)) {
                var date = new Date()
                if (typeof option.expires === 'number') {
                    // a number is interpreted as a number of days from now
                    date.setTime(date.getTime() + (option.expires * 24 * 60 * 60 * 1000))
                } else {
                    date = option.expires
                }
                // for IE
                expires = '; expires=' + date.toUTCString()
            }
            var path = option.path ? '; path=' + option.path : ''
            var domain = option.domain ? '; domain=' + option.domain : ''
            var secure = option.secure ? '; secure' : ''
            doc.cookie = [name, '=', encodeURIComponent(value), expires, path, domain, secure].join('')
        } else {
            // get
            var cookieValue = null
            if (doc.cookie && doc.cookie !== '') {
                var cookies = doc.cookie.split(';')
                for (var i = 0; i < cookies.length; i++) {
                    // split only on the first '=' so values containing '=' survive
                    var pair = cookies[i].trim()
                    var eq = pair.indexOf('=')
                    if (eq > 0 && pair.slice(0, eq) === name) {
                        var raw = pair.slice(eq + 1)
                        try {
                            cookieValue = decodeURIComponent(raw)
                        } catch (e) {
                            cookieValue = raw
                        }
                        break
                    }
                }
            }
            return cookieValue
        }
    }

Of course, https://github.com/florian/cookie.js is a more convenient alternative that provides richer functions.

III. Cookie type

1. Ordinary cookie: both the server and JS can create it, and JS can read it.

2. HttpOnly cookie: only the server can create it, and JS cannot read it. This is mainly a security consideration.

3. Secure cookie (HTTPS only): both the server and JS can create it, and JS can access it only under HTTPS.

For example, on a test page on Sina Cloud, http://snandy.sinaapp.com/php/cookie.php, I planted three cookies: C1, c2 and c3.

    <?php
    // expiry timestamp; the original expression was garbled, one hour from now is assumed here
    $d1 = time() + 3600;
    // ordinary cookie
    setcookie("C1", "Jack", $d1);
    // secure cookie, HTTPS only: 6th parameter
    setcookie("c2", "John", $d1, "", "", TRUE);
    // HttpOnly cookie: 7th parameter
    setcookie("c3", "Resig", $d1, "", "", FALSE, TRUE);

Access with Firefox

I have all three. Saeut is from Sina Cloud.

Enter document.cookie in the Firebug console

As you can see, c2 and c3 are not accessible. Note that c2 is a Secure cookie and can only be accessed under the HTTPS protocol, while c3 is HttpOnly and cannot be accessed by JS.

Change the access protocol to HTTPS (https://snandy.sinaapp.com/php/cookie.php), open Firebug, switch to the console and type document.cookie; you can see that c2 is now accessible.

IV. Cookie's pit

1. A page access error occurs when a cookie is too large or there are too many cookies; for example, the following prompt appears.

Therefore a site's cookies need to be managed, and cookies cannot be planted at will. In addition, specify a path whenever possible to limit the cookie to the intended range.

The website browsercookielimits.squawky.net records the cookie size limits of each browser.

2. Non-ASCII text such as Chinese must be encoded (encodeURIComponent) before it is stored, otherwise it comes out garbled.
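As an added example that is not part of the original article, the following Node.js snippet parses Set-Cookie response headers and reports, per cookie, which of the attributes discussed in sections II to IV are missing (Secure, HttpOnly, Path), whether the cookie exceeds a per-cookie size limit, and whether a value carries unencoded non-ASCII text. The sample headers and the 4096-byte limit are assumptions made for the example.

```javascript
// Added example (not from the original article): audit Set-Cookie response headers
// for the attributes the article lists. Sample headers are constructed; the names
// C1/c2/c3 mirror the article's test page.
const MAX_COOKIE_BYTES = 4096 // assumed per-cookie limit; browsers differ (see browsercookielimits.squawky.net)

// Parse one Set-Cookie header into { name, value, attrs }; attribute names are lower-cased,
// valueless attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean)
  const eq = parts[0].indexOf('=')
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: {} }
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=')
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase()
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1)
  }
  return cookie
}

// Return the list of findings for one parsed cookie; an empty list means it passes.
function auditCookie(cookie) {
  const findings = []
  if (!cookie.attrs.secure) findings.push('missing Secure: also sent over plain HTTP')
  if (!cookie.attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie')
  if (!cookie.attrs.path) findings.push('no Path: scope defaults to the request directory, set it explicitly')
  // Section IV pitfalls: oversize cookies and values stored without encodeURIComponent
  const size = new TextEncoder().encode(cookie.name + '=' + cookie.value).length
  if (size > MAX_COOKIE_BYTES) findings.push('oversize: ' + size + ' bytes > ' + MAX_COOKIE_BYTES)
  if (/[^\x21-\x7e]/.test(cookie.value)) findings.push('non-ASCII value: encode with encodeURIComponent')
  return findings
}

// Audit a list of Set-Cookie headers; returns { cookieName: [findings...] }.
function auditHeaders(headers) {
  const report = {}
  for (const h of headers) {
    const c = parseSetCookie(h)
    report[c.name] = auditCookie(c)
  }
  return report
}

// Constructed sample headers modelled on the article's cookie.php page (C1 plain, c2 Secure, c3 HttpOnly),
// plus an encoded and an unencoded Chinese value for the section IV pitfall.
const SAMPLE_HEADERS = [
  'C1=Jack; expires=Sat, 18 Jan 2025 01:00:00 GMT',
  'c2=John; expires=Sat, 18 Jan 2025 01:00:00 GMT; secure',
  'c3=Resig; expires=Sat, 18 Jan 2025 01:00:00 GMT; HttpOnly',
  'c4=' + encodeURIComponent('中文'),
  'c5=中文'
]
```

Running auditHeaders(SAMPLE_HEADERS) shows that C1 fails every flag check, c2 passes only Secure, c3 passes only HttpOnly, and c5 is flagged for the unencoded value while c4 is not.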

This concludes the introduction to the HTTP Cookie state management mechanism. Thank you for reading. If you want to know more about the industry, you can follow the website; the editor will publish more high-quality practical articles for you!
