2025-01-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains client-side and server-side cookies in detail.
Part I: summary
A cookie is an early (and still widely used) client-side storage mechanism in which cookie data is transferred between web browsers and web servers. Because cookies were originally designed for server-side scripts, server-side scripts can read and write the cookie values stored on the client. Note that every value stored in a cookie is sent to the server with each HTTP request, whether or not the server needs it. The storage capacity of a cookie is small, generally no more than 4 KB, that is, 4096 bytes. Because of this limited capacity, Web Storage is now more popular.
A cookie is a file created by a visited website that stores browser information, such as personal data.
Disadvantages of cookies:
Data storage size: a cookie is a data storage container, but it holds only 4 KB, which is not enough for today's slightly more complex pages.
Security issues: cookies are passed in clear text over HTTP (over HTTPS they are not; this is a property of the protocol and has nothing to do with the cookie itself), so this is very insecure.
Network burden: as mentioned above, cookies travel between web browsers and servers with every HTTP request, which wastes bandwidth.
An HTTP cookie, usually just called a cookie, is created when the server sends a Set-Cookie header as part of its response; the header carries session information. The start of the server's response may look like the following, where the cookie's name is name and its value is value. It asks the client to send back the cookie with the key name:

    HTTP/1.1 200 OK
    Content-type: text/html
    Set-Cookie: name=value
    Other-header: other-header-value

The browser's next request then looks like this:

    GET /index.html HTTP/1.1
    Cookie: name=value
    Other-header: other-header-value

That is, the browser sends the value of name that the server asked for back to the server.
Sending the cookie to the server lets the server know more about this user.
Note: each cookie has the following format: name=value; the name and value must be legal identifiers.
Note: a cookie has a validity period. By default, a cookie's life cycle ends when the browser is closed. To keep a cookie available after the browser is closed, set a validity period for it, that is, its expiration date.
Part II: viewing cookies
We can use console.log(window.navigator.cookieEnabled) to check whether cookies are enabled in our own browser. It returns a Boolean value; true means cookies are enabled.
If you turn on "prevent the site from setting any data" in Chrome's content settings and run the code above, you can see that the cookie feature is turned off, that is, the result is false. At that point the client no longer stores any cookies.
A cookie is actually string information that is placed on the client's computer and used to pass information between the client computer and the server. We can check this with alert(typeof document.cookie).
In JavaScript, you can read or set this information through document.cookie. Because cookies are mostly used to transfer information between the client and the server, server-side languages such as PHP can also access cookies, in addition to JavaScript.
Since a cookie is ultimately stored on the client as a file, it is very easy to view and modify, which is why it is often said that cookies should not store important information.
Part III: some restrictions on cookie
Cookies have the concepts of domain and path. The domain restriction exists because the browser is a secure environment, so different domains must not be able to access each other's cookies (of course, this can be done across domains by way of JSONP). The path is a routing concept: a cookie created by a web page can only be accessed by web pages in the same directory as that page or in its subdirectories, not by web pages in other directories.
Part IV: Cookie FAQ
There are two types of cookie:
Cookies set by the website you are currently browsing.
Third-party cookies from other domains, such as embedded ads or pictures on the web page (a website can track your usage information by using these cookies).
The life cycle of a cookie can be roughly divided into two states:
First: temporary cookies. The website stores some of your personal information during the current session that will not be used later, so the information is deleted from the computer after the browser is closed.
Second: cookies with an expiration time set, for example recording your user name and password in a cookie so that you are logged in directly without entering them again. Such cookies can be kept for a few days, dozens of days, and so on.
Two ways to clear Cookie
Clear from the browser's own settings
By setting the validity period of cookie
Description: deleting cookie may cause some web pages to fail to function properly (for example, if I turn off the cookie function, the blog post I am writing now cannot be submitted properly)
Browsers can be configured to accept or reject cookies. For performance and functional reasons, keep the number of cookies used to a minimum.
If the page is on the local disk, Chrome's console cannot read or write cookies with JavaScript. The solution: change to another browser ^_^.
Part V: basic usage of cookie
1. Simple access operation
When using JavaScript to access cookies, you must use the cookie property of document, as follows:

    document.cookie = 'username=zzw'

Note: username is the name of the cookie, and zzw is the value for that name. If a cookie with that name does not exist, a new cookie is created; if it does exist, the value for that cookie name is modified. To create several cookies, repeat this statement.
We can also use document.cookie.length to see how many pairs of such cookie there are.
2. The read operation of cookie
The following code is an example from w3school:

    function getCookie(c_name) {
      // First check whether the cookie string is empty; if it is, return "".
      if (document.cookie.length > 0) {
        // Check whether the cookie exists with the indexOf() method of the String object.
        // If it doesn't exist, the result is -1.
        var c_start = document.cookie.indexOf(c_name + "=");
        if (c_start != -1) {
          // The last +1 accounts for the "=" sign, so this is the starting position of the cookie value.
          c_start = c_start + c_name.length + 1;
          // In fact, I was a little dizzy when I saw the second parameter of indexOf(),
          // and then I remembered that it is the position at which to start searching.
          // This statement gets the end position of the value. Because the cookie may be
          // the last item, check whether a ";" sign exists to decide.
          var c_end = document.cookie.indexOf(";", c_start);
          if (c_end == -1) c_end = document.cookie.length;
          // The value is obtained through substring(). To understand unescape() you have to
          // know what escape() does, which is a very important foundation; the details of
          // cookie encoding are explained at the end of the article.
          return unescape(document.cookie.substring(c_start, c_end));
        }
      }
      return "";
    }
You can see that this is actually an operation on a string.
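Because the lookup is a substring search, a name such as name also matches inside username. The following added example (not part of the original article or of w3school) shows that collision next to a lookup that compares whole names; it takes the cookie string as a parameter, the sample string is constructed, and decodeURIComponent is used here as an assumption in place of unescape for the exact-match version.

```javascript
// Parse a document.cookie / Cookie header string into exact name -> value pairs.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;                      // fragment without "=": ignore
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (name === "" || jar.has(name)) continue;   // keep the first occurrence of a name
    let value;
    try {
      value = decodeURIComponent(raw);
    } catch (e) {
      value = raw;                                // malformed %-sequence: keep the raw text
    }
    jar.set(name, value);
  }
  return jar;
}

// Lookup that only matches the complete cookie name.
function getCookieExact(cookieString, name) {
  const jar = parseCookies(cookieString);
  return jar.has(name) ? jar.get(name) : "";
}

// The substring search from the example above, with the string passed in.
function getCookieBySubstring(cookieString, name) {
  let start = cookieString.indexOf(name + "=");
  if (start === -1) return "";
  start += name.length + 1;
  let end = cookieString.indexOf(";", start);
  if (end === -1) end = cookieString.length;
  return unescape(cookieString.substring(start, end));
}

// Constructed sample: "name=" also occurs inside "username=".
const sample = "username=zzw; name=value; note=a%20b%3Bc";

console.log(getCookieBySubstring(sample, "name")); // value of username, not name
console.log(getCookieExact(sample, "name"));
```

In a browser, pass document.cookie as the first argument.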
3. Set the validity period of cookie
By default, a cookie expires when the browser is closed, but we can set the validity period in the following way:

    document.cookie = "name=value;expires=date"

The date value above is a date string in GMT (Greenwich Mean Time), which is generated as follows:

    var _date = new Date();
    _date.setDate(_date.getDate() + 30);
    _date.toGMTString(); // toGMTString() is a deprecated alias of toUTCString()
Run directly on the local machine and the result is: "Fri, 21 Apr 2017 19:21:11 GMT"
Adding 30 sets the cookie's validity period to 30 days. Note the use of setDate and getDate.
Part VI: the concept of Cookie path
By default, only pages in the same directory as the page that created the cookie, or in its subdirectories, can access it. For security reasons, not every page can freely access cookies created by other pages.
For example, if a cookie is created on the page "http://www.cnblogs.com/Darren_code/", then a page under the "/Darren_code/" path, such as "http://www.cnblogs.com/Darren_code/archive/2011/11/07/Cookie.html", can read the cookie by default, because this page is in a subdirectory of the path above. Because "http://www.cnblogs.com" and "http://www.cnblogs.com/xxxx/" are not in the same directory, they cannot access the cookie.
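The directory rule above, written out as an added example that is not part of the original article: it follows the default-path and path-match steps of RFC 6265 section 5.1.4, looks only at the path (the domain is assumed to be the same), and the function names are hypothetical.

```javascript
// Path a cookie gets when the page that sets it gives no path attribute:
// the page's URL path up to, but not including, its last "/".
function defaultCookiePath(urlPath) {
  if (!urlPath || urlPath[0] !== "/") return "/";
  const lastSlash = urlPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : urlPath.slice(0, lastSlash);
}

// True when a request for requestPath would carry a cookie scoped to cookiePath.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A bare prefix is not enough: "/Darren_code" must not match "/Darren_code2/".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Can a page at requestingPageUrl read a cookie created (with no path
// attribute) by the page at settingPageUrl? Same domain is assumed.
function canSeeCookie(settingPageUrl, requestingPageUrl) {
  const cookiePath = defaultCookiePath(new URL(settingPageUrl).pathname);
  return pathMatches(new URL(requestingPageUrl).pathname, cookiePath);
}

const creator = "http://www.cnblogs.com/Darren_code/";
console.log(canSeeCookie(creator,
  "http://www.cnblogs.com/Darren_code/archive/2011/11/07/Cookie.html"));
console.log(canSeeCookie(creator, "http://www.cnblogs.com/xxxx/"));
```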
Part VII: Cookie security
As mentioned earlier, cookies can be seen in HTTP messages and in local files, so it is not safe to store important information in them. However, the content carried in a cookie can be very important, so the data needs to be transmitted in encrypted form.
For this, the cookie has an attribute named secure, whose default value is empty. When it is set, data is transferred between the cookie and the server through HTTPS or another secure protocol, as follows:

    document.cookie = "username=zzw;secure"

It is worth noting that this only ensures that the data transfer between the cookie and the server is encrypted; the local files are still not encrypted, so the local cookie is still easy to read.
Part VIII: cookie encoding details
Cookie information cannot contain special symbols such as spaces, semicolons, and commas. In general, cookie information is not encoded. Therefore, you should use the escape() function to encode the cookie before setting it, and use the unescape() function to convert the value back when you read the cookie.
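The encoding step combined with the expires, path and secure attributes from the earlier parts, as an added example that is not part of the original article: buildCookie and its options are hypothetical names, and encodeURIComponent is used here as an assumption in place of escape(). The function only builds the string, so in a browser the result would be assigned to document.cookie.

```javascript
// Characters permitted in a cookie name (an HTTP "token").
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Build a "name=value; attribute; ..." string.
// options.days   validity period in days (omit for a browser-session cookie)
// options.now    base date for the calculation (defaults to the current time)
// options.path   value for the path attribute
// options.secure true to add the secure attribute
function buildCookie(name, value, options = {}) {
  if (!COOKIE_NAME.test(name)) {
    throw new Error("invalid cookie name: " + JSON.stringify(name));
  }
  // Spaces, semicolons and commas in the value become %20, %3B and %2C.
  const parts = [name + "=" + encodeURIComponent(value)];

  if (options.days !== undefined) {
    const now = options.now || new Date();
    const expires = new Date(now.getTime() + options.days * 24 * 60 * 60 * 1000);
    parts.push("expires=" + expires.toUTCString());
  }
  if (options.path !== undefined) {
    // A ";" or control character in the path would start a new attribute.
    if (/[;\x00-\x1f\x7f]/.test(options.path)) {
      throw new Error("invalid cookie path");
    }
    parts.push("path=" + options.path);
  }
  if (options.secure) parts.push("secure");
  return parts.join("; ");
}

// Constructed input: a value with a comma, a space and a semicolon.
const fixedNow = new Date(Date.UTC(2017, 2, 22, 19, 21, 11));
console.log(buildCookie("username", "zzw, a;b", {
  days: 30, now: fixedNow, path: "/Darren_code/", secure: true,
}));
```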