[Web]HTTP cookies

Using HTTP cookies

Reading

Source:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

An HTTP cookie is a small piece of data sent from the server to the user's browser. The browser stores it and sends it back with later requests to the same server. Generally it is used to tell whether two requests came from the same browser, for example to keep a user logged in. In this way it remembers stateful information for the stateless HTTP protocol.

Cookies have three main purposes:

Session management
    Logins, shopping carts, game scores, or anything else the server should remember

Personalization
    User preferences, themes, and other settings

Tracking
    Recording and analyzing user behavior

Creating cookies

After receiving an HTTP request, a server can send a Set-Cookie header with the response. The cookie is usually stored by the browser, and then the cookie is sent with requests made to the same server inside a Cookie HTTP header. An expiration date or duration can be specified, after which the cookie is no longer sent. Additional restrictions to a specific domain and path can be set, limiting where the cookie is sent. For details about the header attributes mentioned below, refer to the Set-Cookie reference article.

After receiving an HTTP request, the server can send a "Set-Cookie" header along with the response. The cookie is usually stored by the browser and then sent back, inside the Cookie HTTP header, with requests to the same server. An expiration date or a duration can be specified, after which the cookie is no longer sent. Additional restrictions to a specific domain and path can be set, limiting where the cookie is sent.


The Set-Cookie HTTP response header sends cookies from the server to the user agent. A simple cookie is set like this:
A cookie sent from the server to the client:
Set-Cookie: <cookie-name>=<cookie-value>
This shows the server sending headers to tell the client to store a pair of cookies:
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: yummy_cookie=choco
Set-Cookie: tasty_cookie=strawberry

[page content]
Then, with every subsequent request to the server, the browser sends back all previously stored cookies to the server using the Cookie header.

Then, with every subsequent request to the server (requests from the client side), the browser uses the Cookie header to send all previously stored cookies back to the server.

GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=choco; tasty_cookie=strawberry



Note: Here's how to use the Set-Cookie header in various server-side applications:


Define the lifetime of a cookie

The lifetime of a cookie can be defined in two ways:
  • Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting, which can cause session cookies to last indefinitely long.
  • Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting, which may cause session cookies to persist indefinitely.
  • Permanent cookies are deleted at a date specified by the Expires attribute, or after a period of time specified by the Max-Age attribute.
  • The lifetime can be defined with either Expires or Max-Age.
For example:
Set-Cookie: id=a3fWa; Expires=Wed, 31 Oct 2021 07:28:00 GMT;

Restrict access to cookies

There are a couple of ways to ensure that cookies are sent securely and are not accessed by unintended parties or scripts: the Secure attribute and the HttpOnly attribute.

The two attributes Secure and HttpOnly can be used to ensure that cookies are sent securely and are not accessed by unintended parties or scripts.

A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP, and therefore can't easily be accessed by a man-in-the-middle attacker. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute. However, do not assume that Secure prevents all access to sensitive information in cookies; for example, it can be read by someone with access to the client's hard disk.

The Secure attribute makes the cookie travel only with encrypted requests over the HTTPS protocol, never over unsecured HTTP, so it cannot easily be accessed by a man-in-the-middle attacker. Insecure sites (with http: in the URL) cannot set cookies with the Secure attribute. However, do not assume that Secure prevents all access to sensitive information in cookies; for example, it can still be obtained by someone with access to the client's hard disk.

A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is sent only to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.


JavaScript Document.cookie API無法訪問具有HttpOnly屬性的cookie。 它只會發送到Server。 例如,persist server-side sessions 的cookie不需要對JavaScript可用,而應具有HttpOnly屬性。 此預防措施有助於減輕跨站點腳本(XSS)攻擊。

Here is an example:

Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
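As an added example (not code from MDN or this blog), the following Python script parses the Set-Cookie headers shown in the lifetime and access-restriction sections above, works out whether each cookie is a session or a permanent cookie (Max-Age takes precedence over Expires when both are present), and reports which of the Secure and HttpOnly attributes a cookie lacks. The function names and the findings dictionary are my own choices, not anything from the page.

```python
# Added example (not from MDN or this blog): parse Set-Cookie headers and
# report each cookie's lifetime and the hardening attributes it lacks.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def parse_set_cookie(header: str) -> tuple:
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pair, *rest = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for item in rest:
        if item:  # an empty item is the trailing ';' seen in the MDN examples
            key, _, val = item.partition("=")
            attrs[key.strip().lower()] = val.strip()  # flags such as Secure map to ''
    return name.strip(), value, attrs


def expiry(attrs: dict, now: datetime) -> Optional[datetime]:
    """None means a session cookie; Max-Age takes precedence over Expires."""
    if "max-age" in attrs:
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])  # ignores the weekday name
    return None


def audit(header: str, now: Optional[datetime] = None) -> dict:
    """Findings a reviewer would want for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    ends = expiry(attrs, now)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: also sent over unencrypted HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable through document.cookie")
    return {
        "name": name,
        "lifetime": "session" if ends is None else "permanent",
        "expires_at": ends,
        "problems": problems,
    }


if __name__ == "__main__":  # the Expires-only header from the lifetime section above
    print(audit("Set-Cookie: id=a3fWa; Expires=Wed, 31 Oct 2021 07:28:00 GMT;"))
```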
