Web Cookie

What is a cookie

  • A cookie is a small text file stored on the user’s computer by the browser
  • Cookies are in plain text format and do not contain any executable code
  • A web page or server tells the browser to store a cookie according to certain specifications, and the browser sends this information back to the server in subsequent requests
  • The web server can tell different users apart by using this information
  • Most websites that require login set a cookie after the user has been authenticated successfully
  • As long as that cookie exists and is valid, the user can browse any page of the website freely

Create cookie

== HTTP Response
Set-Cookie: value[; expires=date][; domain=domain][; path=path][; secure]

== HTTP Request
Cookie: value

The web server creates a cookie by sending an HTTP response header called Set-Cookie
value: usually in the format name=value
The options given in Set-Cookie (expires, domain, path, secure) are used only on the browser side and are never sent back to the server
In every subsequent request the cookie is sent back to the server in an HTTP header named Cookie, which carries only the cookie's name=value pair
The value sent to the server is exactly the one specified by Set-Cookie; the browser neither parses nor re-encodes it

Cookie encoding

RFC specification: only three characters (semicolon, comma, space) must be encoded
Almost all implementations nevertheless apply URL encoding to the whole cookie value
For the name=value format, the name and the value are usually encoded separately, and the = between them is not encoded

Cookie expires

Specifies when the cookie will no longer be sent to the server; after that point the browser deletes it
Format: Wdy, DD-Mon-YYYY HH:MM:SS GMT
If the expires option is not set, the cookie's lifetime is limited to the current session, and closing the browser ends the session
If expires is set to a point in time in the past, the cookie is deleted immediately
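The creation, encoding and expiry rules above, as an added example that is not part of the original notes: the server side builds a Set-Cookie value with name and value URL-encoded separately, and the browser side keeps the raw pair, echoes only the pair back in the Cookie header, and treats a missing expires as a session cookie and a past expires as a deletion. All header values, names and dates here are constructed.

```python
"""Server-side Set-Cookie construction and browser-side handling of the
cookie pair, its encoding and the expires option. Added illustration, not
from the original notes; every header value below is constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

# The expires format used in the notes: Wdy, DD-Mon-YYYY HH:MM:SS GMT
EXPIRES_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"


def format_set_cookie(name, value, expires=None, domain=None, path=None,
                      secure=False):
    """Build a Set-Cookie header value. Name and value are URL-encoded
    separately so that ';', ',', ' ' and '=' inside them cannot break the
    name=value; option; option layout. The '=' between them stays."""
    parts = [f"{quote(name, safe='')}={quote(value, safe='')}"]
    if expires is not None:
        parts.append("expires=" + expires.astimezone(timezone.utc).strftime(EXPIRES_FMT))
    if domain:
        parts.append("domain=" + domain)
    if path:
        parts.append("path=" + path)
    if secure:
        parts.append("secure")  # a bare flag, no value
    return "; ".join(parts)


def parse_set_cookie(header):
    """Browser side: split a Set-Cookie value into the raw name=value pair
    and its options. The pair is kept exactly as received, because it is
    echoed back unchanged in the Cookie request header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "expires": None,
              "domain": None, "path": None, "secure": False}
    for opt in parts[1:]:
        key, has_value, val = opt.partition("=")
        key = key.strip().lower()
        if key == "secure" and not has_value:
            cookie["secure"] = True
        elif key == "expires":
            cookie["expires"] = datetime.strptime(val, EXPIRES_FMT).replace(tzinfo=timezone.utc)
        elif key in ("domain", "path"):
            cookie[key] = val
    return cookie


def decode_pair(cookie):
    """What the application sees: name and value URL-decoded separately."""
    return unquote(cookie["name"]), unquote(cookie["value"])


def is_expired(cookie, now):
    """No expires means a session cookie (alive until the browser closes);
    an expires at or before now, e.g. one deliberately set in the past,
    means the cookie is deleted immediately."""
    return cookie["expires"] is not None and cookie["expires"] <= now


def store_cookie(jar, cookie, now):
    """Apply one parsed Set-Cookie to a jar keyed by cookie name."""
    if is_expired(cookie, now):
        jar.pop(cookie["name"], None)
    else:
        jar[cookie["name"]] = cookie
    return jar


def build_cookie_header(jar):
    """The Cookie request header carries only the pairs, none of the
    options, joined by '; '."""
    return "; ".join(f"{c['name']}={c['value']}" for c in jar.values())


def demo():
    """Constructed exchange: a login sets a session id whose value needs
    encoding, then a logout deletes it by re-sending it with a past expires."""
    now = datetime(2021, 6, 9, 10, 0, 0, tzinfo=timezone.utc)
    jar = {}
    login = format_set_cookie("sid", "a=b; c", expires=now + timedelta(hours=1), path="/")
    store_cookie(jar, parse_set_cookie(login), now)
    header_after_login = build_cookie_header(jar)
    logout = format_set_cookie("sid", "", expires=now - timedelta(days=1), path="/")
    store_cookie(jar, parse_set_cookie(logout), now)
    header_after_logout = build_cookie_header(jar)
    return login, header_after_login, header_after_logout


if __name__ == "__main__":
    for line in demo():
        print(repr(line))
```

The pair is stored raw and decoded only by decode_pair, which mirrors the rule that the browser sends the value back exactly as Set-Cookie gave it; encoding name and value separately is what keeps a '=' or ';' inside the value from being mistaken for option syntax.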

Cookie domain (tail match)

Specifies the domain to which the cookie will be sent
By default, domain is set to the domain of the page that created the cookie, so the cookie is sent whenever a request goes to that same domain name
Example: yahoo.com, a.yahoo.com, b.yahoo.com
If the cookie's domain is set to yahoo.com, the cookie can be sent to yahoo.com, a.yahoo.com and b.yahoo.com
The browser matches the domain value against the tail of the requested host name, and the cookie is sent to the server only when that tail match succeeds
The domain value must be a tail of the host name that sent the Set-Cookie header; an illegal domain is ignored outright

Cookie path (head match)

The cookie is sent only when the requested resource URL begins with the specified path
The browser matches the path value against the head (prefix) of the requested URL path, and sends the cookie only when that match succeeds
Set-Cookie: name=zhongmingmao; path=/x: the path /x matches both /x and /xy
Default value of path: the path part of the URL of the response that sent Set-Cookie
Verification order: domain -> path

Cookie secure

This option is a bare flag with no value
A cookie carrying the secure option is sent to the server only on requests made over SSL/HTTPS
Such cookies are generally high-value and could be tampered with if transmitted over plain HTTP
But because the cookie mechanism as a whole is insecure, confidential information should not be stored in or transmitted via cookies
By default, cookies transmitted over HTTPS connections are automatically given the secure option
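The browser-side send decision from the domain, path and secure sections, as an added example that is not part of the original notes: a cookie is accepted only if its domain is a tail of the host that set it (defaults filled in from the setting URL), and on each request the checks run in the order domain -> path -> secure. The hosts, paths and cookie dicts are constructed; the yahoo.com names are the ones used in the notes.

```python
"""Browser-side decision whether a stored cookie is sent on a request:
domain tail match, then path head match, then the secure flag.
Added illustration, not from the original notes; hosts and paths are
constructed and cookies are plain dicts."""
from urllib.parse import urlsplit


def domain_matches(cookie_domain, request_host):
    """Tail match: the request host is the cookie domain itself or ends
    with '.' + domain. With domain=yahoo.com, yahoo.com, a.yahoo.com and
    b.yahoo.com all match; notyahoo.com does not."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(cookie_path, request_path):
    """Head (prefix) match: path=/x matches /x and /xy."""
    return request_path.startswith(cookie_path)


def accept_cookie(cookie, set_url):
    """Called when Set-Cookie arrives in the response to set_url. Fills in
    the defaults (domain = setting host, path = path part of the setting
    URL) and rejects a domain that is not a tail of the setting host."""
    parts = urlsplit(set_url)
    domain = cookie.get("domain") or parts.hostname
    if not domain_matches(domain, parts.hostname):
        return None  # illegal domain: the cookie is ignored outright
    path = cookie.get("path") or (parts.path or "/")
    return {**cookie, "domain": domain, "path": path,
            "secure": bool(cookie.get("secure"))}


def should_send(cookie, request_url):
    """Verification order from the notes: domain -> path, then secure."""
    parts = urlsplit(request_url)
    if not domain_matches(cookie["domain"], parts.hostname):
        return False
    if not path_matches(cookie["path"], parts.path or "/"):
        return False
    if cookie["secure"] and parts.scheme != "https":
        return False
    return True


def cookie_header_for(jar, request_url):
    """Cookie header for one request: only the pairs of cookies that pass."""
    return "; ".join(f"{c['name']}={c['value']}"
                     for c in jar if should_send(c, request_url))


def demo():
    """Constructed jar: a secure site-wide session cookie scoped to
    yahoo.com, a preference cookie left at its defaults, and one whose
    domain does not belong to the setting host (dropped)."""
    jar = []
    for raw, url in [
        ({"name": "sid", "value": "1", "domain": "yahoo.com", "path": "/", "secure": True},
         "https://a.yahoo.com/login"),
        ({"name": "pref", "value": "dark", "path": "/x"},
         "http://b.yahoo.com/x/settings"),
        ({"name": "evil", "value": "1", "domain": "bank.example"},
         "http://a.yahoo.com/"),
    ]:
        accepted = accept_cookie(raw, url)
        if accepted is not None:
            jar.append(accepted)
    return jar


if __name__ == "__main__":
    stored = demo()
    for url in ("https://b.yahoo.com/xy", "http://b.yahoo.com/xy",
                "https://a.yahoo.com/x", "https://notyahoo.com/"):
        print(url, "->", repr(cookie_header_for(stored, url)))
```

The secure check comes last on purpose: a cookie that fails domain or path is never considered, while a secure cookie that passes both is still withheld from a plain http:// request, which is the whole point of the flag.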