http cookie

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing.

Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past).

They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit card numbers.

 

Other kinds of cookies perform essential functions in the modern web.

Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with.

Without such a mechanism, the site would not know whether to send a page containing sensitive information, or require the user to authenticate themselves by logging in.

The security of an authentication cookie generally depends on the security of the issuing website and the user's web browser, and on whether the cookie data is encrypted.

Security vulnerabilities may allow a cookie's data to be read by a hacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs (see cross-site scripting and cross-site request forgery for examples).

 

The tracking cookies, and especially third-party tracking cookies, are commonly used as ways to compile long-term records of individuals' browsing histories – a potential privacy concern that prompted European^[2] and U.S. lawmakers to take action in 2011.^[3][4] European law requires that all websites targeting European Union member states gain "informed consent" from users before storing non-essential cookies on their device.

 

Session cookie

A session cookie, also known as an in-memory cookie or transient短暂的 cookie, exists only in temporary memory while the user navigates the website.^[17] Web browsers normally delete session cookies when the user closes the browser.^[18] Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.

 

Persistent cookie

Instead of expiring when the web browser is closed as session cookies do, a persistent cookie expires at a specific date or after a specific length of time.

This means that, for the cookie's entire lifespan (which can be as long or as short as its creators want), its information will be transmitted to the server every time the user visits the website that it belongs to, or every time the user views a resource belonging to that website from another website (such as an advertisement).

For this reason, persistent cookies are sometimes referred to as tracking cookies because they can be used by advertisers to record information about a user's web browsing habits over an extended period of time. However, they are also used for "legitimate"合法的 reasons (such as keeping users logged into their accounts on websites, to avoid re-entering login credentials at every visit).

These cookies are however reset if the expiration time is reached or the user manually deletes the cookie.

 

Secure cookie

A secure cookie can only be transmitted over an encrypted connection (i.e. HTTPS).

They cannot be transmitted over unencrypted connections (i.e. HTTP).

This makes the cookie less likely to be exposed to cookie theft via eavesdropping窃听.

A cookie is made secure by adding the Secure flag to the cookie.

 

HttpOnly cookie

An HttpOnly cookie cannot be accessed by client-side APIs, such as JavaScript.

This restriction eliminates消除 the threat of cookie theft盗窃 via cross-site scripting (XSS).

However, the cookie remains vulnerable to cross-site tracing (XST) and cross-site request forgery (XSRF) attacks.

A cookie is given this characteristic by adding the HttpOnly flag to the cookie.

 

Uses

Session management

Cookies were originally introduced to provide a way for users to record items they want to purchase as they navigate throughout a website (a virtual "shopping cart" or "shopping basket").^[8][9]

Today, however, the contents of a user's shopping cart are usually stored in a database on the server, rather than in a cookie on the client.

To keep track of which user is assigned to which shopping cart, the server sends a cookie to the client that contains a unique session identifier (typically, a long string of random letters and numbers).

Because cookies are sent to the server with every request the client makes, that session identifier will be sent back to the server every time the user visits a new page on the website, which lets the server know which shopping cart to display to the user.

 

Another popular use of cookies is for logging into websites.

When the user visits a website's login page, the web server typically sends the client a cookie containing a unique session identifier.

When the user successfully logs in, the server remembers that that particular session identifier has been authenticated, and grants the user access to its services.

 

Because session cookies only contain a unique session identifier, this makes the amount of personal information that a website can save about each user virtually limitless—the website is not limited to restrictions concerning how large a cookie can be. Session cookies also help to improve page load times, since the amount of information in a session cookie is small and requires little bandwidth.

 

作者:Chuck Lu    GitHub