
The great charm of cookies

2022-06-24 10:08:00 Tiancun information

In the early days the Internet was used only for simple page browsing, with no interaction. The server could not tell whether two requests came from the same browser, nor what a user had done on the previous request: every request was completely independent of every other, which is what "stateless" means for the HTTP protocol. That limitation obviously could not satisfy the needs of interactive Web development, and the cookie was proposed as the solution by Netscape, the dominant browser vendor of the time.

1. Cookie overview

A cookie can be thought of as the browser's ID card. Each site decides, according to its own needs, whether to issue one. When the browser visits the same site again it presents the card as agreed and receives the privileges tied to it. If the card is lost, the visitor has to register again.

Cookie data is kept by the client browser itself, and browsers differ in how they store it locally: Chrome and Firefox use SQLite databases, IE used plain text files. Chrome additionally encrypts the stored value with a key held by the operating system (DPAPI on Windows), so the raw value can only be read back through the browser's own API; Firefox stores values in the clear. By default a cookie lives only in memory and is discarded when the browser process exits (a session cookie). If the server gives the cookie a lifetime (Expires or Max-Age), it is written to disk as a persistent cookie: it survives until it expires, is reused on later visits, and its lifetime can be renewed by a fresh Set-Cookie.

1.1 Observing cookies in HTTP traffic

Take the site http://www.website.com.cn/bbs/ as an example to explain how a cookie travels inside HTTP messages.

On the first request for the bbs home page /bbs/, the request headers carry no Cookie at all. Because some functions need it, the site asks the browser to store cookies locally: in the first exchange below the browser stores three values, phpbb3_lhc4d_u, phpbb3_lhc4d_k and phpbb3_lhc4d_sid. Pay attention to phpbb3_lhc4d_sid: it holds the server-side SessionID (also called the session identifier).

GET /bbs/ HTTP/1.1
Host: www.website.com.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://www.website.com.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

HTTP/1.1 200 OK
Date: Mon, 21 Oct 2019 03:04:44 GMT
Server: Apache
X-Powered-By: PHP/5.5.38-1~dotdeb+7.1
Set-Cookie: phpbb3_lhc4d_u=1; expires=Tue, 20-Oct-2020 03:04:44 GMT; path=/; domain=www.website.com.cn; HttpOnly
Set-Cookie: phpbb3_lhc4d_k=; expires=Tue, 20-Oct-2020 03:04:44 GMT; path=/; domain=www.website.com.cn; HttpOnly
Set-Cookie: phpbb3_lhc4d_sid=8fedbe0e849ab04df7a698b54d011b16; expires=Tue, 20-Oct-2020 03:04:44 GMT; path=/; domain=www.website.com.cn; HttpOnly
Cache-Control: private, no-cache="set-cookie"
Expires: Mon, 21 Oct 2019 03:04:44 GMT
Referer-Policy: same-origin
X-Frame-Options: sameorigin
Vary: Accept-Encoding
Content-Length: 9110
Connection: close
Content-Type: text/html; charset=UTF-8

Refresh the page and request the same URL again: the browser automatically attaches every cookie it previously stored for that site. Note in passing that each cookie is limited in size, to roughly 4 KB (RFC 6265 requires user agents to accept at least 4096 bytes per cookie, and browsers stay close to that limit).

GET /bbs/ HTTP/1.1
Host: www.website.com.cn
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://www.website.com.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: phpbb3_lhc4d_u=1; phpbb3_lhc4d_k=; phpbb3_lhc4d_sid=8fedbe0e849ab04df7a698b54d011b16
Connection: close

HTTP/1.1 200 OK
Date: Mon, 21 Oct 2019 03:05:16 GMT
Server: Apache
X-Powered-By: PHP/5.5.38-1~dotdeb+7.1
Cache-Control: private, no-cache="set-cookie"
Expires: Mon, 21 Oct 2019 03:05:16 GMT
Referer-Policy: same-origin
X-Frame-Options: sameorigin
Vary: Accept-Encoding
Content-Length: 8435
Connection: close
Content-Type: text/html; charset=UTF-8

After entering correct account details and logging in to the bbs, you can see that the server has replaced the phpbb3_lhc4d_sid value stored locally. This value is the pass for the boards inside the bbs: as long as the browser carries this cookie, access is granted.

POST /bbs/ucp.php?mode=login HTTP/1.1
Host: www.website.com.cn
Content-Length: 94
Cache-Control: max-age=0
Origin: http://www.website.com.cn
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://www.website.com.cn/bbs/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: phpbb3_lhc4d_u=1; phpbb3_lhc4d_k=; phpbb3_lhc4d_sid=8fedbe0e849ab04df7a698b54d011b16
Connection: close

username=***********&password=**************************&login=%E7%99%BB%E5%BD%95&redirect=.%2Findex.php%3F

HTTP/1.1 302 Found
Date: Mon, 21 Oct 2019 03:05:48 GMT
Server: Apache
X-Powered-By: PHP/5.5.38-1~dotdeb+7.1
Set-Cookie: phpbb3_lhc4d_u=77; expires=Tue, 20-Oct-2020 03:05:48 GMT; path=/; domain=www.website.com.cn; HttpOnly
Set-Cookie: phpbb3_lhc4d_k=; expires=Tue, 20-Oct-2020 03:05:48 GMT; path=/; domain=www.website.com.cn; HttpOnly
Set-Cookie: phpbb3_lhc4d_sid=bdabd760e3a87aa6b0dfb517c8c7d90a; expires=Tue, 20-Oct-2020 03:05:48 GMT; path=/; domain=www.website.com.cn; HttpOnly
Location: http://www.website.com.cn/bbs/index.php?&sid=bdabd760e3a87aa6b0dfb517c8c7d90a
Cache-Control: max-age=86400
Expires: Tue, 22 Oct 2019 03:05:48 GMT
Referer-Policy: same-origin
X-Frame-Options: sameorigin
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

GET /bbs/index.php HTTP/1.1
Host: www.website.com.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://www.website.com.cn/bbs/index.php?&sid=bdabd760e3a87aa6b0dfb517c8c7d90a
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: phpbb3_lhc4d_u=1; phpbb3_lhc4d_k=; phpbb3_lhc4d_sid=bdabd760e3a87aa6b0dfb517c8c7d90a
Connection: close

HTTP/1.1 200 OK
Date: Mon, 21 Oct 2019 03:06:16 GMT
Server: Apache
X-Powered-By: PHP/5.5.38-1~dotdeb+7.1
Cache-Control: private, no-cache="set-cookie"
Expires: Mon, 21 Oct 2019 03:06:16 GMT
Referer-Policy: same-origin
X-Frame-Options: sameorigin
Vary: Accept-Encoding
Content-Length: 37722
Connection: close
Content-Type: text/html; charset=UTF-8

What the HTTP exchange above shows:

  • Cookies are transmitted and exchanged in HTTP headers;
  • Set-Cookie is the response header with which the server instructs the browser to store a cookie, and it can carry control attributes;
  • Cookie is the request header the browser sends back to the server; it carries only name=value pairs and never the attributes.

2. Cookie attributes

RFC 6265 specifies the Set-Cookie response header, of the form 「Set-Cookie: <cookie>」. Apart from name and value, the two mandatory parts, a cookie may carry several optional control attributes. A summary of the relevant rules follows:

Attribute: description

Mandatory
  • name=value: the cookie's name and its value.

Optional
  • expires: absolute expiry date. If the value cannot be parsed as a date the client ignores the attribute. When the same cookie is set again with a different expires value, the new one replaces the old.
  • max-age: relative lifetime in seconds. A non-numeric value is ignored. When both are present, max-age takes precedence over expires.
  • domain: the hosts the cookie is sent back to. If omitted, the cookie is host-only and goes back only to the exact host that set it. If set, it is also sent to every subdomain of that domain, so an explicit Domain is broader than the default, not narrower.
  • path: limits the cookie to a URL path prefix. If the server omits it, the client uses the directory part of the request URI as the default.
  • secure: controls how the cookie travels on the network. By default a cookie is sent over plain, unencrypted HTTP as well; a cookie marked Secure is sent by the browser only over HTTPS (or another secure transport). This protects only the cookie's confidentiality on the wire, nothing else.
  • HttpOnly: restricts the cookie to HTTP requests. It cannot be read through document.cookie, which stops an XSS payload from exfiltrating it (the script can still cause requests that carry it). A cookie can be both Secure and HttpOnly.
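The following Python is an added example, not code from the original article and not phpBB's or any browser's code: a minimal cookie store that applies the RFC 6265 rules just listed (default path, Max-Age over Expires, host-only versus Domain, Path, Secure, deletion by an already-expired Set-Cookie) and then replays the exchange from section 1.1. The Set-Cookie lines are copied from the capture above as constructed input; the sso_token cookie, the host a.website.com.cn and the look-alike host evilwebsite.com.cn are assumptions added to show the parent-domain sharing that same-domain SSO (section 3.2) relies on. HttpOnly is parsed but not enforced here because it only concerns script access, not what goes on the wire.

```python
"""Minimal RFC 6265 cookie store: parse Set-Cookie, then decide what goes into the Cookie header."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                  # host the cookie belongs to
    path: str
    expires: Optional[datetime]  # None = session cookie, dropped when the browser exits
    secure: bool = False
    http_only: bool = False
    host_only: bool = True       # True when the server sent no Domain attribute

def parse_set_cookie(header: str, host: str, request_path: str, now: datetime) -> Cookie:
    first, *attrs = header.split(";")
    name, _, value = first.partition("=")
    # default path (RFC 6265 5.1.4) is the request path up to, not including, its last '/'
    c = Cookie(name.strip(), value.strip(), host.lower(), request_path.rsplit("/", 1)[0] or "/", None)
    expires = max_age = None
    for attr in attrs:
        k, _, v = attr.strip().partition("=")
        k, v = k.lower(), v.strip()
        if k == "expires":
            try:
                expires = parsedate_to_datetime(v)
            except (TypeError, ValueError):
                continue  # unparsable date: the client ignores the attribute
            expires = expires if expires.tzinfo else expires.replace(tzinfo=timezone.utc)
        elif k == "max-age" and v.lstrip("-").isdigit(): max_age = int(v)
        elif k == "domain" and v: c.domain, c.host_only = v.lstrip(".").lower(), False
        elif k == "path" and v.startswith("/"): c.path = v
        elif k == "secure": c.secure = True
        elif k == "httponly": c.http_only = True
    if max_age is not None:      # Max-Age takes precedence over Expires
        c.expires = now + timedelta(seconds=max_age)
    elif expires is not None:
        c.expires = expires
    return c

def domain_match(host: str, c: Cookie) -> bool:
    host = host.lower()  # a look-alike such as evilwebsite.com.cn never ends with ".website.com.cn"
    return host == c.domain or (not c.host_only and host.endswith("." + c.domain))

def path_match(request_path: str, cookie_path: str) -> bool:
    return request_path == cookie_path or (request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

class CookieJar:
    def __init__(self) -> None:
        self._store: Dict[tuple, Cookie] = {}  # keyed by (name, domain, path)

    def receive(self, set_cookie: str, host: str, path: str, now: datetime) -> None:
        c = parse_set_cookie(set_cookie, host, path, now)
        key = (c.name, c.domain, c.path)
        if c.expires is not None and c.expires <= now:
            self._store.pop(key, None)  # an already-expired Set-Cookie is how a server deletes a cookie
        else:
            self._store[key] = c        # same name/domain/path: the new cookie replaces the old one

    def cookie_header(self, host: str, path: str, https: bool, now: datetime) -> str:
        sent = []
        for c in self._store.values():
            if (c.expires is not None and c.expires <= now) or not domain_match(host, c) or not path_match(path, c.path):
                continue
            if c.secure and not https: continue  # Secure cookies never go out over plain http
            sent.append(f"{c.name}={c.value}")   # only name=value travels back, never the attributes
        return "; ".join(sent)

# Constructed replay of the capture above; the Set-Cookie values are copied from the page.
NOW = datetime(2019, 10, 21, 3, 4, 44, tzinfo=timezone.utc)
HOST = "www.website.com.cn"
FIRST_RESPONSE = [
    "phpbb3_lhc4d_u=1; expires=Tue, 20-Oct-2020 03:04:44 GMT; path=/; domain=www.website.com.cn; HttpOnly",
    "phpbb3_lhc4d_k=; expires=Tue, 20-Oct-2020 03:04:44 GMT; path=/; domain=www.website.com.cn; HttpOnly",
    "phpbb3_lhc4d_sid=8fedbe0e849ab04df7a698b54d011b16; expires=Tue, 20-Oct-2020 03:04:44 GMT; path=/; domain=www.website.com.cn; HttpOnly",
]
LOGIN_RESPONSE = "phpbb3_lhc4d_sid=bdabd760e3a87aa6b0dfb517c8c7d90a; expires=Tue, 20-Oct-2020 03:05:48 GMT; path=/; domain=www.website.com.cn; HttpOnly"

def replay_capture() -> Dict[str, str]:
    jar = CookieJar()
    for sc in FIRST_RESPONSE:
        jar.receive(sc, HOST, "/bbs/", NOW)
    refresh = jar.cookie_header(HOST, "/bbs/", False, NOW)
    jar.receive(LOGIN_RESPONSE, HOST, "/bbs/ucp.php", NOW)  # login rotates the session id
    after_login = jar.cookie_header(HOST, "/bbs/index.php", False, NOW)
    # Hypothetical parent-domain cookie of the kind same-domain SSO (section 3.2) relies on.
    jar.receive("sso_token=abc; Domain=.website.com.cn; Path=/; Secure", HOST, "/", NOW)
    return {
        "refresh": refresh,
        "after_login": after_login,
        "subdomain_https": jar.cookie_header("a.website.com.cn", "/", True, NOW),
        "subdomain_http": jar.cookie_header("a.website.com.cn", "/", False, NOW),
        "lookalike": jar.cookie_header("evilwebsite.com.cn", "/", True, NOW),
        "a_year_later": jar.cookie_header(HOST, "/bbs/", True, NOW + timedelta(days=400)),
    }
```

replay_capture() reproduces the two Cookie request headers seen in the capture (the sid value changes in place after login because name, domain and path are the same), sends sso_token to a.website.com.cn only over HTTPS, withholds it from evilwebsite.com.cn, and drops the three phpBB cookies once their Expires date has passed while the session cookie sso_token is still sent.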

3. Cookie application scenarios

3.1 Maintaining HTTP session state

  • pure-cookie session management
  • the relatively safe cookie-based session mechanism (session identifier)

Functionally, either approach works. In practice, though, the size and count limits of cookies and the fact that the data sits on the client create security problems (it can be exposed to an attacker, or replayed by one). The general advice is therefore not to keep sensitive information in the cookie itself but to store only a session identifier (SessionID) in it; the server uses the SessionID to look up the current state. Using a session identifier is not risk-free either, but it is a clear improvement over the former.

As an analogy, let the browser be a natural person, the cookie an ID card, and the Web server the residents' registration office. The server (the office) is responsible for issuing the cookie (the ID card) to the browser (the person). Later session authentication relies on the session identifier saved in the browser's cookie (the name and number on the card); all sensitive information stays on the server side (at the office) rather than being handed to a third-party browser.
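The two designs compared above, as an added example in Python that is not phpBB's code and not the author's: design A keeps the state (the user id) in the cookie itself, design B keeps only an opaque session identifier in the cookie and the state in a server-side table. The user table, password and user id 77 are constructed (77 matches the phpbb3_lhc4d_u value issued after login in the capture, 1 the anonymous user); the function and variable names are assumptions. Design B also rotates the identifier at login, which is exactly what the capture shows the server doing with phpbb3_lhc4d_sid.

```python
"""Added example: state-in-cookie versus session-identifier sessions, as plain functions."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ANONYMOUS = 1  # the anonymous user id, as seen in phpbb3_lhc4d_u=1 in the capture
_SALT = b"demo-salt"  # constructed; a real deployment uses a random per-user salt
# Constructed user table: username -> (user id, PBKDF2 hash of the password)
USERS = {"alice": (77, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 50_000))}


def check_password(username: str, password: str) -> Optional[int]:
    """Return the user id on a correct password, None otherwise (constant-time compare)."""
    rec = USERS.get(username)
    if rec is None:
        return None
    uid, stored = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    return uid if hmac.compare_digest(candidate, stored) else None


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Pick one name=value pair out of a Cookie request header value."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


# Design A: "pure cookie" session. The state itself is the cookie, so the client can rewrite it.
def pure_cookie_login(username: str, password: str) -> Optional[str]:
    uid = check_password(username, password)
    return None if uid is None else f"user={uid}"


def pure_cookie_whoami(cookie_header: str) -> int:
    v = cookie_value(cookie_header, "user")
    return int(v) if v and v.isdigit() else ANONYMOUS  # the server trusts whatever the client sends


# Design B: only an opaque session identifier is in the cookie; all state stays on the server.
class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, int]] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, same width as the phpBB sid above
        self._sessions[sid] = {"user_id": ANONYMOUS}
        return sid

    def whoami(self, cookie_header: str) -> int:
        sid = cookie_value(cookie_header, "sid") or ""
        return self._sessions.get(sid, {}).get("user_id", ANONYMOUS)  # unknown or forged sid: anonymous

    def login(self, cookie_header: str, username: str, password: str) -> Optional[str]:
        uid = check_password(username, password)
        if uid is None:
            return None
        old_sid = cookie_value(cookie_header, "sid") or ""
        state = self._sessions.pop(old_sid, None) or {}  # retire the pre-login id, as the capture shows
        state["user_id"] = uid
        new_sid = secrets.token_hex(16)  # a fresh id after the privilege change defeats session fixation
        self._sessions[new_sid] = state
        return new_sid


def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    # A: editing the cookie is enough to become another user; no password is needed.
    out["pure_user"] = pure_cookie_whoami(pure_cookie_login("alice", "correct horse") or "")
    out["pure_tampered_user"] = pure_cookie_whoami("user=2")
    # B: without the server-side table a cookie value means nothing.
    store = SessionStore()
    sid = store.new_session()
    out["anon_user"] = store.whoami(f"sid={sid}")
    out["wrong_password"] = store.login(f"sid={sid}", "alice", "nope")
    new_sid = store.login(f"sid={sid}", "alice", "correct horse")
    out["sid_rotated"] = new_sid != sid
    out["session_user"] = store.whoami(f"sid={new_sid}")
    out["old_sid_user"] = store.whoami(f"sid={sid}")
    out["forged_sid_user"] = store.whoami("sid=" + "0" * 32)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

demo() shows the difference in one run: under design A the header user=2 is accepted as user 2 without any credential, while under design B a forged or stale sid maps to the anonymous user and only the identifier issued at login maps to user 77. What design B does not fix is theft: anyone who obtains the live sid (section 4) can replay it, which is why the identifier must be random, rotated at login and, in production, bound to a short lifetime.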

3.2 Cookie-based SSO (single sign-on)

SSO within one domain and across domains

Single sign-on within one domain is relatively simple. Set the cookie's domain attribute to the parent domain, e.g. .website.com.cn, and the cookie is shared by a.website.com.cn, b.website.com.cn, sso.website.com.cn and website.com.cn itself. One point deserves attention: the browser attaches a parent-domain cookie to requests for its subdomains, but a cookie set for one subdomain is not sent to the parent or to sibling subdomains. So, by convention, the cookie to be shared is written for the domain website.com.cn.

Figure 3 (image not reproduced)

That is the same-domain SSO flow. What about the cross-domain case? Continuing with the flow chart, compared with the same-domain case there are additional redirect hops.

Figure 4 (image not reproduced)

3.3 Tracking and analysing user behaviour

"Big data" has thrown off some old constraints: with the ability to analyse the complete data set, an accurate overall picture can be obtained instead of one built from random samples. In the Internet industry, big data shows up in the collection and analysis of users' online behaviour, and in the recommendations pushed on the back of it. Any discussion of collecting online behaviour data has to mention the irreplaceable role the cookie plays in it.

Client-side personalisation

A site's configuration parameters can be stored in the browser's cookies; when the client browser visits again, the site reads the cookies and restores the personalised settings directly. The limits are obvious: once the cookies expire, or the user switches to a new computer, the settings are gone. This suits casual visitors. Sites with member registration usually keep the configuration in the Web server's database, where it is persistent.

Search engines and targeted advertising

After you search for a product on a search engine or a shopping site, the advertising slots on other pages you browse afterwards tend to show that product or related items. Lend your computer to someone for a day, let them open the browser, and your privacy may well be exposed. It is very annoying, and it is the cookie's doing.

Figure 5 (image not reproduced)

Advertising networks' information promotion

There is another possibility: the page you opened very likely embeds an image known as a web bug. The image is transparent and a single pixel in size, which is why it is called a pixel code. Its job is to set a custom cookie in every client that has visited the page (collecting the user's interests and habits across different sites). Because the image is served from the advertising network's own domain, the cookie belongs to that domain rather than to the page, which is how one network recognises the same browser on unrelated sites. When you then visit a shopping site that works with the online advertising network, those cookies are read and used to target the advertisements. The whole process is similar to the search-engine and targeted-advertising case above, so it is not repeated here.

4. Cookie security

As a security practitioner who has worked with the HTTP protocol for many years, I cannot help discussing this topic:

We know cookies are stored on the user's machine and maintained by each browser. Take Chrome: the user can type chrome://settings/siteData into the address bar to view the stored cookies; this goes through the browser's own API, and the full original value is shown. To get at the data another way, chrome://version/ reveals the profile path, and a closer look shows that %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies is the cookie store (newer Chrome versions keep it under Default\Network\Cookies). It is a lightweight SQLite database; open it with a tool and query for rows whose domain contains baidu, and all of them come out, as in the picture below. Notice that some of the name=value values are stored encrypted by the browser: Chrome keeps such ciphertext in a separate encrypted_value column, protected with a key held by the operating system (DPAPI on Windows).

Figure 6 (image not reproduced)
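The query from the picture, as an added example in Python using only the standard sqlite3 module; this is not the article's or Chrome's code. The table is a constructed, simplified subset of Chrome's cookies table (the column names are assumed from Chrome's schema; the real file has many more) filled with made-up rows, so the script runs offline. Against a real profile, copy the Cookies file first, since Chrome holds it open, and expect the value column to be empty wherever encrypted_value is set; decrypting that blob needs the OS-held key and is not attempted here. The detail worth knowing is the expires_utc column: Chrome stores microseconds since 1601-01-01 UTC, not a Unix timestamp, and 0 marks a session cookie.

```python
"""Added example: read the cookies of one domain out of a Chrome-style Cookies SQLite file."""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome times are microseconds since 1601-01-01 UTC


def chrome_time_to_datetime(us: int) -> Optional[datetime]:
    return None if us == 0 else WEBKIT_EPOCH + timedelta(microseconds=us)  # 0 marks a session cookie


def datetime_to_chrome_time(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Assumed subset of the columns in Chrome's `cookies` table; the real file has more.
SCHEMA = """
CREATE TABLE cookies (
    host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL,
    encrypted_value BLOB DEFAULT '', path TEXT NOT NULL, expires_utc INTEGER NOT NULL,
    is_secure INTEGER NOT NULL, is_httponly INTEGER NOT NULL)"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed rows standing in for a copied Cookies file (Chrome locks the live one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    expiry = datetime_to_chrome_time(datetime(2020, 10, 20, 3, 4, 44, tzinfo=timezone.utc))
    rows = [
        # When Chrome encrypts the value on disk, `value` is empty and `encrypted_value` holds the ciphertext
        # (constructed bytes here; the real blob is only readable with the OS-held key).
        (".baidu.com", "BAIDUID", "", b"v10" + b"\x00" * 28, "/", expiry, 0, 0),
        ("www.baidu.com", "BD_UPN", "12314753", b"", "/", expiry, 0, 0),
        ("www.website.com.cn", "phpbb3_lhc4d_sid", "8fedbe0e849ab04df7a698b54d011b16", b"", "/", expiry, 0, 1),
        ("www.website.com.cn", "tmp", "x", b"", "/bbs", 0, 1, 0),  # session cookie: expires_utc = 0
    ]
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


def list_cookies(conn: sqlite3.Connection, domain_fragment: str) -> List[Dict[str, object]]:
    """Cookies whose host_key contains the fragment; the fragment is bound, never interpolated."""
    query = ("SELECT host_key, name, value, encrypted_value, path, expires_utc, is_secure, is_httponly "
             "FROM cookies WHERE host_key LIKE ? ORDER BY host_key, name")
    result = []
    for host, name, value, enc, path, exp, secure, httponly in conn.execute(query, (f"%{domain_fragment}%",)):
        when = chrome_time_to_datetime(exp)
        result.append({
            "host": host, "name": name, "path": path,
            "value": value if value else f"<encrypted, {len(enc)} bytes, needs the OS key>",
            "expires": when.isoformat() if when else "session",
            "secure": bool(secure), "httponly": bool(httponly),
        })
    return result


if __name__ == "__main__":
    for row in list_cookies(build_sample_db(), "baidu"):
        print(row)
```

Run as a script it prints the two baidu rows, one of them only as an encrypted placeholder. For incident response the same query over a copied profile answers "which sessions did this machine hold, and until when"; the expiry conversion is what turns the 17-digit expires_utc numbers into dates.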

Having covered Chrome's local storage, consider the cookie's own nature. A cookie can record the user's account ID, password or SessionID, and this information may or may not be encrypted. Encrypted storage only shows that some security homework was done; once an attacker has intercepted the cookie (by sniffing the traffic, or via XSS), whether it is encrypted hardly matters. The attacker does not need to understand the contents: replaying the cookie to the server is enough to act with the victim's privileges. The related entries on these security issues (see Ref 1) are worth reading.

(Yi Shuguo | Tiancun information)

Ref

  1. Cookie (data stored on the user's local terminal) - encyclopedia entry
  2. HTTP State Management Mechanism - RFC 6265

Copyright notice
This article was created by Tiancun information; please include the original link when reposting.
https://yzsam.com/2021/06/20210621114621228f.html