A Brief Discussion of Cookies

Notes on Cookie

First, look at the source code (the class-level Javadoc and fields of javax.servlet.http.Cookie):

/**
 *
 * Creates a cookie, a small amount of information sent by a servlet to
 * a Web browser, saved by the browser, and later sent back to the server.
 * A cookie's value can uniquely
 * identify a client, so cookies are commonly used for session management.
 *
 * <p>A cookie has a name, a single value, and optional attributes
 * such as a comment, path and domain qualifiers, a maximum age, and a
 * version number. Some Web browsers have bugs in how they handle the
 * optional attributes, so use them sparingly to improve the interoperability
 * of your servlets.
 *
 * <p>The servlet sends cookies to the browser by using the
 * {@link HttpServletResponse#addCookie} method, which adds
 * fields to HTTP response headers to send cookies to the
 * browser, one at a time. The browser is expected to
 * support 20 cookies for each Web server, 300 cookies total, and
 * may limit cookie size to 4 KB each.
 *
 * <p>The browser returns cookies to the servlet by adding
 * fields to HTTP request headers. Cookies can be retrieved
 * from a request by using the {@link HttpServletRequest#getCookies} method.
 * Several cookies might have the same name but different path attributes.
 *
 * <p>Cookies affect the caching of the Web pages that use them.
 * HTTP 1.0 does not cache pages that use cookies created with
 * this class. This class does not support the cache control
 * defined with HTTP 1.1.
 *
 * <p>This class supports both the Version 0 (by Netscape) and Version 1
 * (by RFC 2109) cookie specifications. By default, cookies are
 * created using Version 0 to ensure the best interoperability.
 *
 *
 * @author Various
 */
// XXX would implement java.io.Serializable too, but can't do that
// so long as sun.servlet.* must run on older JDK 1.02 JVMs which
// don't include that support.
public class Cookie implements Cloneable {
    private static final String LSTRING_FILE =
        "javax.servlet.http.LocalStrings";
    private static ResourceBundle lStrings =
        ResourceBundle.getBundle(LSTRING_FILE);

    //
    // The value of the cookie itself.
    //

    private String name;        // NAME= ... "$Name" style is reserved
    private String value;       // value of NAME

    //
    // Attributes encoded in the header's cookie fields.
    //

    private String comment;     // ;Comment=VALUE ... describes cookie's use
                                // ;Discard ... implied by maxAge < 0
    private String domain;      // ;Domain=VALUE ... domain that sees cookie
    private int maxAge = -1;    // ;Max-Age=VALUE ... cookies auto-expire
    private String path;        // ;Path=VALUE ... URLs that see the cookie
    private boolean secure;     // ;Secure ... e.g. use SSL
    private int version = 0;    // ;Version=1 ... means RFC 2109++ style

    // ... (remainder of the class not shown here)



1. Comparison with Session
Ten years ago, when business logic still ran on single machines and clusters were rare, Session was widely used. Today almost every service is deployed as a cluster, and because keeping in-memory state synchronized across nodes is costly, session is rarely used any more. HTTP is stateless; to retain user information you use a session conversation. There is plenty of material online, so I will not repeat it here.

2. API
Too simple to be worth discussing.

3. Attributes
Attributes: name and value
Some people think of a cookie as a map, with name as the key and value as the map's value.
But Cookie itself is an array, a Cookie[].
So the key can repeat. Since cookies are nonetheless often used as if they were a map, it is advisable to wrap cookie operations in a helper.

Attribute: comment
Just a description of the stored key/value pair. Nothing special.

Attribute: maxAge
The cookie's lifetime. The default is -1, which means the cookie expires when the browser is closed.
The unit is ??; when it is greater than zero, the cookie remains valid even after the browser is closed.
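The helper recommended above, as an added example written for this page (it is not part of the servlet API or of the original post). It reads the Cookie[] into a map that keeps every value for a repeated name, and it sends cookies with the Secure flag from the source excerpt above plus HttpOnly (Servlet 3.0+ is assumed for setHttpOnly). The servlet API's setMaxAge takes seconds: -1 is a session cookie, 0 deletes the cookie, and a positive value persists it for that many seconds.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical helper; assumes the servlet API (javax.servlet) is on the classpath.
public final class CookieUtil {
    private CookieUtil() {}

    // Group request cookies by name. Cookie[] may hold several cookies with the
    // same name (different Path), so every value is kept rather than the last one.
    public static Map<String, List<String>> toMultiMap(HttpServletRequest request) {
        Map<String, List<String>> result = new LinkedHashMap<>();
        Cookie[] cookies = request.getCookies();   // null when the request has no Cookie header
        if (cookies == null) {
            return result;
        }
        for (Cookie c : cookies) {
            result.computeIfAbsent(c.getName(), k -> new ArrayList<>()).add(c.getValue());
        }
        return result;
    }

    // First value for a name, or null. Browsers list the cookie with the more
    // specific Path first, so this is the most specific match.
    public static String firstValue(HttpServletRequest request, String name) {
        List<String> values = toMultiMap(request).getOrDefault(name, Collections.emptyList());
        return values.isEmpty() ? null : values.get(0);
    }

    // Send a cookie. maxAgeSeconds: -1 = session cookie (gone when the browser
    // closes), 0 = delete now, > 0 = persist for that many seconds.
    public static void add(HttpServletResponse response, String name, String value,
                           int maxAgeSeconds) {
        Cookie c = new Cookie(name, value);
        c.setMaxAge(maxAgeSeconds);
        c.setPath("/");
        c.setSecure(true);     // only sent over HTTPS
        c.setHttpOnly(true);   // Servlet 3.0+: not readable from page scripts
        response.addCookie(c);
    }

    // Deleting a cookie means re-sending it with Max-Age 0 and the same Path.
    public static void delete(HttpServletResponse response, String name) {
        add(response, name, "", 0);
    }
}
```

Reading through toMultiMap instead of a plain name-to-value map avoids silently overwriting one cookie with another of the same name, which is exactly the pitfall the paragraph above describes.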

Attribute: version
An int ASCII value, following the RFC standard.
RFC documents are plain ASCII text files.
RFC https://zh.wikipedia.org/wiki/RFC#RFC.E6.96.87.E4.BB.B6.E7.9A.84.E6.9E.B6.E6.A7.8B

Attribute: path
I will not belabor it; here is the description from the source (the Javadoc of setPath):

    /**
     * Specifies a path for the cookie
     * to which the client should return the cookie.
     *
     * <p>The cookie is visible to all the pages in the directory
     * you specify, and all the pages in that directory's subdirectories.
     * A cookie's path must include the servlet that set the cookie,
     * for example, /catalog, which makes the cookie
     * visible to all directories on the server under /catalog.
     *
     * <p>Consult RFC 2109 (available on the Internet) for more
     * information on setting path names for cookies.
     */



The last attribute to cover: domain
Reference: http://blog.csdn.net/alexxu1988/article/details/47805205

    /**
     * Specifies the domain within which this cookie should be presented.
     *
     * <p>The form of the domain name is specified by RFC 2109. A domain
     * name begins with a dot (.foo.com) and means that
     * the cookie is visible to servers in a specified Domain Name System
     * (DNS) zone (for example, www.foo.com, but not
     * a.b.foo.com). By default, cookies are only returned
     * to the server that sent them.
     */

There is quite a lot to know about domain.
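To make the path and domain scoping rules quoted above concrete, here is an added example (written for this page, not code from the servlet API) that decides whether a cookie with a given Domain and Path would be returned to a request, following the RFC 2109 rules exactly as the two Javadoc comments state them: a leading-dot domain matches one additional host label, no Domain means host-only, and the request path must equal the cookie path or lie beneath it. The host names are constructed sample values.

```java
import java.util.Locale;

// Hypothetical scope matcher implementing the RFC 2109 rules described in the Javadoc.
public final class CookieScope {
    private final String domain; // e.g. ".foo.com"; null = only the host that set it
    private final String path;   // e.g. "/catalog"

    public CookieScope(String domain, String path) {
        this.domain = domain == null ? null : domain.toLowerCase(Locale.ROOT);
        this.path = (path == null || path.isEmpty()) ? "/" : path;
    }

    // ".foo.com" matches www.foo.com (exactly one extra label) but not a.b.foo.com.
    // Without a Domain attribute only the host that sent the cookie qualifies.
    public boolean domainMatches(String requestHost, String sendingHost) {
        String host = requestHost.toLowerCase(Locale.ROOT);
        if (domain == null) {
            return host.equals(sendingHost.toLowerCase(Locale.ROOT));
        }
        if (!domain.startsWith(".") || !host.endsWith(domain)) {
            return false;
        }
        String prefix = host.substring(0, host.length() - domain.length());
        return !prefix.isEmpty() && prefix.indexOf('.') < 0;
    }

    // The request path must be the cookie path itself or a sub-path of it;
    // "/catalogue" must not match a cookie scoped to "/catalog".
    public boolean pathMatches(String requestPath) {
        if (requestPath.equals(path)) {
            return true;
        }
        if (!requestPath.startsWith(path)) {
            return false;
        }
        return path.endsWith("/") || requestPath.charAt(path.length()) == '/';
    }

    public boolean sentTo(String requestHost, String sendingHost, String requestPath) {
        return domainMatches(requestHost, sendingHost) && pathMatches(requestPath);
    }

    public static void main(String[] args) {
        // Constructed sample hosts and paths.
        CookieScope catalog = new CookieScope(".foo.com", "/catalog");
        System.out.println("www.foo.com  /catalog/item : "
            + catalog.sentTo("www.foo.com", "www.foo.com", "/catalog/item"));
        System.out.println("a.b.foo.com  /catalog/item : "
            + catalog.sentTo("a.b.foo.com", "www.foo.com", "/catalog/item"));
        System.out.println("www.foo.com  /catalogue    : "
            + catalog.sentTo("www.foo.com", "www.foo.com", "/catalogue"));

        CookieScope hostOnly = new CookieScope(null, "/");
        System.out.println("shop.foo.com host-only     : "
            + hostOnly.sentTo("shop.foo.com", "www.foo.com", "/"));
    }
}
```

One caveat worth knowing when reasoning about scope: current browsers follow RFC 6265 rather than RFC 2109, where a leading dot in Domain is ignored and a Domain of foo.com matches every subdomain at any depth. The narrow matching above is what the quoted Javadoc promises, not what every client enforces, so a cookie that must stay private to one host should simply omit the Domain attribute.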

One last point
Cookies are not secure
Cookies can be tampered with and forged, because they live on the client. I previously forged a cookie for site A locally, and that cookie could be used directly against the real site A. So why still use cookies? Because they are convenient.
My advice: do not put sensitive information in cookies; things like passwords should never go into a cookie. Any token stored there must also be verified on the back end. The technical bar for cookie attacks is very low.
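One form the back-end check mentioned above can take, as an added example that is not part of the original post: the server signs the cookie value with an HMAC over a secret it never sends to the client, and on every request recomputes the MAC and compares it in constant time. A value edited on the client then fails verification instead of being trusted. Only the JDK is used; the demo key and the "user=42" payload are constructed sample values.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper: cookie value = payload "." base64url(HMAC-SHA256(payload)).
public final class SignedCookieValue {
    private static final String ALG = "HmacSHA256";
    private final byte[] key; // server-side secret; never leaves the server

    public SignedCookieValue(byte[] key) {
        this.key = key.clone();
    }

    // Produce the value to store in the cookie.
    public String sign(String payload) {
        String mac = Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(payload));
        return payload + "." + mac;
    }

    // Returns the payload when the signature checks out, otherwise null.
    public String verify(String cookieValue) {
        if (cookieValue == null) {
            return null;
        }
        int dot = cookieValue.lastIndexOf('.');   // payload itself may contain dots
        if (dot < 0) {
            return null;
        }
        String payload = cookieValue.substring(0, dot);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(cookieValue.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                          // not even valid base64url
        }
        // Constant-time comparison so response timing does not leak how many bytes matched.
        return MessageDigest.isEqual(hmac(payload), presented) ? payload : null;
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo key; a real deployment loads it from a secret store.
        SignedCookieValue signer =
            new SignedCookieValue("demo-secret-change-me".getBytes(StandardCharsets.UTF_8));
        String cookie = signer.sign("user=42");
        String forged = "user=1" + cookie.substring(cookie.indexOf('.'));  // edited payload, old MAC
        System.out.println("original verifies as: " + signer.verify(cookie));
        System.out.println("forged   verifies as: " + signer.verify(forged));
    }
}
```

Signing only proves the value was issued by the server; it does not stop someone who copies a valid cookie from replaying it, which is the scenario the author describes. For that reason a signed payload should also carry an expiry, and anything identifying a session is better kept as a random identifier looked up on the server, with the signed cookie holding nothing a reader could exploit on its own.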
