惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Security Affairs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Jina AI
Jina AI
P
Palo Alto Networks Blog
GbyAI
GbyAI
大猫的无限游戏
大猫的无限游戏
A
Arctic Wolf
Hugging Face - Blog
Hugging Face - Blog
小众软件
小众软件
Y
Y Combinator Blog
T
The Blog of Author Tim Ferriss
Blog — PlanetScale
Blog — PlanetScale
S
Schneier on Security
V
Vulnerabilities – Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
雷峰网
雷峰网
T
Tenable Blog
人人都是产品经理
人人都是产品经理
T
Tor Project blog
C
Cyber Attacks, Cyber Crime and Cyber Security
AWS News Blog
AWS News Blog
Microsoft Security Blog
Microsoft Security Blog
J
Java Code Geeks
Scott Helme
Scott Helme
SecWiki News
SecWiki News
C
CERT Recently Published Vulnerability Notes
Recorded Future
Recorded Future
I
InfoQ
Security Archives - TechRepublic
Security Archives - TechRepublic
Help Net Security
Help Net Security
Cloudbric
Cloudbric
C
Check Point Blog
Engineering at Meta
Engineering at Meta
TaoSecurity Blog
TaoSecurity Blog
B
Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园_首页
N
News and Events Feed by Topic
云风的 BLOG
云风的 BLOG
MyScale Blog
MyScale Blog
腾讯CDC
量子位
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
Kaspersky official blog
Vercel News
Vercel News
F
Full Disclosure
T
Troy Hunt's Blog
Forbes - Security
Forbes - Security
S
Security @ Cisco Blogs

博客园 - Frodo

北京骗子花样——母婴篇 MSN的弹出页面里面也有病毒,当心 makefile学习笔记 Base-from-Member 惯用法(转) boost.asio库学习笔记—— receive和read的区别: 手动安装boost库 http://www.taobao.com Sample OpenVPN 2.0 config file 配置文件的简单翻译 - Frodo 奥运节目主持人爆笑口误 转——让IRIS嗅探器可以在Win2003 SP1上运行 转 —— http cookie 在多个进程间共享内核对象时的安全性 进程间数据通讯要注意的问题 不要混合使用运行时库的静态版本和动态版本!!!! Linux下面如何进行C语言编程技术教程 linux command 最简单的办法,不用安装任何软件,就屏蔽ClickEye(点睛广告) 如何关闭 FlashGet 右侧的网页 老陈学 C++ 序列之二: 友元函数
HTTP Cookies 扫盲
Frodo · 2008-04-26 · via 博客园 - Frodo

Http cookies provide the server with a mechanism to store and retrieve state information on the client application's system. This mechanism allows Web-based applications the ability to store information about selected items, user preferences, registration information, and other information that can be retrieved later.

Cookie-Related Headers

There are two headers, Set-Cookie and Cookie, that are related to cookies. The Set-Cookie header is sent by the server in response to an HTTP request, which is used to create a cookie on the user's system. The Cookie header is included by the client application with an HTTP request sent to a server, if there is a cookie that has a matching domain and path.

Set-Cookie Header

The Set-Cookie response header uses the following format:

 Set-Cookie: <name>=<value>[; <name>=<value>]...
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; httponly]

One or more string sequences (separated by semicolons) that follow the pattern name=value must be included in the Set-Cookie response header. The server can use these string sequences to store data on the client's system.

The expiration date is set by using the format expires=date, where date is the expiration date in Greenwich Mean Time (GMT). If the expiration date is not set, the cookie expires after the Internet session ends. Otherwise, the cookie is persisted in the cache until the expiration date. The date must follow the format DAY, DD-MMM-YYYYHH:MM:SS GMT, where DAY is the day of the week (Sun, Mon, Tue, Wed, Thu, Fri, Sat), DD is the day in the month (such as 01 for the first day of the month), MMM is the three-letter abbreviation for the month (Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec), YYYY is the year, HH is the hour value in military time (22 would be 10:00 P.M., for example), MM is the minute value, and SS is the second value.

Specifying the domain name, using the pattern domain=domain_name, is optional for persistent cookies and is used to indicate the end of the domain for which the cookie is valid. Session cookies that specify a domain are rejected. If the specified domain name ending matches the request, the cookie tries to match the path to determine if the cookie should be sent. For example, if the domain name ending is .microsoft.com, requests to home.microsoft.com and support.microsoft.com would be checked to see if the specified pattern matches the request. The domain name must have at least two or three periods in it to prevent cookies from being set for widely used domain name endings, such as .com, .edu, and co.jp. Allowable domain names would be similar to .microsoft.com, .someschool.edu, and .someserver.co.jp. Only hosts within the specified domain can set a cookie for a domain.

Setting the path, using the pattern path=some_path, is optional and can be used to specify a subset of the URLs for which the cookie is valid. If a path is specified, the cookie is considered valid for any requests that match that path. For example, if the specified path is /example, requests with the paths /examplecode and /example/code.htm would match. If no path is specified, the path is assumed to be the path of the resource associated with the Set-Cookie header.

The cookie can also be marked as secure, which specifies that the cookie can be sent only to https servers.

Finally, a cookie can be marked as HttpOnly (attributes are not case-sensitive), to indicate that the cookie is non-scriptable and should not be revealed to the client application, for security reasons. Within Windows Internet, this means that the cookie cannot be retrieved through the InternetGetCookie function.

Cookie Header

The Cookie header is included with any HTTP requests that have a cookie whose domain and path match the request. The Cookie header has the following format:

 Cookie: <name>=<value> [;<name>=<value>]...

One or more string sequences, using the format name=value, contain the information that was set in the cookie.

Generating Cookies

There are three methods for generating cookies for Microsoft Internet Explorer: using Microsoft JScript, using the WinINet functions, and using a CGI script. All of the methods need to set the information that is included in the Set-Cookie header.

Generating a Cookie Using the DHTML Object Model

Using the Dynamic HTML (DHTML) object model, cookies can be set by calling the cookie property of the document object, as shown in the following example.

 <SCRIPT language="JavaScript">
<!--
document.cookie = "SomeValueName = Some_Value";
-->
</SCRIPT>

Generating a Cookie Using the WinInet Functions

Cookies can be created by applications using the InternetSetCookie function. For more information, see Setting a Cookie.

Generating a Cookie Using a CGI Script

Cookies are generated by including a Set-Cookie header as part of a CGI script included in the HTTP response to a request.

The following example is a CGI script that includes a Set-Cookie header using Perl.

print "Set-Cookie:Test=test_value;
expires=Sat, 01-Jan-2000 00:00:00 GMT;
path=/;"

Send comments about this topic to Microsoft

Build date: 2/28/2008