随记Cookie
先看源码
[b]第一 与Session的比较 [/b]
十年前还单机处理业务,集群还不多的时候,Session用的还比较多,现在随便个服务都集群部署,考虑到多节点内存同步,都不太使用session。http是无状态的,保留用户信息用,采用session会话。网上资料太多,不再赘述。
[b]第二 API[/b]
太简单,不再赘述
[b]第二 属性信息[/b]
属性:name value
有人把cookie理解成map,name 相当key, value 相当 map里的value.
但本身Cookie是个数组。是个Cookie[]
所以这个key是可以重复的。但又经常把cookie当成map使用,所以建议把cookie操作封装下。
属性 comment
就是存储key value 的描述。没什么特别的。
属性 maxAge
cookie的生命周期,默认-1,即关闭浏览器,cookie失效。
单位是??,大于零,即使cookie关闭,cookie依然生效。
属性 version
int ASSIC 数值,准照RFC 标准。
RFC文件是纯ASCII文字档格式
RFC [url]https://zh.wikipedia.org/wiki/RFC#RFC.E6.96.87.E4.BB.B6.E7.9A.84.E6.9E.B6.E6.A7.8B[/url]
属性 path
不瞎逼逼了,附上源码描述把
最后讲的属性 domain
参考文档:[url]http://blog.csdn.net/alexxu1988/article/details/47805205[/url]
domain的知识点比较多。
最后一点
[b]cookie 是不安全的[/b]
cookie是可以篡改,模拟的。因为是在客户端,之前我本地模拟了A站点的cookie, 用这个cookie是可以直接供真正的A站点使用的。那为什么还要用cookie.方便呀。
建议cookie存放的信息不是敏感信息,像密码这类东西就不要考虑放到cookie.存放的token 后台也要加个校验。cookie攻击的技术门槛是很低的。
先看源码
/**
*
* Creates a cookie, a small amount of information sent by a servlet to
* a Web browser, saved by the browser, and later sent back to the server.
* A cookie's value can uniquely
* identify a client, so cookies are commonly used for session management.
*
* <p>A cookie has a name, a single value, and optional attributes
* such as a comment, path and domain qualifiers, a maximum age, and a
* version number. Some Web browsers have bugs in how they handle the
* optional attributes, so use them sparingly to improve the interoperability
* of your servlets.
*
* <p>The servlet sends cookies to the browser by using the
* {@link HttpServletResponse#addCookie} method, which adds
* fields to HTTP response headers to send cookies to the
* browser, one at a time. The browser is expected to
* support 20 cookies for each Web server, 300 cookies total, and
* may limit cookie size to 4 KB each.
*
* <p>The browser returns cookies to the servlet by adding
* fields to HTTP request headers. Cookies can be retrieved
* from a request by using the {@link HttpServletRequest#getCookies} method.
* Several cookies might have the same name but different path attributes.
*
* <p>Cookies affect the caching of the Web pages that use them.
* HTTP 1.0 does not cache pages that use cookies created with
* this class. This class does not support the cache control
* defined with HTTP 1.1.
*
* <p>This class supports both the Version 0 (by Netscape) and Version 1
* (by RFC 2109) cookie specifications. By default, cookies are
* created using Version 0 to ensure the best interoperability.
*
*
* @author Various
*/
// XXX would implement java.io.Serializable too, but can't do that
// so long as sun.servlet.* must run on older JDK 1.02 JVMs which
// don't include that support.
public class Cookie implements Cloneable {
private static final String LSTRING_FILE =
"javax.servlet.http.LocalStrings";
private static ResourceBundle lStrings =
ResourceBundle.getBundle(LSTRING_FILE);
//
// The value of the cookie itself.
//
private String name; // NAME= ... "$Name" style is reserved
private String value; // value of NAME
//
// Attributes encoded in the header's cookie fields.
//
private String comment; // ;Comment=VALUE ... describes cookie's use
// ;Discard ... implied by maxAge < 0
private String domain; // ;Domain=VALUE ... domain that sees cookie
private int maxAge = -1; // ;Max-Age=VALUE ... cookies auto-expire
private String path; // ;Path=VALUE ... URLs that see the cookie
private boolean secure; // ;Secure ... e.g. use SSL
private int version = 0; // ;Version=1 ... means RFC 2109++ style
[b]第一 与Session的比较 [/b]
十年前还单机处理业务,集群还不多的时候,Session用的还比较多,现在随便个服务都集群部署,考虑到多节点内存同步,都不太使用session。http是无状态的,保留用户信息用,采用session会话。网上资料太多,不再赘述。
[b]第二 API[/b]
太简单,不再赘述
[b]第二 属性信息[/b]
属性:name value
有人把cookie理解成map,name 相当key, value 相当 map里的value.
但本身Cookie是个数组。是个Cookie[]
所以这个key是可以重复的。但又经常把cookie当成map使用,所以建议把cookie操作封装下。
属性 comment
就是存储key value 的描述。没什么特别的。
属性 maxAge
cookie的生命周期,默认-1,即关闭浏览器,cookie失效。
单位是??,大于零,即使cookie关闭,cookie依然生效。
属性 version
int ASSIC 数值,准照RFC 标准。
RFC文件是纯ASCII文字档格式
RFC [url]https://zh.wikipedia.org/wiki/RFC#RFC.E6.96.87.E4.BB.B6.E7.9A.84.E6.9E.B6.E6.A7.8B[/url]
属性 path
不瞎逼逼了,附上源码描述把
* Specifies a path for the cookie
* to which the client should return the cookie.
*
* <p>The cookie is visible to all the pages in the directory
* you specify, and all the pages in that directory's subdirectories.
* A cookie's path must include the servlet that set the cookie,
* for example, <i>/catalog</i>, which makes the cookie
* visible to all directories on the server under <i>/catalog</i>.
*
* <p>Consult RFC 2109 (available on the Internet) for more
* information on setting path names for cookies.最后讲的属性 domain
参考文档:[url]http://blog.csdn.net/alexxu1988/article/details/47805205[/url]
* Specifies the domain within which this cookie should be presented.
*
* <p>The form of the domain name is specified by RFC 2109. A domain
* name begins with a dot (<code>.foo.com</code>) and means that
* the cookie is visible to servers in a specified Domain Name System
* (DNS) zone (for example, <code>www.foo.com</code>, but not
* <code>a.b.foo.com</code>). By default, cookies are only returned
* to the server that sent them.
domain的知识点比较多。
最后一点
[b]cookie 是不安全的[/b]
cookie是可以篡改,模拟的。因为是在客户端,之前我本地模拟了A站点的cookie, 用这个cookie是可以直接供真正的A站点使用的。那为什么还要用cookie.方便呀。
建议cookie存放的信息不是敏感信息,像密码这类东西就不要考虑放到cookie.存放的token 后台也要加个校验。cookie攻击的技术门槛是很低的。
9207
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
