# HTTP Cookie

Issue opened by successgo
## Cookie: the old and the future

References:

- Wikipedia: https://en.wikipedia.org/wiki/HTTP_cookie
- RFC 2109: https://tools.ietf.org/html/rfc2109
- RFC 2965: https://tools.ietf.org/html/rfc2965
- RFC 6265: https://tools.ietf.org/html/rfc6265
## Terminology

### Session cookie

The session id is stored in the cookie. A session cookie is deleted after the user closes the browser.

### Persistent cookie

A cookie with an expiration.

### Secure cookie

Carries the `Secure` flag; the browser only sends it over HTTPS.

### Http-only cookie

Carries the `HttpOnly` flag; scripting languages such as JavaScript cannot read or modify this kind of cookie.

### Same-site cookie

Supported from Chrome version 51.

### Third-party cookie
## Cookie structure

- Name
- Value
- Zero or more attributes. Attributes store information such as the cookie's expiration, domain and flags (such as `Secure`, `HttpOnly`).
## Cookie implementation

Browsers are required to support:

- cookies as large as 4096 bytes in size
- 50 cookies per domain (i.e. per website)
- 3000 cookies in total
### Set a cookie

Cookies are set using the `Set-Cookie` HTTP header, sent in an HTTP response from the web server.

A cookie value has its own limitation: it may consist of any printable ASCII character (`!` through `~`, Unicode \u0021 through \u007e) excluding `,`, `;` and whitespace characters. A cookie name also has its own limitation: it excludes the same characters, as well as `=`.
### Cookie attributes

Browsers only send a cookie's name and value. Cookie attributes are used by browsers to determine when to delete a cookie, when to block a cookie, and whether to send a cookie to the server.

#### Domain and Path

The `Domain` and `Path` attributes define the scope of the cookie.

#### Expires and Max-Age

The `Expires` attribute defines a specific date and time at which the browser should delete the cookie. Alternatively, the `Max-Age` attribute can be used to set the cookie's expiration as an interval of seconds in the future, relative to the time the browser received the cookie.

#### Secure and HttpOnly

The `Secure` and `HttpOnly` attributes do not have associated values.
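The following is an added example (not part of this issue) that ties the structure, the name/value character rules and the attributes above together: it parses a `Set-Cookie` header value, rejects names and values that use the excluded characters, and classifies the cookie with the terminology from this page. The sample headers are constructed; only the standard library is used.

```python
import re

# Characters the notes above allow in a cookie value: printable ASCII
# (0x21 through 0x7E) excluding ',' ';' and whitespace; a cookie name
# additionally excludes '='.
_PRINTABLE_RE = re.compile(r'^[\x21-\x7e]*$')

def valid_value(s):
    return bool(_PRINTABLE_RE.match(s)) and ',' not in s and ';' not in s

def valid_name(s):
    return bool(s) and valid_value(s) and '=' not in s

def parse_set_cookie(header):
    """Split one Set-Cookie header value into name, value and attributes.
    Attributes are keyed by lower-cased name; value-less flags map to None."""
    parts = [p.strip() for p in header.split(';')]
    name, sep, value = parts[0].partition('=')
    if not sep:
        raise ValueError('cookie pair must be name=value')
    name, value = name.strip(), value.strip()
    if not valid_name(name) or not valid_value(value):
        raise ValueError('invalid character in cookie name or value')
    attrs = {}
    for attr in parts[1:]:
        if attr:
            k, sep, v = attr.partition('=')
            attrs[k.strip().lower()] = v.strip() if sep else None
    return name, value, attrs

def audit(header):
    """Classify a cookie with the terminology above; None means 'not set'."""
    name, _, a = parse_set_cookie(header)
    return {
        'name': name,
        'kind': 'persistent' if ('expires' in a or 'max-age' in a) else 'session',
        'secure': 'secure' in a,
        'httponly': 'httponly' in a,
        'samesite': a.get('samesite'),
        'scope': (a.get('domain'), a.get('path')),
    }

# Constructed sample headers, not captured from any real server.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "theme=dark; Max-Age=2592000; Path=/",
    "tracker=xyz; Domain=.example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]

if __name__ == '__main__':
    for h in SAMPLE_HEADERS:
        print(audit(h))
```

Attribute values such as the `Expires` date are not checked against the name/value character rules, since those rules apply only to the cookie pair itself.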