(044) 362 48 16 (098) 294 41 60
|
|
|
What is a cookie
After the emergence of the Web and the introduction of HTML pages масового developers were faced with a serious problem - nevozmzhnostyu consecutive tracking user requests. The thing is that once the browser sent a request and received a reply, HTTP connectione rose, and more about the user nobody knows nothing. The company Netscape Communications has developed a new technology Cookies and implemented it in their Web servers (Web Planet) and browsers (Netscape Navigator). Later, almost all servers and browsers started to support cookies
Cook - This information is stored in the browser (originally in the NN - file cookies.txt) and each time passed from the client to a server with the request and other headers (HTTP Request Headers). Thus in subsequent requests the server can get the values set for visitsgovernmental earlier pages.
Also, read the RFC2965, RFC2109
<h6> Syntax Set-Cookie response header </ h6>
<pre> set-cookie = "Set-Cookie:" cookies
cookies = 1 # cookie
cookie = NAME "=" VALUE *(";" cookie-av)
NAME = attr
VALUE = value
cookie-av = "Comment" "=" value
| "Domain" "=" value
| "Max-Age" "=" value
| "Path" "=" value
| "Secure"
| "Version" "=" 1 * DIGIT </ pre>
Informally, Set-Cookie header includes the selected Set-Cookie:, followed by a list of one or more Cook. Each Cook begins with a pair of NAME = VALUE, followed by zero or more attribute-value pairs, separated by a semicolon. The syntax for attribute-value pairss shown above. A pair of NAME = VALUE to be the first in the ad cookies. All others may follow in any order. The standard does not provide behavior as repeated use of the same attribute-value pairs.
<h5> NAME = VALUE </ h5>
Commitmenttelen. Name cookies - NAME, and its value - VALUE.
NAMEs that begin with an $ reserved
for other purposes and should not be used.
<br>
VALUE The value must be indifferent to the client and the server
can be set any value to the selected ASCII Kodirovke.
"any" means that the contents should be interested in
only the source server. In fact, it can be read
someone ktoanaliziruet Set-Cookie header.
<h5> Comment = comment </ h5>
Optional. Because cookies can contain private information
about a user, the Cookie attribute allows an origin server to
document its intended use of a cookie. The user can inspect the
information to decide whether to initiate or continue a session
with this cookie.
<h5> Domain = domain </ h5>
Nonbinding. The Domain attribute specifies the domain for
which the cookie is valid. An explicitly specified domain
must always start with a dot.
<h5> Max-Age = delta-seconds </ h5>
Optional. The Max-Age attribute defines the lifetime of the
cookie, in seconds. The delta-seconds value is a decimal non -
negative integer. After delta-seconds seconds elapse, the client
should discard the cookie. A value of zero means the cookie
should be discarded immediately.
<h5> Path = path </ h5>
Optional. The Path attribute specifiesthe subset of URLs to
which this cookie applies.
<h5> Secure </ h5>
Optional. The Secure attribute (with no value) directs the user
agent to use only (unspecified) secure means to contact the origin
server whenever it sends back this cookie.
<br>
what level of security it considers appropriate for "secure"
cookies. The Secure attribute should be considered security
advice from the server to the user agent, indicating that it is in
the session'sinterest to protect the cookie contents.
<h5> Version = version </ h5>
Required. The Version attribute, a decimal integer, identifies to
which version of the state management specification the cookie
conforms. For this specification, Version = 1 applies.
How do I set up Cook
Cook is set in three ways:
- Web server (when the appropriate settings)
- Through the CGI response headers (like Perl, PHP, C, Sh)
- Through a custom script (javascript as well as vbscript under IE4 +)
Setting cookies Apache server
If there is an Apache module mod_cookies an opportunity, through the installation guidelines CookieLog filename record filename unique cookie client. Thus, after analyzing the log file, we can trace the activity of the user or clickstream. Since Apache 1.2 this module has been replaced with mod_usertrack, and was removed the ability to create a cookie-log. For this predpolagaetsI generally log file to use "% (cookie) n" option. For example both CustomLog logs / clickstream "% (cookie) n% r% t" You can set the directive (in the server congif or virtual host)
- CookieExpires
- CookieName name of cookies (you can also specify in the. htaccess or directory)
- CookieTracking on | off (you can also specify in the. Htaccess or directory)
Setting cookies CGI application
Cook Set from CGI applications can be sent with the followingagolovok (ie, sending a string to the beginning of the withdrawal of the actual content that comes after the header "Content-type:")
<pre> Set-Cookie:
name = value
[; EXPIRES = dateValue]
[; DOMAIN = domainName]
[; PATH = pathName]
[; SECURE] </ pre>
- name = value to set the values for peremennnoy name value
- [; EXPIRES = dateValue] if specified, it is the date when the cookie expires effect, ie it is deleted from the browser. If not specified, Cook cutaetsya after closing the browser window. In the latter case, Cook is often referred to as a sessional. Date format is:
Wdy, DD-Mon-YY HH: MM: SS GMT
- [; DOMAIN = domainName] If it is a domain in which the browser will send Kuku server. For example,If set to example.com, then Cook and send to example.com and pupkin.example.com. The default for the current domain.
- [; PATH = pathName] If it is a virtual directory server, within the limits totorogo browser will send Cook. For example, if installed in / user, then Cook and send to example.com / user / and example.com / user / pupkin / but not in example.com / smith /. The default page of a virtual directory, whichsylaet Cook.
When using cookies and <b> mod_rewrite </ b> Be careful! Set this option such as "/" otherwise the scripts are located in one directory will not be able to share cookies, because triggered via mod_rewrite. Also, the typical error --installation of cookies from a script in a subdirectory with the subsequent treatment of the script in the parent directory. If you do not set the PATH, Cook will not be available!
- [; SECURE] if set, prevents the cookies on the unprotected channel. Is unprotectedare all protocols except https: / / The only browser that does not understand this directive - Konquerror
Setting cookies in PHP
Читание value cookies in PHP
Deleting cookies in PHP
Settingand reading cookies from javascript
Remember that not all clients support javascript, precisely not at all browser javascript is allowed
<script language="javascript">
function GetValue (Offset) (
var End = document.cookie. indexOf (";", Offset);
if (End ==- 1)
End = document.cookie.length;
return unescape (document.cookie.substring (Offset, End));
)
function GetCookie (Name) (
var Len = Name.length;
var i = 0;
while (i <document.cookie.length) (
var j = i + Len +1;
if(document.cookie.substring (i, j) == (Name +"="))
return GetValue (j);
i = document.cookie.indexOf ( "", 1) +1;
if (i == 0)
break;
)
return null;
)
function SetCookie (Name, Value, Expire) (
var Exp = "Friday ,25-Feb-2000 12:00:00 GMT";
document.cookie = Name +"="+ escape (value) + "; expires =" + Expire;
)
</ script>
Deleting cookies in javascript
Cook Caching proxy servers
The source server must be aware of the efekte keshirovniya as a possible return, and send Set-Cookie headers. Keshirovnie "public" pages is desirable. For example, if the source server wants to use a public document, such as the "Business page" to send the session cookies, which he sends Set-Cookie header, the page should be placed in the cache "pre-expired" so that the source server will see the follow-up requests. "Private" page, on the other hand, should not be cached.
If Cook is applied to an individual user, Set-cookie header should not be keshiaddiction. Set-cookie zagolvok used jointly by many users may be cached.
The source server must send the following additional HTTP/1.1 response header, depending on the circumstances:
To suppress caching Set-Cookie header:
and one of the following:
- Suppress caching private document in shared caches:
Cache-control: private
- Allow caching of document and to require verification before they can view
Cache-control: must-revalidate
- Allow caching of document, but require the cached proxy servers (not the browser cache)
check the document before sending the client
Cache-control: proxy-revalidate
- To allow caching of a document and request that it be validated
before returning it to the client (by "pre-expiring" it):
Cache-control: max-age = 0
Not all caches will revalidate the document in every case.
HTTP/1.1 servers must send Expires: old-date (where old-date is a
date long in the past) on responses containing Set-Cookie response
headers unless they know for certain (by out of band means) that
there are no downsteam HTTP/1.0 proxies. HTTP/1.1 servers may send
other Cache-Control directives that permit caching by HTTP/1.1
proxies in addition to the
Expires: old-date
directive; the Cache-Control directive will override the Expires: old-date for HTTP/1.1
proxies.
Invalid cookies
In order to protect the client from possible brokens privacy information browser to refuse cookies (do not save ifnormatsiyu about them) in any of the following cases:
- The value for the Path attribute is not a prefix of the request-URI.
- The value for the Domain attribute contains no embedded dots or does not startwith a dot.
- The value for the request-host does not domain-match the Domain attribute.
- The request-host is a FQDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.
PrIMER:
- A Set-Cookie from request-host yxfoo.com for Domain =. foo.com would be rejected, because H is yx and contains a dot.
- A Set-Cookie from request-host x.foo.com for Domain =. foo.com would be accepted.
- A Set-Cookie with Domain =. com or Domain =. com.,will always be rejected, because there is no embedded dot.
- A Set-Cookie with Domain = ajax.com will be rejected because the value for Domain does not begin with a dot.
Privacy Cook
The possibility of forgery Cook (Cookie Spoofing).
Properly designed programs can avoid the attacks, using forged Cook c neighboring domains. For example:
<ol>
<li> Browser makes a request to lamer_petya.host.com and receives Cook session_id = "1234" with the domain lamer_petya.host.com
<li & gt; Browser makes a request to hatsker_vasya.host.com and receives Cook <br>
<b> session-id = "1111", Domain = ". host.com" </ b>
<li> the same browser makes a request to lamer_petya.host.com and sends
<pre> Cookie: $ Version = "1";
session_id ="1234";
session_id = "1111"; $ Domain = ". host.com" </ pre>
The server on lamer_petya.host. to calculate the second Cook came from a different domain and ignore it.
Example Two
Lamer Peter has two website on the ballhost. host.com. It uses cookies to its 2 sites and wanted to make them general, establishes the domain. Host.com. Hatsker John hosted a number and convinces lamer Petyu visit / zatsenit his site. Since Petit common domain cookie, and send it hatskeru Vaasa, where he will be able to obtain personal information PETI, such as session key in the administration of the site and poizdevatsya over Petey as the soul is like.
Privacy? cookies.
Internet Exploer 6 now requires sites that send cookies, have a P3P policy.Thus says Microsoft:
"Internet Explorer 6 has developed a filter which is based on Cook specifications Platform for Privacy Preferences (P3P). By default, Internet Explorer 6 blocks third-party cookies that do not have a policy brief (a brief report on the safetyty in an understandable form of a computer) or third-party cookies in the description does not indicate that they will use your personal information without your explicit consent. Initial cookies in the description does not indicate that they will use your personal information without your explicit consent is removed after closing the window brouzera. First-party cookies that do not have a compact policy are leashed (restricted so that they can only be read in the first-party context). "<br>
See also: <a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;q260971&GSSNB=1"> Microsoft Site</ a>
|
|