I. What a cookie is

A cookie is a small piece of data that a server sends to the user's browser, which stores it locally. The next time the browser sends a request to the same server, it includes that data in the request.

II. What cookies are used for

  • Session state management, such as login status, shopping carts, game scores, or any other information that needs to be recorded across requests

  • Personalization, such as user-defined settings and themes

  • Tracking browser behavior, such as recording and analyzing user activity

III. How cookies are created

The server sends the response header Set-Cookie: name=value; on later requests to that server, the browser sends the request header Cookie: name=value.

IV. Classification

Classified by lifetime:

  • Session cookie: valid only for the duration of the browser session

  • Persistent cookie: expires at an absolute date (Expires) or after a given number of seconds (Max-Age)
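The exchange described in sections III and IV, as an added example that is not part of the original article: build_set_cookie produces the Set-Cookie header value for a session cookie (no expiry) or a persistent one (Max-Age plus an equivalent Expires), and BrowserCookieJar is a constructed, minimal model of what the browser does with it, including dropping session cookies when the session ends and dropping persistent cookies once they expire. The cookie names and values are made up for the demonstration.

```python
"""Added example: the Set-Cookie / Cookie exchange with session and persistent
cookies. Constructed for this page; not code from the original article."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def build_set_cookie(name, value, max_age=None, now=None, path="/"):
    """Return the value of a Set-Cookie response header.

    max_age=None gives a session cookie (no Expires/Max-Age), which the browser
    discards when the browsing session ends. With max_age set the cookie is
    persistent: Max-Age is the lifetime in seconds, and the equivalent absolute
    Expires date is sent as well for clients that only understand Expires.
    """
    parts = [f"{name}={value}"]
    if max_age is not None:
        now = now or datetime.now(timezone.utc)
        expires = format_datetime(now + timedelta(seconds=max_age), usegmt=True)
        parts.append(f"Expires={expires}")
        parts.append(f"Max-Age={max_age}")
    parts.append(f"Path={path}")
    return "; ".join(parts)


class BrowserCookieJar:
    """Minimal model of how a browser stores cookies (constructed, not a real jar)."""

    def __init__(self):
        self._store = {}  # name -> (value, expiry datetime or None for session cookies)

    def receive(self, set_cookie_header, now=None):
        """Process one Set-Cookie header value."""
        now = now or datetime.now(timezone.utc)
        first, *rest = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = first.partition("=")
        attrs = {k.strip().lower(): v.strip() for k, _, v in (a.partition("=") for a in rest)}
        if "max-age" in attrs:          # Max-Age takes precedence over Expires
            expiry = now + timedelta(seconds=int(attrs["max-age"]))
        elif "expires" in attrs:
            expiry = parsedate_to_datetime(attrs["expires"])
        else:
            expiry = None               # session cookie
        if expiry is not None and expiry <= now:
            self._store.pop(name, None)  # Max-Age=0 or a past date deletes the cookie
        else:
            self._store[name] = (value, expiry)

    def cookie_header(self, now=None):
        """Value of the Cookie request header the browser would send back."""
        now = now or datetime.now(timezone.utc)
        live = [(n, v) for n, (v, exp) in self._store.items() if exp is None or exp > now]
        return "; ".join(f"{n}={v}" for n, v in live)

    def end_session(self):
        """Closing the browser drops every session cookie (those without an expiry)."""
        self._store = {n: (v, e) for n, (v, e) in self._store.items() if e is not None}


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    jar = BrowserCookieJar()
    jar.receive(build_set_cookie("sid", "abc123"), now=t0)                     # session cookie
    jar.receive(build_set_cookie("theme", "dark", max_age=3600, now=t0), now=t0)  # persistent
    print("Cookie:", jar.cookie_header(now=t0))
    jar.end_session()
    print("Cookie after restart:", jar.cookie_header(now=t0))
```

Running it shows the first Cookie header carrying both cookies and, after end_session, only the persistent one; advancing the clock past 3600 seconds removes that one too.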

V. Security problems with cookies and how to prevent them

1. Session hijacking

  • Regenerate and re-send the session cookie when the user authenticates

  • Set the Secure attribute; do not store sensitive information in cookies

2. Cross-site scripting (XSS): restrict access to cookies by setting HttpOnly, which prevents JavaScript from reading the cookie value

3. Cross-site request forgery (CSRF)

  • Set the SameSite attribute so the cookie is not sent with cross-site requests

  • Give cookies that carry sensitive information a short lifetime

4. Defense in depth: use cookie prefixes
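The mitigations in section V, as an added example that is not part of the original article: audit_set_cookie checks a Set-Cookie header value for the Secure, HttpOnly and SameSite attributes and for the rules attached to the __Secure- and __Host- cookie prefixes (a __Secure- cookie must carry Secure; a __Host- cookie must carry Secure, have Path=/ and no Domain, otherwise the browser refuses to store it), and SessionStore shows the first mitigation, rotating the session id at login. The header values, session layout and the __Host-session cookie name are constructed for the demonstration.

```python
"""Added example: auditing Set-Cookie attributes and rotating the session id on
login. Constructed for this page; not code from the original article."""
import secrets


def _parse(header):
    """Split a Set-Cookie value into (name, {lowercase attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, _ = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (a.partition("=") for a in rest)}
    return name, attrs


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header value; empty means it passes."""
    name, attrs = _parse(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by JavaScript (XSS)")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: cookie is sent on cross-site requests (CSRF)")
    # Cookie prefix rules: a browser that understands prefixes rejects the cookie outright
    if name.startswith("__Secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix requires Secure")
    if name.startswith("__Host-") and (
        "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


def session_set_cookie(session_id):
    """Hardened Set-Cookie value for the session id (name is a constructed choice)."""
    return f"__Host-session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionStore:
    """Server-side sessions keyed by a random id. The id is replaced at login, so an
    id observed or planted before authentication does not identify the logged-in user."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user):
        data = self._sessions.pop(old_sid, None)  # the pre-login id stops working
        if data is None:
            raise KeyError("unknown session")
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    for h in ("sid=abc123; Path=/", session_set_cookie("example")):
        print(h, "->", audit_set_cookie(h) or "OK")
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("rotated:", anon != authed, "old id user:", store.user_for(anon))
```

The weak header in the demo produces three findings; the hardened one produces none, and the old session id yields no user once login has rotated it.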

VI. Relevant provisions

  • Third-party cookies must be declared to the user

  • Allow users to opt out of receiving some or all cookies

  • Allow users to use most of the service without receiving cookies
