When Secure is set to true, the Cookie is sent to the server in a secure manner; that is, the browser only passes it to the server over an HTTPS connection for session authentication.

A Cookie contains the following information:

1) Cookie name. The name may only use characters that are legal in a URL, generally letters and digits; it cannot contain special characters, and any special characters must be encoded. For example, when JS operates on cookies, escape() can be used to encode the name.

2) Cookie value. The value follows the same rules as the name and can likewise be encoded or encrypted.

3) Expires. A GMT date at which the browser removes the Cookie. When it is not set, the Cookie disappears when the browser is closed.

4) Path. The path under which pages can access the Cookie; generally set to "/" to indicate that all pages of the same site can access the Cookie.

5) Domain. Specifies the subdomain in which the Cookie can be accessed. For example, to make the Cookie accessible under a.test.com but not under b.test.com, set Domain to a.test.com.

6) Secure. If Secure is set, the Cookie can only be accessed by the page when the HTTPS protocol is used.

7) HttpOnly. If the "HttpOnly" attribute is set, the Cookie cannot be read by programs (JS scripts, Applets, etc.).

Note: The figure above shows the setcookie syntax from w3school and does not show the 7th attribute, HttpOnly, because of differences in version support.

I. Attribute description: When Secure is set to true, the Cookie is transferred to the server in a secure manner; that is, the browser only passes it to the server over an HTTPS connection for session authentication, never over a plain HTTP connection, so the exact contents of the Cookie cannot be stolen in transit. If the "HttpOnly" attribute is set in the Cookie, the Cookie cannot be read by programs (JS scripts, Applets, etc.), which effectively prevents an XSS attack from reading it.

II. Example of viewing the cookie in various browsers: modify example 1 from "Web attack one: XSS cross-site script" by adding the Cookie-related code (the lines from "Cookie hit = new Cookie(...)" to "response.addCookie(hit)") as follows:

package com.dxz.web.controller;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class loginController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public ModelAndView helloWorld(@RequestParam("nick") String nick, HttpServletResponse response) {
        System.out.println(nick + " login");
        ModelAndView mv = new ModelAndView();
        mv.addObject("message", nick);
        mv.setViewName("xss2");

        Cookie hit = new Cookie("hitCounter", "1");
        hit.setHttpOnly(true);            // If "HttpOnly" is set, the Cookie cannot be accessed by a program (JavaScript, Applet, etc.)
        hit.setMaxAge(60 * 60);           // Set lifetime to 1 hour
        // hit.setDomain("www.duanxz.cn");
        // hit.setPath("/hello");         // The Cookie can only be accessed from pages below this path
        // hit.setSecure(true);           // If Secure is set, the Cookie is only sent by the page over an HTTPS connection
        response.addCookie(hit);
        return mv;
    }
}

Then access:

http://localhost:8080/SpringWebTraining/login?nick=%22%2F%3Cscript%3Ealert%28%22haha%22%29%3C%2Fscript%3E%3C%21-

IE11:

Fiddler2:

SpringMVC’s Cookie Operations

1. The Cookie is created by the server and then added to the HttpServletResponse sent to the client (browser).

2. Multiple cookie key-value pairs can be added.

3. A Cookie consists of a key name and a value. Key names within the "same domain and path" cannot be duplicated; adding a key-value pair with the same name overrides the previous key-value pair with that name.

4. When adding a cookie, specify the scope where the cookie applies (setPath) and its lifetime (setMaxAge).

5. After the server creates the cookie and sends it to the client, the browser carries the "Cookie array" in every subsequent request (HttpServletRequest).

6. SpringMVC can obtain cookies in two ways: (1) a specified cookie can be obtained in the controller via the @CookieValue annotation; (2) get the array of cookies through the getCookies method of HttpServletRequest and then iterate over each cookie key-value pair in it.

Session Description:

1. The server creates a Session (request.getSession()) based on the client’s request (HttpServletRequest).

2. Each Session has a unique identifier called the "SessionID", which can be obtained through getId().

3. The Session is stored on the server side, and each Session has an ID. When a Session is created, the SessionID is stored in the cookie for this visit; on later accesses, the Session on the server is located by the SessionID value carried in the cookie.

4. The server clears a Session that has been inactive for a long time from the server’s memory, at which point the Session becomes invalid. The default expiration time of a Session in Tomcat is 20 minutes.

A Session is not created when accessing static resources such as HTML.

Related code:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Print every cookie carried by the request
public void showCookies(HttpServletRequest request) {
    Cookie[] cookies = request.getCookies();
    if (null == cookies) {
        System.out.println("no cookies");
    } else {
        for (Cookie cookie : cookies) {
            System.out.println("cookieName:" + cookie.getName() + ",cookieValue:" + cookie.getValue());
        }
    }
}

// Create a cookie and add the new cookie to the "response object"
public void addCookie(HttpServletResponse response) {
    Cookie cookie = new Cookie("name_test", "value_test"); // create a new cookie
    cookie.setMaxAge(5 * 60);                               // lifetime: 5 minutes
    cookie.setPath("/");                                    // set scope
    response.addCookie(cookie);
}

// To modify a cookie, locate it by name (not only must the name match the cookie being modified,
// the path and domain must also agree with the cookie being modified)
public void editCookie(HttpServletRequest request, HttpServletResponse response) {
    Cookie[] cookies = request.getCookies();
    if (null == cookies) {
        System.out.println("No cookies");
    } else {
        for (Cookie cookie : cookies) {
            // If a cookie with the specified name is found during iteration
            if (cookie.getName().equals("name_test")) {
                cookie.setValue("new_value");   // modify the value
                cookie.setPath("/");
                cookie.setMaxAge(10 * 60);
                response.addCookie(cookie);     // save the modified cookie in the response, replacing the old cookie with the same name
                break;
            }
        }
    }
}

// Delete the cookie
public void delCookie(HttpServletRequest request, HttpServletResponse response) {
    Cookie[] cookies = request.getCookies();
    if (null == cookies) {
        System.out.println("No cookie");
    } else {
        for (Cookie cookie : cookies) {
            // If a cookie with the same name is found, set the value to null, set the lifetime to 0,
            // and replace the original cookie
            if (cookie.getName().equals("name_test")) {
                cookie.setValue(null);
                cookie.setMaxAge(0);
                cookie.setPath("/");
                response.addCookie(cookie);
                break;
            }
        }
    }
}

Attached: JS methods for manipulating cookies:

JS setting cookies:

document.cookie = "name=" + username;

JS read cookies:

Assume that the contents stored in the cookie are: name=jack; password=123

The JS code for obtaining the value of the variable username in page B is as follows:

var username = document.cookie.split(";")[0].split("=")[1];

// write cookies
function setCookie(name, value) {
    var Days = 30;
    var exp = new Date();
    exp.setTime(exp.getTime() + Days * 24 * 60 * 60 * 1000);
    document.cookie = name + "=" + escape(value) + "; expires=" + exp.toGMTString();
}

Read the cookies

function getCookie(name) {
    // match "name=value" at the start of the string or after a separating space, up to the next ";" or the end
    var arr, reg = new RegExp("(^| )" + name + "=([^;]*)(;|$)");
    if (arr = document.cookie.match(reg))
        return unescape(arr[2]);
    else
        return null;
}

Delete the cookies

function delCookie(name) {
    var exp = new Date();
    exp.setTime(exp.getTime() - 1);   // an expiry date in the past makes the browser drop the cookie
    var cval = getCookie(name);
    if (cval != null)
        document.cookie = name + "=" + cval + "; expires=" + exp.toGMTString();
}

// Usage example
setCookie("name", "Hayden");
alert(getCookie("name"));

// If you want to set a custom expiration time, replace the setCookie function with the following two functions
function setCookie(name, value, time) {
    var strsec = getsec(time);
    var exp = new Date();
    exp.setTime(exp.getTime() + strsec * 1);
    document.cookie = name + "=" + escape(value) + "; expires=" + exp.toGMTString();
}

// Convert a string such as "s20" (seconds), "h2" (hours) or "d7" (days) into milliseconds
function getsec(str) {
    var str1 = str.substring(1, str.length) * 1;
    var str2 = str.substring(0, 1);
    if (str2 == "s") {
        return str1 * 1000;
    } else if (str2 == "h") {
        return str1 * 60 * 60 * 1000;
    } else if (str2 == "d") {
        return str1 * 24 * 60 * 60 * 1000;
    }
}

setCookie("name", "Hayden", "s20");
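The read helper above (split(";")[0] and the hand-written regex) breaks as soon as the wanted cookie is not first or its value contains "=". As an added example that is not part of the original post, the following helpers parse the whole cookie string instead, emit the Secure and SameSite attributes when writing, and run against either the real document in a browser or the constructed CookieJar stand-in (an assumption for offline use) that mimics how document.cookie merges writes.

```javascript
// Added example (not from the original post). "jar" is any object with a
// "cookie" property: the real `document` in a browser, or the stand-in below.
function parseCookies(cookieString) {
  const result = {};
  for (const part of cookieString.split(";")) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf("=");          // a value may itself contain "="
    const name = eq === -1 ? pair : pair.slice(0, eq);
    result[decodeURIComponent(name)] = decodeURIComponent(eq === -1 ? "" : pair.slice(eq + 1));
  }
  return result;
}

function getCookie(jar, name) {
  const all = parseCookies(jar.cookie);
  return Object.prototype.hasOwnProperty.call(all, name) ? all[name] : null;
}

// opts: { maxAgeSeconds, path, domain, secure, sameSite }. There is no HttpOnly
// option: browsers ignore it in document.cookie writes, which is exactly why an
// HttpOnly cookie stays out of reach of injected script.
function setCookie(jar, name, value, opts = {}) {
  let str = encodeURIComponent(name) + "=" + encodeURIComponent(value);
  if (opts.maxAgeSeconds !== undefined) str += "; max-age=" + opts.maxAgeSeconds;
  str += "; path=" + (opts.path || "/");
  if (opts.domain) str += "; domain=" + opts.domain;
  if (opts.secure) str += "; secure";
  str += "; samesite=" + (opts.sameSite || "Lax");
  jar.cookie = str;
  return str;
}

function deleteCookie(jar, name, opts = {}) {
  return setCookie(jar, name, "", Object.assign({}, opts, { maxAgeSeconds: 0 }));
}

// Constructed stand-in for document.cookie: stores name=value pairs and treats
// max-age=0 as deletion; other attributes are accepted but not enforced.
class CookieJar {
  constructor() { this.store = {}; }
  get cookie() { return Object.keys(this.store).map((n) => n + "=" + this.store[n]).join("; "); }
  set cookie(str) {
    const [pair, ...attrs] = str.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq);
    if (attrs.some((a) => a.toLowerCase() === "max-age=0")) delete this.store[name];
    else this.store[name] = pair.slice(eq + 1);
  }
}
```

With the stand-in, writing "name" and then "password" yields the string name=jack; password=123 that the text assumes, and getCookie finds "password" where split(";")[0] would not.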