About RFC 2109

2010-06-16 23:05:33


1. Abstract
The RFC mainly covers the Cookie and Set-Cookie headers, which maintain session state between the user and the server.
2. The origin server effectively ends a session by sending the client a Set-Cookie header with Max-Age=0.
   The syntax for the Set-Cookie response header is

   set-cookie      =       "Set-Cookie:" cookies
   cookies         =       1#cookie
   cookie          =       NAME "=" VALUE *(";" cookie-av)
   NAME            =       attr
   VALUE           =       value
   cookie-av       =       "Comment" "=" value
                   |       "Domain" "=" value
                   |       "Max-Age" "=" value
                   |       "Path" "=" value
                   |       "Secure"
                   |       "Version" "=" 1*DIGIT


3. Comment=comment
      Optional. Because cookies can contain private information about a
      user, the Cookie attribute allows an origin server to document its
      intended use of a cookie. The user can inspect the information to
      decide whether to initiate or continue a session with this cookie.

    Because a cookie can contain the user's private information, this attribute lets the server state whether and how it intends to use the cookie; the user can inspect it to decide whether to use the cookie for a session.

4. Domain=domain
      Optional. The Domain attribute specifies the domain for which the
      cookie is valid. An explicitly specified domain must always start
      with a dot.
     The Domain attribute specifies the domain for which the cookie is valid; an explicitly specified domain must begin with a ".".

5. Max-Age=delta-seconds
      Optional. The Max-Age attribute defines the lifetime of the
      cookie, in seconds. The delta-seconds value is a decimal non-
      negative integer. After delta-seconds seconds elapse, the client
      should discard the cookie. A value of zero means the cookie
      should be discarded immediately.

      The Max-Age attribute gives the cookie's lifetime in seconds, as a decimal non-negative integer. Once that time has elapsed, the client discards the cookie; a value of 0 means the cookie must be discarded immediately.

6. Path=path
      Optional. The Path attribute specifies the subset of URLs to
      which this cookie applies.
     The Path attribute specifies the subset of URLs to which the cookie applies.

7. Secure
      Optional. The Secure attribute (with no value) directs the user
      agent to use only (unspecified) secure means to contact the origin
      server whenever it sends back this cookie.

     The user agent (possibly under the user's control) may determine
      what level of security it considers appropriate for "secure"
      cookies. The Secure attribute should be considered security
      advice from the server to the user agent, indicating that it is in
      the session's interest to protect the cookie contents.

      The Secure attribute (which has no value) tells the user agent to contact the origin server only over a secure channel whenever it sends this cookie back.


8. Version=version
      Required. The Version attribute, a decimal integer, identifies to
      which version of the state management specification the cookie
      conforms. For this specification, Version=1 applies.

9. The origin server should send the following additional HTTP/1.1 response headers, depending on circumstances:

   * To suppress caching of the Set-Cookie header: Cache-control: no-cache="set-cookie".

   and one of the following:

   * To suppress caching of a private document in shared caches: Cache-control: private.

   * To allow caching of a document and require that it be validated before returning it to the client: Cache-control: must-revalidate.

   * To allow caching of a document, but to require that proxy caches (not user agent caches) validate it before returning it to the
     client: Cache-control: proxy-revalidate.

   * To allow caching of a document and request that it be validated before returning it to the client (by "pre-expiring" it):
     Cache-control: max-age=0. Not all caches will revalidate the document in every case.

     Whether or not the cookie is shared, the cases above cover the possible validation requirements.

10. Notes on the cookie attribute defaults
   
   Version: Defaults to "old cookie" behavior, as originally specified by
          Netscape. See the HISTORICAL section.

   Domain: Defaults to the request-host. (Note that there is no dot at
          the beginning of request-host.)

   Max-Age: The default behavior is to discard the cookie when the user
          agent exits.

   Path:   Defaults to the path of the request URL that generated the
          Set-Cookie response, up to, but not including, the
          right-most /.

   Secure: If absent, the user agent may send the cookie over an
          insecure channel.

11. Rejecting Cookies
To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the
   following is true:

   * The value for the Path attribute is not a prefix of the request-
     URI.

   * The value for the Domain attribute contains no embedded dots or
     does not start with a dot.

   * The value for the request-host does not domain-match the Domain
     attribute.

   * The request-host is a FQDN (not IP address) and has the form HD,
     where D is the value of the Domain attribute, and H is a string
     that contains one or more dots.

   Examples:

   * A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
     would be rejected, because H is y.x and contains a dot.


   * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
     be accepted.

   * A Set-Cookie with Domain=.com or Domain=.com., will always be
     rejected, because there is no embedded dot.

   * A Set-Cookie with Domain=ajax.com will be rejected because the
     value for Domain does not begin with a dot.

12. Sending Cookies to the Origin Server

   When it sends a request to an origin server, the user agent sends a Cookie request header to the origin server if it has cookies that are
   applicable to the request, based on

   * the request-host;

   * the request-URI;

   * the cookie's age.

   The syntax for the header is:

   cookie          =       "Cookie:" cookie-version
                           1*((";" | ",") cookie-value)
   cookie-value    =       NAME "=" VALUE [";" path] [";" domain]
   cookie-version =       "$Version" "=" value
   NAME            =       attr
   VALUE           =       value
   path            =       "$Path" "=" value
   domain          =       "$Domain" "=" value
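The rejection rules of section 11 and the Cookie request header of section 12, as an added example (not code from the RFC or from this post); the hosts, paths and cookie values are constructed samples:

```python
"""Added example (not from RFC 2109 or the blog): the cookie rejection rules of
section 11 and the Cookie request header of section 12. Hosts, paths and
cookie values are constructed samples."""
import re

def domain_match(host, domain):
    # RFC 2109: A domain-matches B if equal, or B starts with a dot and is a
    # suffix of A with a non-empty prefix (x.y.com matches .y.com, not y.com)
    host, domain = host.lower(), domain.lower()
    return host == domain or (domain.startswith(".") and host.endswith(domain)
                              and len(host) > len(domain))

def parse_set_cookie(header):
    # 'NAME=VALUE; Attr=value; Secure' -> (name, value, {attr: value or True})
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for av in parts[1:]:
        k, _, v = av.partition("=")
        attrs[k.strip().lower()] = v.strip().strip('"') if v else True
    return name.strip(), value.strip().strip('"'), attrs

def reject_reason(request_host, request_uri, attrs):
    """Return the section-11 rule that rejects the cookie, or None if accepted."""
    path = attrs.get("path")
    if path is not None and not request_uri.startswith(path):
        return "Path is not a prefix of the request-URI"
    domain = attrs.get("domain")
    if domain is None:          # Domain defaults to request-host: nothing to check
        return None
    if not domain.startswith(".") or "." not in domain[1:-1]:
        return "Domain has no embedded dot or does not start with a dot"
    if not domain_match(request_host, domain):
        return "request-host does not domain-match Domain"
    h = request_host[:-len(domain)]          # request-host has the form HD
    if not re.fullmatch(r"[0-9.]+", request_host) and "." in h:
        return "H=%r contains a dot" % h
    return None

def cookie_header(jar, request_host, request_uri, over_tls=False):
    # Section 12: applicable cookies, most specific path first; Secure only over TLS
    hits = [c for c in jar if domain_match(request_host, c["domain"])
            and request_uri.startswith(c["path"])
            and (over_tls or not c.get("secure"))]
    hits.sort(key=lambda c: len(c["path"]), reverse=True)
    if not hits:
        return None
    items = ['%s=%s; $Path="%s"; $Domain="%s"' % (c["name"], c["value"],
             c["path"], c["domain"]) for c in hits]
    return "Cookie: " + "; ".join(['$Version="1"'] + items)
```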


13. Implementation Limits
Furthermore, general-use user agents should provide each of the following minimum capabilities individually, although not necessarily simultaneously:
      * at least 300 cookies

      * at least 4096 bytes per cookie (as measured by the size of the
        characters that comprise the cookie non-terminal in the syntax
        description of the Set-Cookie header)

      * at least 20 cookies per unique host or domain name

   User agents created for specific purposes or for limited-capacity
   devices should provide at least 20 cookies of 4096 bytes, to ensure
   that the user can interact with a session-based origin server.


14. Protocol Design
We consider it acceptable for hosts host1.foo.com and host2.foo.com to share cookies, but not a.com and b.com.
Cookies cannot be used across domains.
