How do browser cookie domains work?


Question

Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know the differences.

In other words - when a browser receives a cookie, that cookie MAY have a domain and a path attached to it. Or not, in which case the browser probably substitutes some defaults for them. Question 1: what are they?

Later, when the browser is about to make a request, it checks its cookies and filters out the ones it should send for that request. It does so by matching them against the request's path and domain. Question 2: what are the matching rules?


Added:

The reason I'm asking this is because I'm interested in some edge cases. Like:

  • Will a cookie for .example.com be available for www.example.com?
  • Will a cookie for .example.com be available for example.com?
  • Will a cookie for example.com be available for www.example.com?
  • Will a cookie for example.com be available for anotherexample.com?
  • Will www.example.com be able to set cookie for example.com?
  • Will www.example.com be able to set cookie for www2.example.com?
  • Will www.example.com be able to set cookie for .com?
  • Etc.

Added 2:

Also, could someone suggest how I should set a cookie so that:

  • It can be set by either www.example.com or example.com;
  • It is accessible by both www.example.com and example.com.

Recommended answer

Although there is RFC 2965 (Set-Cookie2, which had already obsoleted RFC 2109) that should define the cookie nowadays, most browsers don’t fully support that but just comply with the original specification by Netscape.

There is a distinction between the Domain attribute value and the effective domain: the former is taken from the Set-Cookie header field and the latter is the interpretation of that attribute value. According to the RFC 2965, the following should apply:

  • If the Set-Cookie header field does not have a Domain attribute, the effective domain is the domain of the request.
  • If there is a Domain attribute present, its value will be used as effective domain (if the value does not start with a . it will be added by the client).

Having the effective domain it must also domain-match the current requested domain for being set; otherwise the cookie will be revised. The same rule applies for choosing the cookies to be sent in a request.

Mapping this knowledge onto your questions, the following should apply:

  • Cookie with Domain=.example.com will be available for www.example.com
  • Cookie with Domain=.example.com will be available for example.com
  • Cookie with Domain=example.com will be converted to .example.com and thus will also be available for www.example.com
  • Cookie with Domain=example.com will not be available for anotherexample.com
  • www.example.com will be able to set cookie for example.com
  • www.example.com will not be able to set cookie for www2.example.com
  • www.example.com will not be able to set cookie for .com

And to set and read a cookie for/by www.example.com and example.com, set it for .www.example.com and .example.com respectively. But the first (.www.example.com) will only be accessible for other domains below that domain (e.g. foo.www.example.com or bar.www.example.com) where .example.com can also be accessed by any other domain below example.com (e.g. foo.example.com or bar.example.com).
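
The set and send decisions discussed in the answer above, as an added example that is not part of the original post: a JavaScript model of cookie domain scoping that follows the domain-matching rules of RFC 6265 rather than RFC 2965. The function names and the two-entry `PUBLIC_SUFFIXES` set are assumptions for illustration; a browser consults the full Public Suffix List.

```javascript
// Added example: cookie Domain handling modelled on RFC 6265
// (sections 5.1.3, 5.2.3 and 5.3). Not code from the original post.
// PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// Rough IP-literal test: dotted-quad IPv4 or anything containing ':' (IPv6).
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// Domain-match: identical strings, or `domain` is a suffix of `host`
// that starts right after a '.', and `host` is a name, not an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIp(host) && host.endsWith("." + domain);
}

// Decide whether a Set-Cookie received from `requestHost` is stored.
// `domainAttr` is the Domain attribute value, or null when it is absent.
// Returns the stored scope, or null when the cookie is rejected.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // No Domain attribute: host-only cookie, sent to this exact host only.
  if (!domainAttr) return { domain: host, hostOnly: true };
  // One leading dot is dropped, so ".example.com" equals "example.com".
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A public suffix such as "com" is never accepted as a shared scope.
  if (PUBLIC_SUFFIXES.has(domain)) {
    return domain === host ? { domain: host, hostOnly: true } : null;
  }
  // The setting host must itself fall inside the requested scope,
  // which rejects sibling hosts (www2.example.com) and unrelated domains.
  if (!domainMatch(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Decide whether a stored cookie is attached to a request for `requestHost`.
function shouldSend(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain
                         : domainMatch(host, cookie.domain);
}
```

Omitting the Domain attribute gives the narrowest scope (the exact host), while `Domain=example.com` exposes the cookie to every subdomain of `example.com`, which matters when subdomains are not equally trusted.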
