Are HTTP cookies port specific?


Problem description

I have two HTTP services running on one machine. I just want to know if they share their cookies or whether the browser distinguishes between the two server sockets.

Recommended answer

The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965 (both RFCs are now marked as "Historic") and formalizes the syntax for real-world usages of cookies. It clearly states:

1. Introduction

...

For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a given cookie is intended for "secure" connections, but the Secure attribute does not provide integrity in the presence of an active network attacker. Similarly, cookies for a given host are shared across all the ports on that host, even though the usual "same-origin policy" used by web browsers isolates content retrieved via different ports.

And also:

8.5. Weak Confidentiality

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security sensitive information.
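The following Python script is an added illustration, not part of the original answer or of RFC 6265. It uses the standard library's http.cookiejar, whose cookie-scoping rules strip the port from the request host exactly as the RFC describes, to show that a cookie set by a service on one port is attached to requests for a different port on the same host, while a different hostname does not receive it. The hostnames (app.example.test, admin.example.test), the ports and the tiny _FakeResponse stub are constructed for the example so it runs offline without a real server.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Constructed stand-in for an HTTP response. CookieJar.extract_cookies
    only calls response.info() and expects an object with get_all(), which
    email.message.Message provides."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            # Message.__setitem__ appends, so several Set-Cookie lines are kept.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_header_after_cross_port(set_url, read_url,
                                   set_cookie="session=abc123; Path=/; HttpOnly"):
    """Simulate a browser-like cookie jar.

    A response from `set_url` carries a Set-Cookie header (no Domain
    attribute, so it is host-scoped). We then build a request for
    `read_url` and return the Cookie header the jar attaches, or None
    if the jar decides the cookie is out of scope for that request.
    """
    jar = http.cookiejar.CookieJar()

    # The "service" at set_url responds with the cookie. The jar records the
    # cookie against the request host with the port removed.
    jar.extract_cookies(_FakeResponse([set_cookie]),
                        urllib.request.Request(set_url))

    # Now a request to read_url: the jar applies the same host-only matching.
    req = urllib.request.Request(read_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def shared_across_ports(host, set_port, read_port, scheme="https"):
    """True if a cookie set on host:set_port is sent to host:read_port."""
    set_url = f"{scheme}://{host}:{set_port}/"
    read_url = f"{scheme}://{host}:{read_port}/"
    return cookie_header_after_cross_port(set_url, read_url) is not None


if __name__ == "__main__":
    # Same host, different ports: the cookie set on :8443 leaks to :9443.
    print("same host, other port :",
          cookie_header_after_cross_port("https://app.example.test:8443/",
                                         "https://app.example.test:9443/"))
    # Mitigation the RFC implies: give mutually distrusting services their own
    # hostname. A different host does not receive the cookie.
    print("different host        :",
          cookie_header_after_cross_port("https://app.example.test:8443/",
                                         "https://admin.example.test:8443/"))
```

Running it prints `session=abc123` for the cross-port case and `None` for the cross-host case. The practical consequence for the question asked above is that two services on the same machine but on different ports will see each other's cookies; if they must not trust each other, put them on separate hostnames (or use distinct, non-overlapping cookie names and paths while accepting that Path offers no security boundary either).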
