How browsers know what cookies to send to server when requesting?


Question

I know how cookies work; I just started to dig into why Codeigniter does not store the generated CSRF token in the SESSION, it just stores it in a cookie. Concerned about security, I've started to think about the PHP setcookie() function params such as path and domain. And I have asked myself: is it possible to set 'evil_cookie' with path='/' and domain='www.goodsite.com' from another domain, from some 'www.evilsite.com'? And another question is, will 'evil_cookie' be sent to 'www.goodsite.com' when performing a request to 'www.goodsite.com'?

So, I did a test. I've created a 'set_cookie.php' file and uploaded it to some 'www.evilsite.com':

    <?php
    // Test from the question: a page on www.evilsite.com sends a Set-Cookie
    // scoped to a different domain (www.goodsite.com), path '/', 30-minute expiry.
    setcookie('evil_cookie', 'gotcha', time() + 60 * 30, '/', 'www.goodsite.com');

I was using Firefox and the Firebug + Cookie plugins for viewing sent and received cookies. So, I did receive 'evil_cookie' after the request to 'www.evilsite.com/set_cookie.php'. However, the cookie was not saved (at least there was no such cookie when viewing the Firebug cookie plugin panel). Nor was it sent when requesting 'www.evilsite.com/set_cookie.php' again. Just received but not saved.

From the Firefox browser's point of view, it's logical and secure to save cookies for the current domain only. IMHO those setcookie() params such as path and domain are primarily for managing cookies for the current domain and its subdomains, but not for external domains. I was a little bit upset that I was unable to find related info on php.net, so I'm not sure whether it is browser-related behavior, specific to how it deals with "3rd party cookies", or whether it's more of a standard. Do all browsers behave the same? If there's any solid and reliable source for such statements, please share.

That is also relevant to another use of cookies: storing session data (without using PHP native sessions, as Codeigniter does, for example). So, if all browsers do not allow saving a cookie with a domain other than the current one, then it's OK. However, it does not protect from CSRF, as 'www.evilsite.com' might contain evil JavaScript code that will create 'evil_cookie' directly on the client when a user performs a request to 'www.evilsite.com' and gets the response.

Solution

[…] is it possible to set 'evil_cookie' with a path='/' and domain = 'www.goodsite.com' from another domain, from some 'www.evilsite.com'?

No, user agents should ignore Set-Cookie directives with Domain attributes that do not domain-match the current requested domain:

The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".

Such cookies would not even be accepted by user agents. The same applies to the Path and Secure attributes.

See also How do browser cookie domains work? for examples of how the Domain attribute values are interpreted by user agents.
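As an added illustration (not code from the question, the answer, or Codeigniter), the following Python models the two RFC 6265 decisions discussed above: whether a user agent stores a Set-Cookie at all (a Domain attribute that does not domain-match the sending host causes the whole cookie to be ignored) and which stored cookies it sends on a later request (domain-match or exact host for host-only cookies, plus path-match). The function names, the in-memory jar and the sample hosts are assumptions of this example; the public-suffix list, IP-address hosts, expiry, Secure and HttpOnly are deliberately not modelled.

```python
# Added, simplified model of RFC 6265: how a user agent decides whether to
# STORE a Set-Cookie and which stored cookies to SEND on a later request.
# Not modelled: public-suffix list, IP-address hosts, expiry, Secure, HttpOnly.

def domain_match(host, domain):
    """Section 5.1.3: host equals domain, or host ends with '.' + domain."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    """Section 5.1.4: prefix match that respects '/' boundaries."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def accept_cookie(jar, request_host, name, value, domain=None, path="/"):
    """Section 5.3 step 6: ignore the whole cookie when its Domain attribute
    does not domain-match the host that sent it. Returns True if stored."""
    if domain is None:                      # no Domain attribute: host-only
        cookie_domain, host_only = request_host.lower(), True
    elif domain_match(request_host, domain):
        cookie_domain, host_only = domain.lower().strip("."), False
    else:
        return False                        # e.g. evilsite scoping to goodsite
    jar.append({"name": name, "value": value, "domain": cookie_domain,
                "host_only": host_only, "path": path})
    return True

def cookies_for_request(jar, request_host, request_path):
    """Section 5.4: host-only cookies need an exact host match, others a
    domain-match; every cookie also needs a path-match. Returns names."""
    host = request_host.lower()
    sent = []
    for c in jar:
        if c["host_only"] and host != c["domain"]:
            continue
        if not c["host_only"] and not domain_match(host, c["domain"]):
            continue
        if path_match(request_path, c["path"]):
            sent.append(c["name"])
    return sent

if __name__ == "__main__":
    jar = []  # the question's test: www.evilsite.com sets Domain=www.goodsite.com
    print(accept_cookie(jar, "www.evilsite.com", "evil_cookie", "gotcha",
                        domain="www.goodsite.com"))  # False: never stored
```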
