recitation4 notes


Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: ften) erased, people have multiple machines. 1 Warning: Cookies are sent with every request to the server! As a web developer, you should avoid storing large amounts of data inside cookies. Cookies are limited to 4kb in size. Setting Cookies Typically, cookies are set in an HTTP response to the browser -- the server can specify in the header that a certain cookie should be set. (Note, cookies may also be set by Javascript: document.cookie = “key = value”) An HTTP response header may look like this: HTTP/1.1 200 OK Content-type: text/html Set-Cookie: name=value Set-Cookie: name2=value2; Expires=Wed, 09-Jun-2021 10:18:14 GMT The “Set-Cookie” directive tells the browser to create a cookie with that key and value, and to send that cookie back on future requests. E.g. a future request from the site to the server might be: GET /spec.html HTTP/1.1 Host: Cookie: name=value; name2=value2 Accept: */* Along with key-value pairs, the server can also set cookie attributes. These attributes tell the browser when to send the key-value pairs back. (Cookie attributes themselves are not sent back to the server.) Cookie attributes ● Domain and Path ○ Tells the browser that the cookie should only be sent back for the given domain and path ● Expires and Max-Age ○ Tells the browser when to delete the cookie ■ Expires: provide a date ■ Max-Age: provide a number of seconds to persist ○ If neither are specified, the default is that it will be deleted by the browser after the user closes the browser. ● Secure and HttpOnly ○ These are binary attributes -- either present or not. They don’t have an associated value. ○ Secure: tells browsers only to use the cookie under secure/encrypted connections 2 ○ HttpOnly: tells browsers to only use cookies via the HTTP protocol -- e.g. don’t allow Javascript to modify cookies. (This attribute is used extensively by Facebook and Google to prevent some security vulnerabilities which we won’t get into yet.) For example: Set-Cookie: HSID=AYQEVn….DKrdst; Do...
View Full Document

This document was uploaded on 03/18/2014 for the course EECS 6.170 at MIT.

Ask a homework question - tutors are online