Cookie
*These are review notes, so obvious material is omitted
Summary.
0. Once the server sets a cookie (e.g. with Set-Cookie), every subsequent client request carries that cookie (*used for session management, etc.)
1. An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user's web browser. The browser may store the cookie and send it back to the same server with later requests. Typically, an HTTP cookie is used to tell if two requests come from the same browser—keeping a user logged in, for example. It remembers stateful information for the stateless HTTP protocol.
+ *for general client-side storage, modern storage APIs (Web Storage, IndexedDB) are now recommended instead of cookies
2. Examples of cookie use
+ Session management: logins, shopping carts, game scores, or anything else the server should remember
+ Personalization: user preferences, themes, and other settings
+ Tracking: recording and analyzing user behavior
3. Cookies are sent with every request, so they can worsen performance (especially for mobile data connections)
4. After receiving an HTTP request, a server can send one or more Set-Cookie headers with the response. The browser usually stores the cookie and sends it with requests made to the same server inside a Cookie HTTP header. You can specify an expiration date or time period after which the cookie shouldn't be sent. You can also set additional restrictions to a specific domain and path to limit where the cookie is sent.
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: yummy_cookie=choco
Set-Cookie: tasty_cookie=strawberry
[page content]
+ Then, with every subsequent request to the server, the browser sends all previously stored cookies back using the Cookie header
GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=choco; tasty_cookie=strawberry
5. Two kinds of cookie lifetime
- Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting. This can cause session cookies to last indefinitely.
- Permanent cookies are deleted at a date specified by the Expires attribute, or after a period of time specified by the Max-Age attribute.
Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
6. The SameSite attribute lets servers specify whether/when cookies are sent with cross-site requests (where a site is defined by the registrable domain and the scheme: http or https). This provides some protection against cross-site request forgery attacks (CSRF). It takes three possible values: Strict, Lax, and None.
+ Strict: the cookie is only sent to the site where it originated
+ Lax: (similar to Strict, but slightly looser) cookies are also sent when the user navigates to the cookie's origin site from an external site, for example by following a link; they are still not sent on embedded cross-site requests such as images or frames
+ None: cookies are sent on both originating and cross-site requests, but only in secure contexts (i.e., if SameSite=None then the Secure attribute must also be set)
+ If no SameSite attribute is set, the cookie is treated as Lax
Set-Cookie: mykey=myvalue; SameSite=Strict
7. Domain and Path attributes define what URLs the cookies should be sent to.
+ The Domain attribute specifies which hosts can receive a cookie. If unspecified, the attribute defaults to the same host that set the cookie, excluding subdomains. If Domain is specified, then subdomains are always included.
+ The Path attribute indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F ("/") character is considered a directory separator, and subdirectories match as well.
Domain=mozilla.org // includes all subdomains like developer.mozilla.org
Path=/docs // matches all of the following request paths:
/docs
/docs/
/docs/Web/
/docs/Web/HTTP
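The Domain/Path rules above, worked through as an added example (my own code, not from the note or from MDN): it decides which stored cookies a browser would send with a request. Cookies are plain objects { name, value, domain, hostOnly, path } constructed inline (no Set-Cookie parsing here), and the path-boundary rule follows RFC 6265 §5.1.4, which the note does not spell out.

```javascript
// Added example (not from the note or MDN): which stored cookies are sent
// with a request, following the Domain and Path rules above. Cookie objects
// are constructed inline. Node.js, WHATWG URL, no dependencies.

// Domain match: an explicit Domain=mozilla.org covers mozilla.org and every
// subdomain; a host-only cookie (no Domain attribute) covers only the exact
// host that set it.
function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Path match (RFC 6265 §5.1.4): the cookie path must be a prefix of the
// request path and end on a "/" boundary, so Path=/docs matches /docs,
// /docs/ and /docs/Web/HTTP but not /documents.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Default path when Set-Cookie has no Path attribute: the directory part of
// the URL that set the cookie ("/docs/Web/index.html" -> "/docs/Web"), or "/".
function defaultPath(setUrl) {
  const p = new URL(setUrl).pathname;
  const i = p.lastIndexOf('/');
  return i <= 0 ? '/' : p.slice(0, i);
}

// Build the Cookie header value ('' if nothing matches) for a request URL.
function cookieHeaderFor(cookies, requestUrl) {
  const u = new URL(requestUrl);
  return cookies
    .filter(c => domainMatches(c, u.hostname) && pathMatches(c.path, u.pathname))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample jar: one cookie with explicit Domain and Path (as in the
// note), one host-only cookie that got the default path.
const JAR = [
  { name: 'yummy_cookie', value: 'choco', domain: 'mozilla.org', hostOnly: false, path: '/docs' },
  { name: 'tasty_cookie', value: 'strawberry', domain: 'www.example.org', hostOnly: true,
    path: defaultPath('https://www.example.org/sample_page.html') },
];
```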
8. Secure and HttpOnly attributes
+ Secure: the cookie is only sent to the server over HTTPS, and insecure sites (with http: in the URL) can't set cookies with the Secure attribute (HTTPS prevents man-in-the-middle attacks, but the cookie is still exposed to direct access to the hard disk or to JavaScript)
+ A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API (the value is managed by the server anyway, so the client has no need to access it; this helps limit the damage of XSS attacks)
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
9. Cookie prefixes (the server can't tell where a cookie was set or modified, so constraints are enforced from the moment it is first set)
+ For example, a cookie can also be modified from another subdomain, which carries a risk of session fixation attacks
+ __Host-: If a cookie name has this prefix, it's accepted in a Set-Cookie header only if it's also marked with the Secure attribute, was sent from a secure origin, does not include a Domain attribute, and has the Path attribute set to /. This way, these cookies can be seen as "domain-locked".
+ __Secure-: If a cookie name has this prefix, it's accepted in a Set-Cookie header only if it's marked with the Secure attribute and was sent from a secure origin. This is weaker than the __Host- prefix.
+ The browser will reject cookies with these prefixes that don't comply with their restrictions
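The acceptance rules from sections 6, 8 and 9 (and the SameSite defaults under Additional 4), simulated as an added example (my own code, not from the note or MDN): it parses one Set-Cookie header and reports whether a browser would accept it and why not. The rejection reasons and the "secure origin = https: scheme" test are my simplifications.

```javascript
// Added example (not from the note or MDN): simulates a browser deciding
// whether to accept a Set-Cookie header: Secure only from https: origins,
// SameSite=None requiring Secure, SameSite defaulting to Lax, and the
// __Secure- / __Host- prefix rules. Node.js, no dependencies.
function parseAttributes(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, httpOnly: false, sameSite: 'Lax', domain: null, path: null };
  for (const attr of rest) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'domain': cookie.domain = v.toLowerCase(); break;
      case 'path': cookie.path = v; break;
      case 'samesite': {
        const s = v.toLowerCase();   // unknown values fall back to the Lax default
        cookie.sameSite = s === 'strict' ? 'Strict' : s === 'none' ? 'None' : 'Lax';
      }
    }
  }
  return cookie;
}

// Returns { accepted, reason, cookie }; reason is null when accepted.
function acceptSetCookie(header, originUrl) {
  const cookie = parseAttributes(header);
  const secureOrigin = new URL(originUrl).protocol === 'https:';  // simplification
  const reject = reason => ({ accepted: false, reason, cookie });
  // Secure cookies can only be set from a secure (https:) origin.
  if (cookie.secure && !secureOrigin) return reject('Secure cookie set from insecure origin');
  // SameSite=None is only allowed together with Secure.
  if (cookie.sameSite === 'None' && !cookie.secure) return reject('SameSite=None requires Secure');
  // __Secure-: must carry Secure (and so must come from a secure origin).
  if (cookie.name.startsWith('__Secure-') && !cookie.secure) return reject('__Secure- requires Secure');
  // __Host-: Secure, no Domain attribute, Path=/ -> a "domain-locked" cookie.
  if (cookie.name.startsWith('__Host-')) {
    if (!cookie.secure) return reject('__Host- requires Secure');
    if (cookie.domain !== null) return reject('__Host- must not set Domain');
    if (cookie.path !== '/') return reject('__Host- requires Path=/');
  }
  return { accepted: true, reason: null, cookie };
}
```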
10. Tracking & Privacy -> 3rd party cookies
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#third-party_cookies
+ More structured and larger amounts of data can be stored using the IndexedDB API
Additional.
1. To see stored cookies (and other storage a web page can use), you can enable the Storage Inspector in Developer Tools and select Cookies from the storage tree
2. On cookie-related regulations (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie-related_regulations)
3. document.cookie lets you inspect the current cookies (*only those without HttpOnly), which also means they can be stolen through an XSS attack
4. The SameSite defaults changed in recent browsers
- SameSite=Lax is the new default if SameSite isn't specified. Previously, cookies were sent for all requests by default.
- Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context).
- Cookies from the same domain are no longer considered to be from the same site if sent using a different scheme (http: or https:).