I would like to know what is a host only cookie.
While retrieving a form auth, browser gets in the headers a JSESSIONID cookie shown as host only.
可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
回答1:
First of all, it is not possible for foo.com to set a cookie that can be read by bar.com. Host-only only protects example.com cookies from being read by bar.example.com.
From RFC 6265 regarding setting a cookie and its Domain attribute:
If the domain-attribute is non-empty: If the canonicalized request-host does not domain-match the domain-attribute: Ignore the cookie entirely and abort these steps. Otherwise: Set the cookie's host-only-flag to false. Set the cookie's domain to the domain-attribute. Otherwise: Set the cookie's host-only-flag to true. Set the cookie's domain to the canonicalized request-host.
What this means
The above can be summed up by "Host-only is the default". That is, if Domain is not specified, the cookie can only be read by the exact domain that has set the cookie. This can be loosened by setting the Domain attribute when setting a cookie.
For example, if the cookie is set by www.example.com and the Domain attribute is not specified, the cookie will be set with domain www.example.com and the cookie will be a host only cookie.
Another example: If the cookie is set by www.example.com and the Domain attribute is specified as example.com (so the cookie will be sent to foo.example.com too), the cookie will be set with domain example.com (or possibly .example.com by some browsers that use the dot from the previous RFC 2109 to denote not host-only) and the cookie will not be a host only cookie.
Sending of cookies is covered in section 5.4 regarding the when the cookie header is sent by the browser:
The cookie's host-only-flag is true and the canonicalized request-host is identical to the cookie's domain. Or: The cookie's host-only-flag is false and the canonicalized request-host domain-matches the cookie's domain.
So a cookie with domain foo.example.com and host-only as false is sent to example.com . If host-only is true, the foo.example.com is sent to foo.example.com only.
回答2:
Host Only cookie means that the cookie should be handled by the browser to the server only to the same host/server that firstly sent it to the browser.
You don't want to send this host only cookie for ad campaigns, as it might contain sensitive information.
回答3:
The cookie's host-only-flag is true and the canonicalized request-host is identical to the cookie's domain.
http://tools.ietf.org/html/rfc6265#section-5.4
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 聊天终结者 的文章《What is a host only cookie?》','https://www.manongdao.com/article-217496.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}