
HTTP cookies


History, motivating use cases

In the early days of the web, a server had no way of knowing whether two successive requests came from the same browser. Because this did not allow, for instance, a user to stay logged in, it was seen as a limitation. This obvious limitation led Netscape to equip the first version of Netscape Navigator with "cookies". Cookies were quickly adopted by web developers and imitated by other browsers.

With the introduction of document.cookie, web developers quickly started using cookies as a client-side storage mechanism.

Basics of cookies

How cookies work is defined in RFC 6265. When it receives an HTTP request, a server can send a Set-Cookie HTTP header in its response. The cookie value is then sent along with every subsequent request to the same server, in the Cookie HTTP header. Additionally, an expiry time can be specified for each cookie, and the domain and path the cookie applies to can be restricted.
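A minimal cookie jar, added here as an example (it is not code from the original page): it parses Set-Cookie headers carrying the Domain, Path and Expires attributes described above and decides which cookies a later request carries in its Cookie header. The header values, hostnames and timestamps are constructed.

```python
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit
SET_COOKIE_HEADERS = [  # constructed headers, as one response from https://example.org/ might carry
    "sessionid=abc123; Domain=example.org; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
    "theme=dark; Path=/account",
    "lang=en",
]

def default_path(p):  # RFC 6265 section 5.1.4: the directory of the request path, "/" if none
    return "/" if not p.startswith("/") or p.count("/") == 1 else p[:p.rfind("/")]

def parse_set_cookie(header, request_host, request_path="/"):
    """Turn one Set-Cookie header into a cookie record, applying RFC 6265 defaults."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": request_host.lower(),
              "host_only": True, "path": default_path(request_path), "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie["domain"], cookie["host_only"] = val.lstrip(".").lower(), False
        elif key == "path":
            cookie["path"] = val if val.startswith("/") else default_path(request_path)
        elif key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)  # timezone-aware datetime
    return cookie

def domain_matches(cookie, host):
    # host-only cookies go back only to the exact host; Domain= cookies also to its subdomains
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def path_matches(cookie_path, request_path):
    # RFC 6265 path-match: equal, or the cookie path is a directory prefix of the request path
    return request_path == cookie_path or (request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

def cookie_header_for(cookies, url, now):
    """Build the Cookie header a client would send for url, skipping expired and non-matching cookies."""
    u = urlsplit(url)
    host, path = u.hostname.lower(), (u.path or "/")
    sent = [c for c in cookies if (c["expires"] is None or c["expires"] > now)
            and domain_matches(c, host) and path_matches(c["path"], path)]
    return "; ".join(f"{c['name']}={c['value']}" for c in sent)

JAR = [parse_set_cookie(h, "example.org", "/") for h in SET_COOKIE_HEADERS]
NOW = parsedate_to_datetime("Wed, 01 Jan 2020 00:00:00 GMT")    # before sessionid expires
LATER = parsedate_to_datetime("Sat, 01 Jan 2022 00:00:00 GMT")  # after sessionid has expired
```

Note that `theme` is not sent for `/accounts` even though the string shares a prefix with `/account`: the path match is by directory, not by raw prefix.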

Critics, alternatives

Incompatibility with the REST architectural style

In the dissertation where he defines REST, Roy Fielding says about cookies:

An example of where an inappropriate extension has been made to the protocol to support features that contradict the desired properties of the generic interface is the introduction of site-wide state information in the form of HTTP cookies. Cookie interaction fails to match REST's model of application state, often resulting in confusion for the typical browser application. (...) The problem is that a cookie is defined as being attached to any future requests for a given set of resource identifiers, usually encompassing an entire site, rather than being associated with the particular application state (the set of currently rendered representations) on the browser. When the browser's history functionality (the "Back" button) is subsequently used to back-up to a view prior to that reflected by the cookie, the browser's application state no longer matches the stored state represented within the cookie. Therefore, the next request sent to the same server will contain a cookie that misrepresents the current application context, leading to confusion on both sides. (...) As a result, cookie-based applications on the Web will never be reliable. The same functionality should have been accomplished via anonymous authentication and true client-side state. A state mechanism that involves preferences can be more efficiently implemented using judicious use of context-setting URI rather than cookies, where judicious means one URI per state rather than an unbounded number of URI due to the embedding of a user-id. Likewise, the use of cookies to identify a user-specific "shopping basket" within a server-side database could be more efficiently implemented by defining the semantics of shopping items within the hypermedia data formats, allowing the user agent to select and store those items within their own client-side shopping basket, complete with a URI to be used for check-out when the client is ready to purchase.

Cookies used as client-side storage

Cookies used to serve as a client-side storage mechanism. At a time when there was no other way to store data on the client side, this use was considered legitimate. By 2012, an estimated 90% of users worldwide were using browsers that support the local storage API, and using cookies as client-side storage is no longer appropriate. Because cookies are sent with every request, they are an additional performance cost, especially on the mobile web.

Security

Because cookies are often used to identify a user within an application, a stolen cookie means that the user's identity within that application is stolen.

Furthermore, combined with the HTTP Referer (sic) header, cookies allow user tracking.

Web keys

When using cookies, a resource (the "R" in "URL") is defined (and generated on the server side) by the URL and the cookie. In this case, the cookie is used as a secret shared between the client and the server (and hopefully no one else). In a paper, Tyler Close suggests putting the secret directly in the URL (hence the name "web keys") and answers common concerns that could come along with this decision.

See also
