Thursday, 12 October 2017

Cookie Class

Introduction
It is described as follows
Keep in mind that a cookie is actually defined by the tuple of its name, path, and domain.
A cookie can be used for an HTTP session. It is described as follows
In fact HTTP sessions are usually implemented using cookies.
Cookies are a method that sites frequently use to track people.

Modifying a Cookie
It is described as follows
I think the other answers fail to address the primary attack which is being protected against here, which is not forging the cookie, but tampering with it, or inspecting it.

If you send a cookie to a browser saying "current_user=tom", the user can send you back an alternative cookie saying "current_user=dave". If you have nothing to validate the cookie against, your application will assume they are logged in as "dave".

This could be mitigated by signing the cookie using a secret key - the tampered cookie would not have the correct signature, so would be rejected.

However, there may still be a problem: if part of the state you want to store is secret. For instance, you might want to store the cost price and markup of the products in the user's basket; clearly a plaintext cookie that the user can read is not appropriate here.

This leaves you with two solutions:

  - Encrypt the contents of the cookie, so that it can be neither read nor amended without knowing the private key.
  - Store the actual data locally (e.g. in a disk or memory store) and send only an identifier in the cookie. This is generally known as "session data".

Signed Cookie
It is described as follows
Cookies are not secure and can easily be modified by clients. If you need to set cookies to, e.g., identify the currently logged in user, you need to sign your cookies to prevent forgery. ...
Signed cookies contain the encoded value of the cookie in addition to a timestamp and an HMAC signature. 
constructor
We do it like this.
String strCookieName = ...;
Cookie cookie = new Cookie(strCookieName, "");
setComment method
We do it like this.
cookie.setComment("...");
setDomain method
We do it like this.
cookie.setDomain("...");
setMaxAge method
It is described as follows
A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits. A zero value causes the cookie to be deleted.
To delete the cookie, we do this.
cookie.setMaxAge(0);
setPath method
We do it like this.
cookie.setPath("/");
Or like this.
String strPath = ...;
cookie.setPath(strPath);
setValue method
We do it like this.
cookie.setValue("");
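As an added example (not code from the original post), here is how the signed-cookie idea from the "Signed Cookie" section can be implemented together with the Cookie methods listed above: an HMAC-SHA256 signature over the value plus a timestamp, constant-time verification that rejects a tampered or stale value, and the path, max-age, HttpOnly and Secure settings on the resulting Cookie. The class name SignedCookieDemo, the cookie name "session" and the key string are made up for the example; it assumes the Servlet API (javax.servlet.http.Cookie, Servlet 3.0 or later for setHttpOnly) is on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
public class SignedCookieDemo {
    // Cookie value layout: base64url(value).timestamp.base64url(HMAC(key, base64url(value).timestamp))
    static String sign(byte[] key, String value, long timestamp) throws Exception {
        String payload = b64(value.getBytes(StandardCharsets.UTF_8)) + "." + timestamp;
        return payload + "." + hmac(key, payload);
    }
    // Returns the original value, or null when the signature is wrong or the timestamp is too old.
    static String verify(byte[] key, String cookieValue, long now, long maxAgeSeconds) throws Exception {
        String[] parts = cookieValue.split("\\.");
        if (parts.length != 3) return null;
        String payload = parts[0] + "." + parts[1];
        byte[] expected = hmac(key, payload).getBytes(StandardCharsets.UTF_8);
        byte[] actual = parts[2].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) return null; // constant-time comparison
        long ts;
        try { ts = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        if (now - ts > maxAgeSeconds) return null; // stale cookie, reject it
        return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
    }
    private static String b64(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }
    private static String hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return b64(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        // Placeholder key for the example; a real server loads a random secret from configuration.
        byte[] key = "PLACEHOLDER-load-a-random-secret-from-config".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis() / 1000;
        String signed = sign(key, "current_user=tom", now);
        Cookie cookie = new Cookie("session", signed); // the signed value is what the browser stores
        cookie.setPath("/");
        cookie.setMaxAge(3600);
        cookie.setHttpOnly(true); // Servlet 3.0+: not readable from document.cookie
        cookie.setSecure(true);   // only sent over HTTPS
        // A client that swaps the user name but keeps the old signature fails verification.
        String[] p = signed.split("\\.");
        String tampered = b64("current_user=dave".getBytes(StandardCharsets.UTF_8)) + "." + p[1] + "." + p[2];
        System.out.println("original: " + verify(key, signed, now, 3600));
        System.out.println("tampered: " + verify(key, tampered, now, 3600));
    }
}
```

Signing protects only integrity; as the quoted answer notes, a value the user must not read still has to be encrypted or kept server-side with only an identifier in the cookie.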