golang gin SetCookie parameters explained (notes on the search for information

Author: 哆啦在这A梦在哪 | Source: published 2020-08-13 10:46

Readers who do not want to follow the whole process can jump straight to the summary at the bottom.

1. Where to start: read the source code

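To understand something you have to look at its essence and peel it apart layer by layer, which here means reading its source code.
Basic usage is shown below. What do these parameters mean, and where are they explained? The internals must show it, so press F12 to jump into the definition.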

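func (c *Context) SetCookie(name, value string, maxAge int, path, domain string, secure, httpOnly bool)

example:
// Assumes u.Id is numeric: fmt.Sprint gives its decimal digits, whereas string(u.Id) on an integer yields the rune with that code point.
context.SetCookie("user_cookie", fmt.Sprint(u.Id), 1000, "/", "localhost", false, true)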

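2. After stepping in, you can see that an http.Cookie object is defined here and these values are passed into it. Keep going down to look at the details of that object.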


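Inside the Cookie object there are some basic comments, but they are not comprehensive. It does give the address of the detailed document, so go and take a look.
Link: https://tools.ietf.org/html/rfc6265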

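The document is a general introduction to cookies, and the information is very thorough. The explanations of these parameters start at around page 10, in section 4.1.2.1; each subsection covers one parameter.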


The relevant excerpt follows:

4.1.2.1. The Expires Attribute

The Expires attribute indicates the maximum lifetime of the cookie,
represented as the date and time at which the cookie expires. The
user agent is not required to retain the cookie until the specified
date has passed. In fact, user agents often evict cookies due to
memory pressure or privacy concerns.

4.1.2.2. The Max-Age Attribute

The Max-Age attribute indicates the maximum lifetime of the cookie,
represented as the number of seconds until the cookie expires. The
user agent is not required to retain the cookie for the specified
duration. In fact, user agents often evict cookies due to memory
pressure or privacy concerns.

  NOTE: Some existing user agents do not support the Max-Age
  attribute.  User agents that do not support the Max-Age attribute
  ignore the attribute.

If a cookie has both the Max-Age and the Expires attribute, the Max-
Age attribute has precedence and controls the expiration date of the
cookie. If a cookie has neither the Max-Age nor the Expires
attribute, the user agent will retain the cookie until "the current
session is over" (as defined by the user agent).

4.1.2.3. The Domain Attribute

The Domain attribute specifies those hosts to which the cookie will
be sent. For example, if the value of the Domain attribute is
"example.com", the user agent will include the cookie in the Cookie
header when making HTTP requests to example.com, www.example.com, and
www.corp.example.com. (Note that a leading %x2E ("."), if present,
is ignored even though that character is not permitted, but a
trailing %x2E ("."), if present, will cause the user agent to ignore
the attribute.) If the server omits the Domain attribute, the user
agent will return the cookie only to the origin server.

WARNING: Some existing user agents treat an absent Domain
attribute as if the Domain attribute were present and contained
the current host name. For example, if example.com returns a Set-
Cookie header without a Domain attribute, these user agents will
erroneously send the cookie to www.example.com as well.

The user agent will reject cookies unless the Domain attribute
specifies a scope for the cookie that would include the origin
server. For example, the user agent will accept a cookie with a
Domain attribute of "example.com" or of "foo.example.com" from
foo.example.com, but the user agent will not accept a cookie with a
Domain attribute of "bar.example.com" or of "baz.foo.example.com".

NOTE: For security reasons, many user agents are configured to reject
Domain attributes that correspond to "public suffixes". For example,
some user agents will reject Domain attributes of "com" or "co.uk".
(See Section 5.3 for more information.)

4.1.2.4. The Path Attribute

The scope of each cookie is limited to a set of paths, controlled by
the Path attribute. If the server omits the Path attribute, the user
agent will use the "directory" of the request-uri's path component as
the default value. (See Section 5.1.4 for more details.)

The user agent will include the cookie in an HTTP request only if the
path portion of the request-uri matches (or is a subdirectory of) the
cookie's Path attribute, where the %x2F ("/") character is
interpreted as a directory separator.

Although seemingly useful for isolating cookies between different
paths within a given host, the Path attribute cannot be relied upon
for security (see Section 8).

4.1.2.5. The Secure Attribute

The Secure attribute limits the scope of the cookie to "secure"
channels (where "secure" is defined by the user agent). When a
cookie has the Secure attribute, the user agent will include the
cookie in an HTTP request only if the request is transmitted over a
secure channel (typically HTTP over Transport Layer Security (TLS)
[[RFC2818](https://tools.ietf.org/html/rfc2818 "HTTP Over TLS")]).

Although seemingly useful for protecting cookies from active network
attackers, the Secure attribute protects only the cookie's
confidentiality. An active network attacker can overwrite Secure
cookies from an insecure channel, disrupting their integrity (see
Section 8.6 for more details).

4.1.2.6. The HttpOnly Attribute

The HttpOnly attribute limits the scope of the cookie to HTTP
requests. In particular, the attribute instructs the user agent to
omit the cookie when providing access to cookies via "non-HTTP" APIs
(such as a web browser API that exposes cookies to scripts).

Note that the HttpOnly attribute is independent of the Secure
attribute: a cookie can have both the HttpOnly and the Secure
attribute.

Summary

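Here is a rough description of what each parameter does:
The first parameter, name, is the cookie name;
The second parameter, value, is the cookie value;
The third parameter, maxAge, is how long the cookie is valid. Once the cookie has existed longer than the configured time it expires and is no longer a valid cookie. The unit is seconds;
The fourth parameter, path, is the directory the cookie belongs to;
The fifth parameter, domain, is the domain the cookie belongs to and defines the cookie's scope. It can be localhost or your own domain name, depending on your situation;
The sixth parameter, secure, indicates whether the cookie can only be accessed over https. When true, only https is allowed;
The seventh parameter, httpOnly, indicates whether the cookie can be manipulated by JS code. When true, it cannot be read by JS.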
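
An added example, not part of the original post and not gin's own code: it shows the Set-Cookie header that Go's net/http writes when an http.Cookie is filled from the same seven values, including the maxAge cases the summary does not spell out (zero and negative). The helper name cookieHeader and the value "42" are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cookieHeader is a hypothetical helper (not gin's code). It fills an
// http.Cookie from the same seven values SetCookie takes and returns the
// Set-Cookie header that net/http emits for it.
func cookieHeader(name, value string, maxAge int, path, domain string, secure, httpOnly bool) string {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, &http.Cookie{
		Name:     name,
		Value:    value,
		MaxAge:   maxAge,
		Path:     path,
		Domain:   domain,
		Secure:   secure,
		HttpOnly: httpOnly,
	})
	return rec.Header().Get("Set-Cookie")
}

func main() {
	// The call from the article; "42" is a constructed stand-in for the user id.
	// secure=false: the cookie is also sent over plain HTTP.
	fmt.Println(cookieHeader("user_cookie", "42", 1000, "/", "localhost", false, true))

	// secure=true adds the Secure attribute, so the browser sends it only over TLS.
	fmt.Println(cookieHeader("user_cookie", "42", 1000, "/", "localhost", true, true))

	// maxAge == 0: no Max-Age attribute is written, which makes it a session cookie.
	fmt.Println(cookieHeader("user_cookie", "42", 0, "/", "localhost", true, true))

	// maxAge < 0: net/http writes Max-Age=0, telling the browser to delete the cookie now.
	fmt.Println(cookieHeader("user_cookie", "", -1, "/", "localhost", true, true))
}
```

For a cookie that identifies a logged-in user on an HTTPS site, secure=true together with httpOnly=true is the combination that the Secure and HttpOnly sections quoted above describe.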
