双重cookie 原来cookie是在哪的?为什么双重cookie就可以解决csrf?

要是两个不同网站都要cookie，怎么动态设置请求头?

cookie是每次请求都会发送给服务器吗?不会，因为服务器设置cookie时会指定其domain和path，只有请求相应的域时才会带上cookie

cookie设置httponly有什么用？可以用来防止csrf吗？//禁止js访问cookie，不能

HttpOnly防止脚本读取，SameSite防止跨站攻击，Secure是Https加密传输用的

弊端

-基于cookie的机制很容易被CSRF

-cookie + session在跨域场景表现并不好

-查询session信息可能会有数据库查询操作

-如果是分布式部署，需要做多机共享session机制，实现方法可将session存储到数据库中或者redis中

reference: MDN

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

Cookies are mainly used for three purposes:

Session management

Logins, shopping carts, game scores, or anything else the server should remember

Personalization

User preferences, themes, and other settings

Tracking

Recording and analyzing user behavior

Cookies were once used for general client-side storage. While this was legitimate when they were the only way to store data on the client, it is recommended nowadays to prefer modern storage APIs. Cookies are sent with every request, so they can worsen performance (especially for mobile data connections). Modern APIs for client storage are the Web storage API (localStorage and sessionStorage) and IndexedDB.

Creating cookies

When receiving an HTTP request, a server can send a Set-Cookie header with the response. The cookie is usually stored by the browser, and then the cookie is sent with requests made to the same server inside a Cookie HTTP header. An expiration date or duration can be specified, after which the cookie is no longer sent. Additionally, restrictions to a specific domain and path can be set, limiting where the cookie is sent.

The Set-Cookie and Cookie headers

The Set-Cookie HTTP response header sends cookies from the server to the user agent. A simple cookie is set like this:

Set-Cookie: <cookie-name>=<cookie-value>

Session cookies: Expires or Max-Age

The cookie created above is a session cookie: it is deleted when the client shuts down, because it didn't specify an Expires or Max-Age directive. However, web browsers may use session restoring, which makes most session cookies permanent, as if the browser was never closed.

若不设置过期时间，则表示这个cookie的生命期为浏览器会话期间，关闭浏览器窗口cookie就消失。这种生命期为浏览器会话期的cookie被称为会话cookie。会话cookie一般不存储在硬盘上而是保存在内存里，当然这种行为并不是规范规定的。

若设置了过期时间，浏览器就会把cookie保存到硬盘上，关闭后再次打开浏览器，这些cookie仍然有效直到超过设定的过期时间。存储在硬盘上的cookie可以在不同的浏览器进程间共享，比如两个IE窗口。而对于保存在内存里的cookie，不同的浏览器有不同的处理方式。

Permanent cookies

Instead of expiring when the client closes, permanent cookies expire at a specific date (Expires) or after a specific length of time (Max-Age).

Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT;

Note: When an expiry date is set, the time and date set is relative to the client the cookie is being set on, not the server.

Secure and HttpOnly cookies

A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can't offer real protection. Starting with Chrome 52 and Firefox 52, insecure sites (http:) can't set cookies with the Secure directive.

To help mitigate cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript's Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and the HttpOnly flag should be set.

Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly

Scope of cookies

The Domain and Path directives define the scope of the cookie: what URLs the cookies should be sent to.

Domain specifies allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included.

For example, if Domain=mozilla.org is set, then cookies are included on subdomains like developer.mozilla.org.

Path indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F ("/") character is considered a directory separator, and subdirectories will match as well.

For example, if Path=/docs is set, these paths will match:

/docs

/docs/Web/

/docs/Web/HTTP

SameSite cookies

SameSite cookies let servers require that a cookie shouldn't be sent with cross-site (where Site is defined by the registrable domain) requests, which provides some protection against cross-site request forgery attacks (CSRF).

SameSite cookies are relatively new and supported by all major browsers.

Here is an example:

Set-Cookie: key=value; SameSite=Strict

The SameSite attribute can have one of three values (case-insensitive):

None

The browser will send cookies with both cross-site requests and same-site requests.

Strict

The browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different URL than the URL of the current location, none of the cookies tagged with the Strict attribute will be included.

Lax

Same-site cookies are withheld on cross-site subrequests, such as calls to load images or frames, but will be sent when a user navigates to the URL from an external site; for example, by following a link.

JavaScript access using Document.cookie

New cookies can also be created via JavaScript using the Document.cookie property, and if the HttpOnly flag is not set, existing cookies can be accessed from JavaScript as well.

document.cookie="yummy_cookie=choco";

document.cookie="tasty_cookie=strawberry";

console.log(document.cookie);// logs "yummy_cookie=choco; tasty_cookie=strawberry"

Cookies created via JavaScript cannot include the HttpOnly flag. Cookies available to JavaScript can be stolen through XSS.

二级域名能不能访问一级域名下设置的cookie，如何设置?document.domain

Cookie支持跨域名访问，例如将domain属性设置为“.biaodianfu.com”，则以“.biaodianfu.com”为后缀的一切域名均能够访问该Cookie。跨域名Cookie如今被普遍用在网络中，例如Google、Baidu、Sina等。

cookie不是很安全， 别人可以分析存放在本地的cookie并进行cookie欺骗（CSRF），考虑到安全应当使用session。一般建议将登陆信息等重要信息存放为session,，其他信息如果需要保留可以放在cookie中。

cookie不加密

cookie可以被篡改 XSS

现有网站A使用域名a.example.com，网站B使用域名b.example.com，如果希望在2个网站之间共享Cookie（浏览器可以将Cookie发送给服务器），那么在设置的Cookie的时候，必须设置domain为example.com。因此要跨域共享cookie需要双边都设置

1.服务器端使用CROS协议解决跨域访问数据问题时，需要设置响应消息头Access-Control-Allow-Credentials值为true。

同时，还需要设置响应消息头Access-Control-Allow-Origin值为指定单一域名（不能为通配符“*”）。

2.客户端需要设置Ajax请求属性withCredentials=true，让Ajax请求都带上Cookie。