【Posted】: 2014-10-05 01:22:35
【Question】:
If I set a cookie to expire at 7 pm today, and I start a session at 6:30 pm, will a request made during that session but after 7 pm still include the cookie, because it is only deleted when the session ends, or will the browser already have removed it?
【Question discussion】:
Yes, a cookie can expire during a session, and they usually do. A cookie expires when it expires, regardless of whether it is in a session or not. If the server wants the cookie to persist for the session, it should reset the cookie as a session cookie, or set the expiration further into the future.
Browsers should not send any expired cookie to the server. RFC 2965 (October 2000) dealt with this, stating:
Max-Age=value
   OPTIONAL.  The value of the Max-Age attribute is delta-seconds, the
   lifetime of the cookie in seconds, a decimal non-negative integer.
   To handle cached cookies correctly, a client SHOULD calculate the
   age of the cookie according to the age calculation rules in the
   HTTP/1.1 specification [RFC2616].  When the age is greater than
   delta-seconds seconds, the client SHOULD discard the cookie.  A
   value of zero means the cookie SHOULD be discarded immediately.
[emphasis added]
It then says:
Expired cookies SHOULD be discarded and thus are not forwarded to an origin server.
[emphasis added]
This RFC was in effect from October 2000 until April 2011, when RFC 2965 (October 2000) was superseded by RFC 6265 (April 2011). RFC 6265 changed the requirement to remove expired cookies from "should" to "must". RFC 6265 says:
4. Server Requirements
...
4.1.2.1. The Expires Attribute
The Expires attribute indicates the maximum lifetime of the cookie,
represented as the date and time at which the cookie expires. The
user agent is not required to retain the cookie until the specified
date has passed. In fact, user agents often evict cookies due to
memory pressure or privacy concerns.
4.1.2.2. The Max-Age Attribute
The Max-Age attribute indicates the maximum lifetime of the cookie,
represented as the number of seconds until the cookie expires. The
user agent is not required to retain the cookie for the specified
duration. In fact, user agents often evict cookies due to memory
pressure or privacy concerns.
NOTE: Some existing user agents do not support the Max-Age
attribute. User agents that do not support the Max-Age attribute
ignore the attribute.
If a cookie has both the Max-Age and the Expires attribute, the Max-
Age attribute has precedence and controls the expiration date of the
cookie. If a cookie has neither the Max-Age nor the Expires
attribute, the user agent will retain the cookie until "the current
session is over" (as defined by the user agent).
...
5. User Agent Requirements
...
5.2.1. The Expires Attribute
If the attribute-name case-insensitively matches the string
"Expires", the user agent MUST process the cookie-av as follows.
Let the expiry-time be the result of parsing the attribute-value as
cookie-date (see Section 5.1.1).
If the attribute-value failed to parse as a cookie date, ignore the
cookie-av.
If the expiry-time is later than the last date the user agent can
represent, the user agent MAY replace the expiry-time with the last
representable date.
If the expiry-time is earlier than the earliest date the user agent
can represent, the user agent MAY replace the expiry-time with the
earliest representable date.
Append an attribute to the cookie-attribute-list with an attribute-
name of Expires and an attribute-value of expiry-time.
5.2.2. The Max-Age Attribute
If the attribute-name case-insensitively matches the string "Max-
Age", the user agent MUST process the cookie-av as follows.
If the first character of the attribute-value is not a DIGIT or a "-"
character, ignore the cookie-av.
If the remainder of attribute-value contains a non-DIGIT character,
ignore the cookie-av.
Let delta-seconds be the attribute-value converted to an integer.
If delta-seconds is less than or equal to zero (0), let expiry-time
be the earliest representable date and time. Otherwise, let the
expiry-time be the current date and time plus delta-seconds seconds.
Append an attribute to the cookie-attribute-list with an attribute-
name of Max-Age and an attribute-value of expiry-time.
...
5.3. Storage Model
...
A cookie is "expired" if the cookie has an expiry date in the past.
The user agent MUST evict all expired cookies from the cookie store
if, at any time, an expired cookie exists in the cookie store.
At any time, the user agent MAY "remove excess cookies" from the
cookie store if the number of cookies sharing a domain field exceeds
some implementation-defined upper bound (such as 50 cookies).
At any time, the user agent MAY "remove excess cookies" from the
cookie store if the cookie store exceeds some predetermined upper
bound (such as 3000 cookies).
When the user agent removes excess cookies from the cookie store, the
user agent MUST evict cookies in the following priority order:
1. Expired cookies.
2. Cookies that share a domain field with more than a predetermined
number of other cookies.
3. All cookies.
If two cookies have the same removal priority, the user agent MUST
evict the cookie with the earliest last-access date first.
When "the current session is over" (as defined by the user agent),
the user agent MUST remove from the cookie store all cookies with the
persistent-flag set to false.
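The rules quoted above can be exercised directly. The following is an added example, not code from the original post: a minimal cookie jar in JavaScript that applies the RFC 6265 rules for the Max-Age and Expires attributes (Sections 5.2.1 and 5.2.2, including Max-Age precedence), evicts expired cookies (Section 5.3) before building the Cookie request header, and removes only non-persistent cookies at session end. It then runs the situation from the question with constructed timestamps (a cookie set at 18:30 with Max-Age=1800, i.e. expiring at 19:00, alongside a session cookie). Assumptions: `Date.parse` stands in for the RFC 6265 Section 5.1.1 cookie-date algorithm, a single host is assumed, and Domain, Path, Secure and HttpOnly are accepted but not enforced.

```javascript
// Added example (not from the original post): a minimal RFC 6265 cookie jar
// covering the rules quoted above: Max-Age/Expires parsing (5.2.1, 5.2.2),
// eviction of expired cookies (5.3) and the Cookie request header (5.4).
// Domain, Path, Secure and HttpOnly are accepted but not enforced here.

// Parse one Set-Cookie header value received at time `now` (ms since epoch).
function parseSetCookie(headerValue, now) {
  const parts = headerValue.split(';');
  const eqPos = parts[0].indexOf('=');
  const cookie = {
    name: (eqPos === -1 ? parts[0] : parts[0].slice(0, eqPos)).trim(),
    value: eqPos === -1 ? '' : parts[0].slice(eqPos + 1).trim(),
    persistent: false,      // 5.3: false unless Max-Age or Expires is present
    expiryTime: Infinity,   // "latest representable date" for session cookies
  };
  let maxAgeExpiry = null;
  let expiresExpiry = null;
  for (const av of parts.slice(1)) {
    const i = av.indexOf('=');
    const attrName = (i === -1 ? av : av.slice(0, i)).trim().toLowerCase();
    const attrValue = i === -1 ? '' : av.slice(i + 1).trim();
    if (attrName === 'max-age') {
      // 5.2.2: an optional leading "-" followed only by DIGITs, else ignore the cookie-av
      if (!/^-?\d+$/.test(attrValue)) continue;
      const delta = parseInt(attrValue, 10);
      // delta <= 0 means "earliest representable date": the cookie is already expired
      maxAgeExpiry = delta <= 0 ? -Infinity : now + delta * 1000;
    } else if (attrName === 'expires') {
      // 5.2.1: parse as cookie-date, ignore the cookie-av on failure.
      // Date.parse stands in for the RFC 6265 5.1.1 date algorithm (an assumption).
      const t = Date.parse(attrValue);
      if (!Number.isNaN(t)) expiresExpiry = t;
    }
  }
  // 5.3: Max-Age takes precedence over Expires when both are present
  if (maxAgeExpiry !== null) {
    cookie.persistent = true;
    cookie.expiryTime = maxAgeExpiry;
  } else if (expiresExpiry !== null) {
    cookie.persistent = true;
    cookie.expiryTime = expiresExpiry;
  }
  return cookie;
}

class CookieStore {
  constructor() {
    this.cookies = new Map(); // keyed by name; a single host is assumed
  }

  // 5.3: store the cookie, then evict anything that is already expired.
  setCookie(headerValue, now) {
    const c = parseSetCookie(headerValue, now);
    this.cookies.set(c.name, c);
    this.evictExpired(now);
  }

  // 5.3: "The user agent MUST evict all expired cookies from the cookie store
  // if, at any time, an expired cookie exists in the cookie store."
  evictExpired(now) {
    for (const [name, c] of this.cookies) {
      if (c.expiryTime < now) this.cookies.delete(name); // expiry date is in the past
    }
  }

  // 5.4: build the Cookie request header for a request sent at `now`.
  // Expired cookies are evicted first, so they are never forwarded.
  cookieHeader(now) {
    this.evictExpired(now);
    return [...this.cookies.values()].map((c) => `${c.name}=${c.value}`).join('; ');
  }

  // 5.3, last paragraph: session end removes only non-persistent cookies.
  endSession() {
    for (const [name, c] of this.cookies) {
      if (!c.persistent) this.cookies.delete(name);
    }
  }
}

// The situation from the question, with constructed timestamps: the server sets
// a cookie at 18:30 that expires at 19:00 (Max-Age=1800) while the user keeps
// browsing, plus a session cookie that carries no expiry attribute.
function scenario() {
  const start = Date.UTC(2014, 9, 5, 18, 30, 0);
  const store = new CookieStore();
  store.setCookie('sid=abc123; Max-Age=1800; Path=/; HttpOnly', start);
  store.setCookie('pref=dark; Path=/', start);
  const at1845 = store.cookieHeader(start + 15 * 60 * 1000); // both cookies sent
  const at1901 = store.cookieHeader(start + 31 * 60 * 1000); // sid already evicted
  store.endSession();
  const afterSession = store.cookieHeader(start + 31 * 60 * 1000); // pref gone too
  return { at1845, at1901, afterSession };
}

console.log(scenario());
```

The request at 19:01 carries only `pref=dark`: the `sid` cookie was evicted the moment its expiry date fell in the past, with no session boundary involved. Session end then removes `pref`, which has no Max-Age or Expires and so is not persistent. The check on the server side that a practitioner wants is that a session cookie with a fixed expiry must be re-issued (or given a later expiry) on each response if it is meant to survive a long session, since nothing in the user agent extends it.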
【Discussion】: