Cookies
HTTP is a stateless protocol, meaning that it retains no session state between transactions. Cookies, as specified by the HTTP 1.1 standard, let web clients and servers cooperate to build a stateful session from a sequence of HTTP transactions.
Each time a server sends a response to a client's request, the server may initiate or continue a session by sending one or more Set-Cookie headers, whose contents are small data items called cookies. When a client sends another request to the server, the client may continue a session by sending Cookie headers with cookies previously received from that server or other servers in the same domain. Each cookie is a pair of strings, the name and value of the cookie, plus optional attributes. Attribute max-age is the maximum number of seconds the cookie should be kept. The client should discard saved cookies after their maximum age. If max-age is missing, then the client should discard the cookie when the user's interactive session ends.
Cookies have neither intrinsic privacy nor intrinsic authentication. Cookies travel in the clear on the Internet, and therefore are vulnerable to sniffing. A malicious client might return cookies different from the cookies it previously received. To use cookies for authentication or identification, or to hold sensitive information, the server must encrypt and encode the cookies it sends to clients, and decode, decrypt, and verify the cookies it receives back from clients.
Encryption, encoding, decoding, decryption, and verification may all ...
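The following added example (not code from the book) shows the encode-and-verify half of this advice with the standard library: the server encodes a cookie value, appends an HMAC-SHA256 tag, emits it in a Set-Cookie header with max-age, and on the next request checks the tag before trusting the value, so a cookie a client altered or forged is rejected. It covers integrity only, not confidentiality; the secret key and the `session`/`user=alice` values are constructed for the example.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed secret for this example; a real server loads it from configuration.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def sign_cookie_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Encode value as unpadded URL-safe base64 and append an HMAC-SHA256 tag."""
    payload = base64.urlsafe_b64encode(value.encode("utf-8")).decode("ascii").rstrip("=")
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie_value(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag verifies, else None (tampered/forged)."""
    payload, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    padded = payload + "=" * (-len(payload) % 4)
    try:
        return base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def build_set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Build the Set-Cookie header value the server sends, with max-age set."""
    c = SimpleCookie()
    c[name] = sign_cookie_value(value)
    c[name]["max-age"] = max_age   # client discards the cookie after this many seconds
    c[name]["httponly"] = True     # keep the cookie out of reach of page scripts
    c[name]["secure"] = True       # only send it over TLS, which addresses the sniffing risk
    return c[name].OutputString()


def read_cookie_header(name: str, cookie_header: str):
    """Parse a Cookie request header and return the verified value for name, or None."""
    c = SimpleCookie()
    c.load(cookie_header)
    if name not in c:
        return None
    return verify_cookie_value(c[name].value)
```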