Cookies Overview and HTTP ProxiesWhat is a Cookie?Why use Cookies?Example Cookie UseTracking Unique VisitorsCookie NotesCookie StandardsCookie AnatomyCookie Parts: Name/ValueCookie Parts: DomainCookie Parts: DomainCookie Parts: PathCookie Parts: ExpiresCookie Parts: SecureUser-server interaction: cookiesCookie exampleWeb Caches (proxy server)More about Web cachingNote: Meta tags and http-equivReferencesCookies Overview and HTTP ProxiesWhat is a Cookie? Small piece of data generated by a web server, stored on the client’s hard drive. Serves as an add-on to the HTTP specification (remember, HTTP by itself is stateless.) Still somewhat controversial, as it enables web sites to track web users and their habits…Why use Cookies? Tracking unique visitors Creating personalized web sites Shopping Carts Tracking users across your site: e.g. do users that visit your sports news page also visit your sports store?Example Cookie Use Website wants to track the number of unique visitors who access its site. If the website checks the HTTP Server logs, it can determine the number of “hits”, but cannot determine the number of unique visitors. That’s because HTTP is stateless. It retains no memory regarding individual users. Cookies provide a mechanism to solve this problem.Tracking Unique Visitors Step 1: Person A requests the website. Step 2: Web Server generates a new unique ID. Step 3: Server returns home page plus a cookie set to the unique ID. Step 4: Each time Person A returns to the website, the browser automatically sends the cookie along with the GET request.Cookie Notes Created in 1994 for Netscape 1.1 Cookies cannot be larger than 4K No domain (e.g. netscape.com, microsoft.com) can have more than 20 cookies. Cookies stay on your machine until: they automatically expire they are explicitly deleted Cookies work the same on all browsers.Cookie Standards Version 0 (Netscape): The original cookie specification Implemented by all browsers and servers We will focus on this Version Version 1 A proposed standard of the Internet Engineering Task Force (IETF) Not very widely used (hence, we will stick to Version 0.)Cookie Anatomy Version 0 specifies six cookie parts: Name Value Domain Path Expires SecureCookie Parts: Name/Value Name Name of your cookie (Required) Cannot contain white spaces, semicolons or commas. Value Value of your cookie (Required) Cannot contain white spaces, semicolons or commas.Cookie Parts: Domain Only pages from the domain which created a cookie are allowed toread the cookie. For example, amazon.com cannot read yahoo.com’s cookies (imagine the security flaws if this were otherwise!) By default, the domain is set to the full domain of the web server that served the web page. For example, myserver.mydomain.com would automatically set the domain to .myserver.mydomain.comCookie Parts: Domain Note that domains are always prepended with a dot. This is a security precaution: all domains must have at least two periods. You can however, set a higher level domain For example, myserver.mydomain.com can set the domain to .mydomain.com. This way hisserver.mydomain.com and herserver.mydomain.com can all access the same cookies. No matter what, you cannot set a domain other than your own.Cookie Parts: Path Restricts cookie usage within the site. By default, the path is set to the path of the page that created the cookie. Example: user requests page from mymall.com/storea. By default, cookie will only be returned to pages for or under /storea. If you specify the path to / the cookie will be returned to all pages (a common practice.)Cookie Parts: Expires Specifies when the cookie will expire. Specified in Greenwich Mean Time (GMT): Wdy DD-Mon-YYYY HH:MM:SS GMT If you leave this value blank, browser will delete the cookie when the user exits the browser. This is known as a session cookies, as opposed to a persistent cookie.Cookie Parts: Secure The secure flag is designed to encrypt cookies while in transit. A secure cookie will only be sent over a secure connection (such as SSL.) In other words, if a cookie is set to secure, and you only connect via a non-secure connection, the cookie will notbe sent.User-server interaction: cookiesserverclient server sends “cookie” to client in response msgSet-cookie: 1678453 client stores & presents cookie in later requestscookie: 1678453 server matches presented-cookie with server-stored info authentication remembering user preferences, previous choicesusual http request msgusual http response +Set-cookie: #usual http request msgcookie: #usual http response msgcookie-spectificactionusual http request msgcookie: #usual http response msgcookie-spectificactionCookie exampletelnet www.google.com 80Trying 216.239.33.99...Connected to www.google.com.Escape character is '^]'.GET /index.html HTTP/1.0HTTP/1.0 200 OKDate: Wed, 10 Sep 2003 08:58:55 GMTSet-Cookie: PREF=ID=43bd8b0f34818b58:TM=1063184203:LM=1063184203:S=DDqPgTb56Za88O2y; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com..Web Caches (proxy server)Goal: satisfy client request without involving origin serverorigin server user sets browser: Web accesses via web cache client sends all http requests to web cache if object at web cache, web cache immediately returns object in http response else requests object from origin server, then returns http response to clientclientProxyserverclienthttp requesthttp requesthttp responsehttp responsehttp requesthttp responsehttp requesthttp responseorigin serverMore about Web caching Cache acts as both client and server Cache can do up-to-date check using If-modified-sinceHTTP header Issue: should cache take risk and deliver cached object without checking? Heuristics are used. Typically cache is installed by ISP (university, company, residential ISP)Why Web caching? Reduce response time for client request. Reduce traffic on an institution’s access link. Internet dense with caches enables “poor” content providers to effectively deliver contentNote: Meta tags and http-equiv HTTP servers use the property name specified by the http-equiv attribute to create an [RFC822]-style header in the HTTP response. The following sample META declaration:<META http-equiv="Expires"
View Full Document