Cookies were the first technique introduced to solve this problem. Cookies are part of the HTTP protocol, and their handling consists of the following steps:
- The server sends a cookie to the client.
- This is usually done with the Set-Cookie header defined by the HTTP protocol.
- The specification requires the cookie to be in name=value format; this part is mandatory.
- The browser stores the cookie.
- On every subsequent request, the browser sends the cookie back to the server.
Other optional cookie attributes affect how the cookie is sent back to the server. The main ones are:
- domain: the domain the cookie applies to. A subdomain can read cookies of its parent or top-level domain.
- path: the path the cookie applies to; the cookie is only sent when the request path matches it.
- expires and maxAge: tell the browser when the cookie expires. expires is an absolute time in UTC format, while maxAge is a relative time (how long until the cookie expires). When neither option is set, the result is a session cookie; session cookies are transient and are cleared when the user closes the browser. They are typically used to store the session_id of a session.
- secure: when secure is true, the cookie is not valid over HTTP and is only valid over HTTPS.
- httpOnly: the browser does not allow scripts to read the cookie via document.cookie. In general this should be set to true, so that an XSS attack cannot obtain the cookie.
The SameSite cookie attribute
The same-site cookie attribute can be used to disable third-party usage for a specific cookie. It is set by the server when setting the cookie, and requests the browser to only send the cookie in a first-party context, i.e. when you are using the web application directly. When another site tries to request something from the web application, the cookie is not sent. This effectively makes CSRF impossible, because an attacker can no longer use a user's session from their own site.
The server can set a same-site cookie by adding the SameSite=… attribute to the Set-Cookie header:
Set-Cookie: key=value; HttpOnly; SameSite=strict
There are two possible values for the SameSite attribute:
- strict mode: the cookie is withheld on any cross-site usage. Even when the user follows a link to another website, the cookie is not sent.
- lax mode: some cross-site usage is allowed, specifically when the request is a GET request and the request is top-level.
Top-level means that the URL in the address bar changes because of this navigation. This is not the case for iframes, images or XMLHttpRequests.
This table shows which cookies are sent with cross-origin requests. As you can see, cookies without a same-site attribute (indicated by 'normal') are always sent. Strict cookies are never sent. Lax cookies are only sent with a top-level GET request.
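As an added example (not code from the original article), the following simplified Python model of the attributes above parses a Set-Cookie value and decides whether the stored cookie would accompany a given request, applying the cross-site rules of the table: normal always, Strict never, Lax only on a top-level GET. The cross_site and top_level flags, and treating a missing Domain like the setting host, are simplifications assumed here.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                 # host scope, e.g. "example.com"
    path: str = "/"
    secure: bool = False
    http_only: bool = False
    same_site: str = "normal"   # "normal" = attribute absent, "lax" or "strict"

def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie value (simplified: no host-only distinction, no Expires/Max-Age)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()   # attribute names are case-insensitive
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.lower()
    return cookie

def will_send(c: Cookie, host: str, path: str = "/", scheme: str = "https",
              method: str = "GET", cross_site: bool = False, top_level: bool = False) -> bool:
    """Browser-side decision whether a stored cookie is attached to a request.
    cross_site: initiated by another site; top_level: the navigation changes
    the address bar (not an iframe, image or XMLHttpRequest)."""
    if not (host == c.domain or host.endswith("." + c.domain)):
        return False          # Domain: exact host or a subdomain of it
    if not (path == c.path or path.startswith(c.path.rstrip("/") + "/")):
        return False          # Path: request path must lie at or beneath it
    if c.secure and scheme != "https":
        return False          # Secure: never over plain HTTP
    # SameSite, per the table above: Strict is never sent cross-site,
    # Lax only with a top-level GET, a cookie without the attribute always.
    if cross_site and c.same_site == "strict":
        return False
    if cross_site and c.same_site == "lax":
        return method == "GET" and top_level
    return True
```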
Do Not Track (DNT) is an HTTP header field that requests that a web application or web site disable its direct or cross-site tracking of an individual user. The header field name is DNT and it currently accepts three values:
- 1, when the user does not want to be tracked
- 0, when the user consents to being tracked
- Null (no header sent), when the user has not expressed a preference
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
What do CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR mean? Fiddler makes this easy to find out; in Fiddler we can see the following information: