Learning Python Network Programming

(Sean Pound) #1

HTTP and Working with the Web


So, our cookie will expire on 22nd of April, 2035. An expiry date is the amount of
time that the server would like the client to hold on to the cookie for. Once the
expiry date has passed, the client can throw the cookie away and the server will
send a new one with the next request. Of course, there's nothing to stop a client
from immediately throwing the cookie away, though on some sites this may break
functionality that depends on the cookie.


Let's discuss two common cookie flags:

>>> print(cookies[0].get_nonstandard_attr('HttpOnly'))
None


Cookies that are stored on a client can be accessed in a number of ways:



  • By the client as part of an HTTP request and response sequence

  • By scripts running in the client, such as JavaScript

  • By other processes running in the client, such as Flash


The HttpOnly flag indicates that the client should only allow access to a cookie
when the access is part of an HTTP request or response. The other methods should
be denied access. This protects the client against cross-site scripting attacks
(see Chapter 9, Applications for the Web, for more information on these). This is an
important security feature, and when the server sets it, our application should
behave accordingly.


There is also a secure flag:

>>> cookies[0].secure
True


If the value is true, the Secure flag indicates that the cookie should only ever be sent
over a secure connection, such as HTTPS. Again, we should honor this if the flag has
been set, so that when our application sends requests containing this cookie, it only
sends them to HTTPS URLs.
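As an added example (not code from the book), here is how a urllib client can read both flags from a cookie jar and rely on http.cookiejar's default policy to withhold Secure cookies from plain-HTTP requests; the cookie names, values and the example.com domain are constructed test data.

```python
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, secure, http_only):
    """Construct a cookie as a server's Set-Cookie would (constructed test data)."""
    # HttpOnly carries no value, so it is stored as a nonstandard attr mapping to None.
    rest = {"HttpOnly": None} if http_only else {}
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest=rest)


def build_jar():
    """A jar holding one Secure+HttpOnly session cookie and one plain cookie."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("session", "abc123", "example.com",
                               secure=True, http_only=True))
    jar.set_cookie(make_cookie("theme", "dark", "example.com",
                               secure=False, http_only=False))
    return jar


def cookie_flags(jar):
    """Map cookie name -> (secure, http_only). Use has_nonstandard_attr for
    HttpOnly: get_nonstandard_attr returns None both when the attribute is
    absent and when it is present without a value."""
    return {c.name: (c.secure, c.has_nonstandard_attr("HttpOnly")) for c in jar}


def cookies_sent_to(jar, url):
    """Names of the cookies the jar's policy would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)          # applies DefaultCookiePolicy
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


if __name__ == "__main__":
    jar = build_jar()
    print(cookie_flags(jar))
    print(cookies_sent_to(jar, "http://example.com/"))   # ['theme']
    print(cookies_sent_to(jar, "https://example.com/"))  # ['session', 'theme']
```

Note that `set_cookie` stores a cookie without consulting the policy; the Secure check is applied when the jar builds the Cookie header for an outgoing request.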


You may have spotted an inconsistency here. Our URL has requested a response
over HTTP, yet the server has sent us a cookie, which it's requesting to be sent only
over secure connections. Surely the site designers didn't overlook a security loophole
like that? Rest assured; they didn't. The response was actually sent over HTTPS. But,
how did that happen? Well, the answer lies with redirects.
