When is an HTTP cookie set? - http

Does the browser set a cookie after it receives the header or after it receives the body? This is relevant when sending a large file in the body of the request.

I would think a browser would set the cookie as it is processing the response headers, since the cookie information is in there. It doesn't make much sense to receive the headers, then set the cookies after it processes the HTML.

Related

http get response to same uri means same format in response

I have a question regarding the response to a HTTP request.
My question is
The representations present in responses to GET requests on the same URI should always have the same format, and why.
I thought that the server might change the content associated to that URI, or that the client making the request might change the accept header in the request, but I'm not sure.
The format may change based on Content-Encoding, Content-Disposition, and a lot of other things. Compression, for example, may be used (but that's not the final format, just the transport format). The page may contain dynamic content, based on your current user session (so based on your cookies, for example).
The server response would usually contain a Vary header which clearly states, for your browser, the request headers that may influence the content of the page.
For example you may have a Vary: cookie which means that if the browser requested this page without a cookie, and that later you have a cookie for this website, then the page content should not be loaded from the browser cache and a new request should be made.
So your first sentence is wrong, or too simple. Request headers and response headers can contain information on the validity of the message, how to store it, when to ask for changes, or what headers may alter the message content.
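
How a cache applies the Vary: Cookie behaviour described in the answer above, as an added example that is not part of the original answer. The VaryCache class, the URL and the bodies are constructed for illustration.

```javascript
// Added example: a toy cache keyed on URL plus the request headers named in Vary.
// Header names are assumed to be lower-cased already; bodies are constructed.
class VaryCache {
  constructor() { this.entries = new Map(); } // url -> [{ vary, selected, body }]

  // Values of the request headers that the response said it depends on.
  static select(varyNames, reqHeaders) {
    return varyNames.map((n) => reqHeaders[n] ?? '');
  }

  store(url, reqHeaders, resHeaders, body) {
    const vary = (resHeaders['vary'] || '')
      .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
    if (vary.includes('*')) return false; // Vary: * can never be matched
    const selected = VaryCache.select(vary, reqHeaders);
    const list = this.entries.get(url) || [];
    list.unshift({ vary, selected, body }); // newest entry is checked first
    this.entries.set(url, list);
    return true;
  }

  // A stored response is reusable only if every header listed in its Vary
  // has the same value in the new request as in the request that produced it.
  lookup(url, reqHeaders) {
    for (const e of this.entries.get(url) || []) {
      const current = VaryCache.select(e.vary, reqHeaders);
      if (current.every((v, i) => v === e.selected[i])) return e.body;
    }
    return null; // miss: a new request must go to the server
  }
}

const cache = new VaryCache();
const url = 'https://example.com/home';
// First visit: no cookie yet, and the server answers with Vary: Cookie.
cache.store(url, { accept: 'text/html' }, { vary: 'Cookie' }, 'anonymous page');
const anonymousHit = cache.lookup(url, { accept: 'text/html' });
// Later the browser holds a session cookie: the cached copy no longer matches.
const afterLogin = cache.lookup(url, { accept: 'text/html', cookie: 'sid=abc123' });
console.log(anonymousHit, afterLogin);
```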

Is HTTP Origin header reliable?

We can change the Origin header in an AJAX request or using the Chrome plugin 'Modify Headers'.
Therefore we can access data from another host.
So is it a reliable approach to handle CORS?
HTTP_ORIGIN is neither sent by all browsers nor is it secure.
Nothing sent by the browser can ever be considered safe.
HTTP is a plain-text protocol. The ENTIRE request header/body structure can be faked to say anything you want.
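
A server-side illustration of the point made in the answers above, added here and not part of the original thread: the Origin header only selects which CORS response headers go back, while access to the data depends on a session the server can verify. The allow-list, session store, cookie name and handler name are hypothetical.

```javascript
// Added example (hypothetical names): Origin is a client-supplied hint,
// so it drives CORS response headers only, never the access decision.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed allow-list
const SESSIONS = new Map([['tok-1234', { user: 'alice' }]]);  // constructed session store

// Resolve the session from the "sid" cookie; null when absent or unknown.
function sessionFrom(headers) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(headers['cookie'] || '');
  return m ? SESSIONS.get(m[1]) || null : null;
}

function handleProfileRequest(headers) {
  const res = { status: 200, headers: { vary: 'Origin' }, body: null };
  const origin = headers['origin'];

  // CORS: tells a browser which page origins may read this response.
  // Any other HTTP client can send whatever Origin it likes, so matching
  // the allow-list grants nothing by itself.
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.headers['access-control-allow-origin'] = origin;
    res.headers['access-control-allow-credentials'] = 'true';
  }

  // Authorization: based on a credential the server issued and can check.
  const session = sessionFrom(headers);
  if (!session) {
    res.status = 401;
    return res;
  }
  res.body = { user: session.user };
  return res;
}
```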

Paw: The value of a cookie changes after a request has been sent

I'm trying to send a request with a session cookie, but when the request is sent the value for that cookie changes.
Here is how the cookie looks:
Here is how it looks after the request has been sent:
What is happening?
Sorry for the late answer to this question. The only reason I see for the cookie to change is if the server sends back a Set-Cookie header in the response.
Paw will behave like web browsers by sending by default a Cookie header with the cookies stored for this domain, and will store new cookies when the server sends back a Set-Cookie header.
You can see all cookies stored in Paw by going to the left panel > Sessions > Manage:
Also, please note that you have the ability to disable cookie sending and/or cookie saving for each request in the Request > Options tab:

Is the cookie "metadata" (expires, path,...) transferred to the server?

When you set a cookie, you set the raw cookie data, and some metadata. This metadata includes the path for where the cookie is valid, the expiration time of the cookie, and so on.
When a browser performs a request, what exactly will the browsers send with it? Will it send the full cookie, with all the "metadata"? Or only the actual data of the cookie, without the metadata?
No, only the value of the cookie is returned in subsequent requests; the other metadata stays on the client.
When you define a cookie on the server a Set-Cookie header is created in the response carrying the name, value and other metadata about the cookie. Multiple Cookies will create multiple Set-Cookie headers in the response.
When the browser makes subsequent requests it checks its "database" of available cookies to see which cookies are appropriate for the path being requested. It then creates a single Cookie header in the request that carries just a series of name/value pairs of the qualifying cookies.
It's important to keep tight control on the number of cookies and the size of the data, otherwise you may find that the weight of cookie data being sent for each and every request can be detrimental to performance. This would be much worse if the metadata were returned with the cookies as well.
The server sets the cookie with the "Set-Cookie" header. This contains the metadata (path and expiry), if specified. The client (browser) only sends the cookie itself in a "Cookie" header.
Firebug is a useful tool for Firefox to view all these headers. Similar tools should be available for other browsers.
Only the cookie data is sent to the server; other metadata is for the browser to perform some actions like cookie expiration.
The user-agent will re-transmit the path, domain, and port attributes if the cookie was set under RFC2965 (via the Set-Cookie2 header) and if the attribute was specified by the server. A sample request might contain:
Cookie: $Version="1";
name="val"; $Path="/site"; $Domain=".example.com"; $Port="81";
name="val"; $Path="/site/dir"; $Domain=".example.com"; $Port="81"
If the cookie was specified using the original Netscape Set-Cookie header, no attributes will be re-transmitted. If multiple cookies with the same name (but different paths) are valid for the request, all matching cookies will be supplied. An example request:
Cookie: name=val; name=val2
The full spec is here:
https://www.rfc-editor.org/rfc/rfc2965
The original Netscape spec is here:
http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
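
The behaviour the answers above describe for the plain Set-Cookie header, as an added example that is not part of the original thread: attributes stay in the client's cookie store and only name=value pairs are sent back. The CookieJar class and sample headers are constructed; a single host is assumed, so Domain matching is left out.

```javascript
// Added example: minimal single-host cookie jar, not a full RFC 6265 client.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/', expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'expires') cookie.expires = new Date(val);
  }
  return cookie;
}

// Path match: "/site" covers "/site" and "/site/dir" but not "/sitemap".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.cookies = []; }
  // Keep name, value and attributes; same name and path replaces the old entry.
  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    if (!c) return;
    this.cookies = this.cookies.filter((o) => o.name !== c.name || o.path !== c.path);
    this.cookies.push(c);
  }
  // Build the Cookie request header: matching, unexpired cookies, longest
  // path first, and nothing but name=value pairs on the wire.
  cookieHeader(requestPath, now = new Date()) {
    return this.cookies
      .filter((c) => pathMatches(requestPath, c.path))
      .filter((c) => c.expires === null || c.expires > now)
      .sort((a, b) => b.path.length - a.path.length)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed Set-Cookie headers, as received from one host.
const jar = new CookieJar();
jar.store('sid=abc123; Path=/; Expires=Wed, 01 Jan 2098 00:00:00 GMT; HttpOnly');
jar.store('name=val; Path=/site');
jar.store('name=val2; Path=/site/dir');
```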

Reading HTTP Header in ActionScript2

In AS2, I need to get a URL. In the header of the HTTP response, a cookie is set. Is it possible to read the header of the HTTP response and get the cookie's data?
This is a bit tricky. What you might have to do is use a server-side script to get the HTTP request header, then call that script from Flash.
