Description
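Background
The product requires automatic login for user accounts. We implemented it by storing the user's remember token in a cookie, so that after the browser is closed the user is logged in automatically using the remember token stored on the device. After the feature went live, we found that when the browser (WeChat, Chrome, Safari) is closed by force-quitting it, the cookie is sometimes lost.
Symptoms
- The user opens the browser and logs in. The response headers contain a Set-Cookie directive for the remember token, and the request headers of subsequent page requests include the remember token in the cookie.
- After force-quitting the browser and reopening it, the user account is sometimes not logged in automatically. A packet capture shows that the cookie in the request headers does not contain the remember token.
Analysis
Given the symptoms above, we suspected that when the browser is force-quit, it sometimes has not yet written the in-memory cookies to the file on the device, so the cookies are lost when the browser is reopened.
Later, reading the Chrome source code that handles cookie storage broadly confirmed our suspicion. I have not studied the details; my understanding is that Chrome is based on the WebKit engine, and all cookie operations are first written to the system cookie store. A cookie store object, implemented differently for each device and browser version, listens for change events on the system cookies and writes the cookies to the cookie file. Because writing the cookie file is not done in real time but through asynchronous events, force-quitting the browser can cause data in memory that has not yet been synced to the cookie file to be lost. For the technical details of cookie storage, anyone interested can read the code directly (https://cs.chromium.org/chromium/src/ios/net/cookies/cookie_store_ios.mm).
Packet capture records
Request and response headers captured on the cookie test page (http://www.html-kit.com/tools/cookietester) in a case where the cookie was lost.
Test device: iPhone 6s
OS version: iOS 10.3.3
Browsers: Safari, WeChat browser, Chrome
Test page load (the request headers contain some cookies from earlier operations, about ten cookies, to simulate a real environment)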
[18 Aug 2017, 3:28:06 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Cookie: TestCookie_Name=TestCookie_Value_022729; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Connection: keep-alive
Request and response headers for setting the cookie. TestCookie_Name=TestCookie_Value_022758
[18 Aug 2017, 3:28:19 PM]
POST /tools/cookietester/ HTTP/1.1 (request headers)
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Origin: http://www.html-kit.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer: http://www.html-kit.com/tools/cookietester/
Content-Length: 45
Cookie: TestCookie_Name=TestCookie_Value_022729; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
HTTP/1.1 302 Moved Temporarily (response headers)
Server: openresty/1.9.3.1
Date: Fri, 18 Aug 2017 07:28:20 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Set-Cookie: TestCookie_Name=TestCookie_Value_022758; Domain=www.html-kit.com; Expires=Sun, 20-Aug-2017 07:28:12 GMT; Path=/
Location: http://www.html-kit.com/tools/cookietester/
Vary: Accept-Encoding
Age: 0
Connection: keep-alive
Page load after the cookie is set
[18 Aug 2017, 3:28:20 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Origin: http://www.html-kit.com
Cookie: TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn
Referer: http://www.html-kit.com/tools/cookietester/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Request and response headers for setting the cookie. TestCookie_Name_201708182812=TestCookie_Value_022812;
[18 Aug 2017, 3:28:32 PM]
POST /tools/cookietester/ HTTP/1.1 (request headers)
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Origin: http://www.html-kit.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer: http://www.html-kit.com/tools/cookietester/
Content-Length: 58
Cookie: TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
HTTP/1.1 302 Moved Temporarily (response headers)
Server: openresty/1.9.3.1
Date: Fri, 18 Aug 2017 07:28:32 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Set-Cookie: TestCookie_Name_201708182812=TestCookie_Value_022812; Domain=www.html-kit.com; Expires=Sun, 20-Aug-2017 07:28:24 GMT; Path=/
Location: http://www.html-kit.com/tools/cookietester/
Vary: Accept-Encoding
Age: 0
Connection: keep-alive
Page load after the cookie is set
[18 Aug 2017, 3:28:32 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Origin: http://www.html-kit.com
Cookie: TestCookie_Name_201708182812=TestCookie_Value_022812; TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn
Referer: http://www.html-kit.com/tools/cookietester/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Request and response headers for setting the cookie. TestCookie_Name=TestCookie_Value_022824
[18 Aug 2017, 3:28:42 PM]
POST /tools/cookietester/ HTTP/1.1 (request headers)
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Origin: http://www.html-kit.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer: http://www.html-kit.com/tools/cookietester/
Content-Length: 45
Cookie: TestCookie_Name_201708182812=TestCookie_Value_022812; TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
HTTP/1.1 302 Moved Temporarily (response headers)
Server: openresty/1.9.3.1
Date: Fri, 18 Aug 2017 07:28:42 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Set-Cookie: TestCookie_Name=TestCookie_Value_022824; Domain=www.html-kit.com; Expires=Sun, 20-Aug-2017 07:28:34 GMT; Path=/
Location: http://www.html-kit.com/tools/cookietester/
Vary: Accept-Encoding
Age: 0
Connection: keep-alive
Page load after the cookie is set.
[18 Aug 2017, 3:28:43 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Origin: http://www.html-kit.com
Cookie: TestCookie_Name=TestCookie_Value_022824; TestCookie_Name_201708182812=TestCookie_Value_022812; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn
Referer: http://www.html-kit.com/tools/cookietester/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
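Page load after the browser is closed and reopened.
Before the browser was closed, TestCookie_Name was set twice: the first time to TestCookie_Value_022758 (old value), and the second time to TestCookie_Value_022824 (new value).
When the browser was reopened and the page loaded, the cookie in the request headers was TestCookie_Name=TestCookie_Value_022758 (old value), whereas when the page was loaded before closing, the cookie in the request headers was TestCookie_Name=TestCookie_Value_022824 (new value).
Therefore, force-quitting a browser on iOS can cause cookie data to be lost.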
[18 Aug 2017, 3:28:53 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Cookie: TestCookie_Name_201708182812=TestCookie_Value_022812; TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Connection: keep-alive
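The comparison made by hand in the capture above can be automated. The following is an added example, not part of the original issue: it replays a condensed copy of the capture (only the two cookies that changed) and reports any request that carries an older value than the last one issued, or omits an issued cookie. The function names are hypothetical, and Expires, Domain and Path matching are ignored.

```python
# Condensed from the capture on this page; "set" = Set-Cookie response header,
# "req" = Cookie request header. Attributes other than Path are left out.
EVENTS = [
    ("15:28:19", "set", "TestCookie_Name=TestCookie_Value_022758; Path=/"),
    ("15:28:20", "req", "TestCookie_Name=TestCookie_Value_022758"),
    ("15:28:32", "set", "TestCookie_Name_201708182812=TestCookie_Value_022812; Path=/"),
    ("15:28:32", "req", "TestCookie_Name_201708182812=TestCookie_Value_022812; "
                        "TestCookie_Name=TestCookie_Value_022758"),
    ("15:28:42", "set", "TestCookie_Name=TestCookie_Value_022824; Path=/"),
    ("15:28:43", "req", "TestCookie_Name=TestCookie_Value_022824; "
                        "TestCookie_Name_201708182812=TestCookie_Value_022812"),
    # First request after the force-quit and relaunch.
    ("15:28:53", "req", "TestCookie_Name_201708182812=TestCookie_Value_022812; "
                        "TestCookie_Name=TestCookie_Value_022758"),
]

def parse_pairs(header, first_only=False):
    """Return {name: value}. In Set-Cookie only the first pair is the cookie."""
    parts = header.split(";")
    if first_only:
        parts = parts[:1]
    pairs = {}
    for part in parts:
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs

def find_anomalies(events):
    """Flag requests whose cookies disagree with what the server last issued."""
    issued = {}    # cookie name -> values issued so far, oldest first
    findings = []
    for ts, kind, header in events:
        if kind == "set":
            for name, value in parse_pairs(header, first_only=True).items():
                issued.setdefault(name, []).append(value)
            continue
        sent = parse_pairs(header)
        for name, values in issued.items():
            if name not in sent:
                findings.append((ts, name, "missing", None, values[-1]))
            elif sent[name] != values[-1] and sent[name] in values[:-1]:
                findings.append((ts, name, "rollback", sent[name], values[-1]))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(EVENTS):
        print(finding)
```

A "missing" finding corresponds to the remember-token symptom described at the top of the issue, and a "rollback" finding to the old-value case shown in the final request of the capture.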