Set-Cookie
The Set-Cookie HTTP header is used to send cookies from the server to the user agent.
An HTTP cookie (web cookie, browser cookie) is a small piece of data that the server sends to the user's browser. The browser may store this piece of data and send it back to the server with every subsequent request.
This makes it possible, for example, to tell whether several requests came from the same browser (for instance, to authenticate the user). Cookies can be used to store any kind of state information, because the HTTP protocol itself is stateless.
Cookies are commonly used for the following purposes:
- Session management (logins, virtual shopping carts)
- Personalization (user preferences)
- Tracking (tracking the user's activity)
Session cookies
The simple cookie shown in the example above is a session cookie: such cookies are deleted when the client (browser) is closed, meaning they exist only for the current session, because neither the Expires nor the Max-Age attribute is set on them.
However, if the browser has automatic session restore enabled (which is quite common), a session cookie may survive the end of the browser session, as if the browser had never been closed.
Persistent cookies
Persistent cookies are not deleted when the client is closed, but on a specific date (the "Expires" attribute) or after a specific period of time has passed (the "Max-Age" attribute).
Task
Use the xh command-line tool to send a request to Twitter's web server and see which cookies Twitter's web server returns.
First, on the command line we run iwr -useb https://raw.githubusercontent.com/ducaale/xh/master/install.ps1 | iex

Second, we check the cookies with .\xh.exe -h https://www.facebook.com

PS C:\Users\opilane\source\repos\h5> .\xh.exe -h https://www.facebook.com
HTTP/2.0 200 OK
alt-svc: h3=":443"; ma=86400
cache-control: private, no-cache, no-store, must-revalidate
content-encoding: br
content-security-policy: default-src blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src *.facebook.com *.fbcdn.net 127.0.0.1:* 'nonce-lJC1PG1Q' blob: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.whatsapp.com:* wss://*.fbcdn.net attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ v.whatsapp.net *.fbsbx.com *.fb.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.whatsapp.net *.fb.com *.oculuscdn.com https://trustly.one/ https://*.trustly.one/ https://paywithmybank.com/ https://*.paywithmybank.com/;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;child-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: www.instagram.com *.fbcdn.net accounts.meta.com *.accounts.meta.com https://trustly.one/ https://*.trustly.one/ https://paywithmybank.com/ https://*.paywithmybank.com/;manifest-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;object-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
content-type: text/html; charset="utf-8"
cross-origin-opener-policy: unsafe-none
cross-origin-resource-policy: same-origin
date: Thu, 18 Sep 2025 05:56:50 GMT
document-policy: force-load-at-top
document-policy: include-js-call-stacks-in-crash-reports
expires: Sat, 01 Jan 2000 00:00:00 GMT
origin-agent-cluster: ?1
permissions-policy: accelerometer=(), attribution-reporting=(self), autoplay=(), bluetooth=(), browsing-topics=(self), camera=(self), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(self), clipboard-write=(self), compute-pressure=(), display-capture=(self), encrypted-media=(self), fullscreen=(self), gamepad=*, geolocation=(self), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(self), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(self), midi=(), otp-credentials=(), payment=(), picture-in-picture=(self), private-state-token-issuance=(), publickey-credentials-get=(self), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), unload=(self), window-management=(), xr-spatial-tracking=(self);report-to="permissions_policy"
pragma: no-cache
report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown&brsid=7551304170123600631&cpp=C3&cv=1027268847&st=1758175010411"}]}, {"max_age":21600,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/"}],"group":"permissions_policy"}
reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", default="https://www.facebook.com/ajax/browser_error_reports/?device_level=unknown&brsid=7551304170123600631&cpp=C3&cv=1027268847&st=1758175010411", permissions_policy="https://www.facebook.com/ajax/browser_error_reports/"
strict-transport-security: max-age=15552000; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-fb-connection-quality: EXCELLENT; q=0.9, rtt=13, rtx=0, c=10, mss=1392, tbw=3588, tp=-1, tpl=-1, uplat=268, ullat=0
x-fb-debug: v8a/n1x3K25e83dByTpoGhML3umetdDYfFoqXxoDO+BagrwSz7hVZhU/YW+4QFB6TDxwIxS+L5b3/EBT3e1dpg==
x-frame-options: DENY
x-xss-protection: 0
Next, we check the cookies with .\xh.exe -h https://www.youtube.com
PS C:\Users\opilane\source\repos\h5> .\xh.exe -h https://www.youtube.com
HTTP/2.0 200 OK
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-encoding: gzip
content-security-policy: require-trusted-types-for 'script';report-uri /cspreport
content-type: text/html; charset=utf-8
cross-origin-opener-policy: same-origin-allow-popups; report-to="youtube_main"
date: Thu, 18 Sep 2025 05:55:15 GMT
document-policy: include-js-call-stacks-in-crash-reports
expires: Mon, 01 Jan 1990 00:00:00 GMT
origin-trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
p3p: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=et for more info."
permissions-policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
pragma: no-cache
report-to: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
reporting-endpoints: default="/web-reports?context=eJwVy19IU2EcxnHfPSJ6ztw57_szLRVaw9DK6UwUbJkRaKKsJCzEFVvqFEs3N8_WAoOIoAyR7MJSo-jGJNPCizDMDIQEsQR1F5UaWRCC9OciE6HsdPG5-T480pfo6plzLGI-z_xbzSyt1Mv8ko89veRnp9MDzN4aYMWzrcyRqLGOEo2t92tsaExjfTNBtmYOMaclxO5EQqzpY5jdU6sM4eQqw1i1hPp6Cb96JPxclBD-LsG5T4YxS8Z8mYy1YzKePZQxNiJj6auMoNOIH24j8oJG-NaNWK2Ix3hPPObm45FZacLBDhMGnptQMWVCl-7bHxPyCxUMH1UQ8iiQQwp62xXk3FYQ-0BB0rSC9hUF42kqYt0qJN1cn4rmIRWLv1XYN1WcIY7gXg53HkenLv8Ax9UijrsnOZZcHI4GjrY2vemOdHIc6uaYeMRhHuRIGebYeslBCxypqxwrGxw3owRMcQLNOwRycwUyDguMlgi8122V6VulgMMp0OIS8PoFRLdAeEDgmm76scDyC4HJCYHCtwIpswL2OYFdEQHLB4HPSwLZnwQS1wW2bwjc-CtgiyKcMBAC0YSiGIIxjrAgE5QEglOXvY2wmUjoTyI4kgntuojOkUIY3Ek4ZSaQhVCcRijdTajTIYOQukf_ZBKmcgnv7ISKUsL9ckKvg6AdJ2zo3lQT0msImQ0EyUe49Z-fsKxzBwgJrQSX7kobofwy4dV1gjDGTo4Pv45RR0eedBks1ou-oBas8WRd8NRY6wM-r2b1eOustYFGrbH2bJNrv21_nq0gJz_LVuBqsf0DvkWzuA"
server: ESF
set-cookie: YSC=O-7nm4EKhCE; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none
set-cookie: __Secure-YEC=CgtuR3JzYzhVOUZDWSjDva7GBjInCgJFRRIhEh0SGwsMDg8QERITFBUWFxgZGhscHR4fICEiIyQlJiBj; Domain=.youtube.com; Expires=Sun, 18-Oct-2026 05:55:14 GMT; Path=/; Secure; HttpOnly; SameSite=lax
set-cookie: VISITOR_PRIVACY_METADATA=CgJFRRIhEh0SGwsMDg8QERITFBUWFxgZGhscHR4fICEiIyQlJiBj; Domain=.youtube.com; Expires=Sun, 18-Oct-2026 05:55:15 GMT; Path=/; Secure; HttpOnly; SameSite=none
set-cookie: VISITOR_INFO1_LIVE=; Domain=.youtube.com; Expires=Fri, 23-Dec-2022 05:55:15 GMT; Path=/; Secure; HttpOnly; SameSite=none
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
csrftoken=-8M5AS3U1gLWClFeRV2Pjh:
This is the value of the cookie named csrftoken.
It is used to protect against cross-site request forgery (CSRF) attacks. Such tokens are usually generated by the server and are used to verify that requests sent to the site were made by genuine users rather than by malicious ones.
expires=Fri, 16-Oct-2026 09:39:28 GMT:
This is the cookie's expiry date.
In this case the cookie expires on 16 October 2026, which means that after this date the browser deletes the cookie automatically unless the server renews it.
Max-Age=34560000:
This is the cookie's lifetime in seconds.
In this case the cookie lives for 34,560,000 seconds, which equals 400 days (about 13 months). This means the cookie is kept in the browser for 400 days from the moment it is created.
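The session/persistent distinction and the Expires and Max-Age attributes described above can be checked mechanically. The following is an added example, not part of the original exercise: it parses Set-Cookie values and reports each cookie's type, lifetime in days and which of Secure, HttpOnly and SameSite are absent. The function names are hypothetical; the first two sample values are copied from the YouTube response above, and the third is assembled from the three csrftoken fragments explained here, with the date written in standard HTTP-date form.

```python
from datetime import datetime, timezone

HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"

def parse_set_cookie(header_value):
    """Return (name, value, attrs); attribute names are lower-cased."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def classify(header_value, now):
    """Classify one Set-Cookie value as session, persistent or deleted."""
    name, _value, attrs = parse_set_cookie(header_value)
    lifetime = None                      # seconds; None = neither attribute is set
    if "max-age" in attrs:               # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        # Accept "18 Oct 2026" as well as the dashed "18-Oct-2026" seen in the output.
        text = attrs["expires"].replace("-", " ")
        expires = datetime.strptime(text, HTTP_DATE).replace(tzinfo=timezone.utc)
        lifetime = (expires - now).total_seconds()
    if lifetime is None:
        kind = "session"
    elif lifetime <= 0:
        kind = "deleted"                 # an expiry in the past makes the browser drop the cookie
    else:
        kind = "persistent"
    missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
    days = None if lifetime is None else round(lifetime / 86400, 1)
    return {"name": name, "kind": kind, "days": days, "missing": missing}

# Sample input: two values from the response above, one assembled from the page's fragments.
SAMPLES = [
    "YSC=O-7nm4EKhCE; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none",
    "VISITOR_INFO1_LIVE=; Domain=.youtube.com; Expires=Fri, 23-Dec-2022 05:55:15 GMT; "
    "Path=/; Secure; HttpOnly; SameSite=none",
    "csrftoken=-8M5AS3U1gLWClFeRV2Pjh; expires=Fri, 16-Oct-2026 09:39:28 GMT; Max-Age=34560000",
]
NOW = datetime(2025, 9, 18, 5, 55, 15, tzinfo=timezone.utc)  # date header of that response

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line, NOW))
```

Note that VISITOR_INFO1_LIVE carries an empty value and an Expires date in the past, which is how a server instructs the browser to delete an existing cookie.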
Summary
The task was to send an HTTP request to a web server using the command-line tool curl.exe -I and to see which cookies the server sends in response.