简体繁体 English

是否可以阻止在每个HTTP请求中发送cookie？

[英]Is it possible to prevent cookies to be sent in every HTTP request?

原文 2016-08-25 15:40:34 3 3 javascript/ node.js/ http/ cookies/ browser

I recently found (here: Does every web request send the browser cookies? ) that every HTTP request contains the cookies related to a domain every time a request is made to that same domain. 我最近发现（这里：每个Web请求是否发送浏览器cookie？）每次HTTP请求都包含每次向同一域发出请求时与域相关的cookie。

Given this, what happens when the request is not sent through a browser but from Node.js, for example? 鉴于此，例如，当请求不通过浏览器而是从Node.js发送时会发生什么？ Is it possible that no information is sent in the request? 是否可能在请求中未发送任何信息？ Is it also possible to prevent it to be sent in the browser requests? 是否也可以阻止它在浏览器请求中发送？

3 个解决方案

Browsers 浏览器

Is not possible to prevent browser to send cookies . 无法阻止浏览器发送cookie 。

This is why is generally it is recommended (Yahoo developer Best practice, see section Use Cookie-free Domains for Components) to serve static content like css, images, from a different domain that is cookie free. 这就是为什么通常建议（雅虎开发人员最佳实践，请参阅使用组件的无Cookie域）部分来提供来自不同cookie的不同域的静态内容，如css，images。

When the browser makes a request for a static image and sends cookies together with the request, the server doesn't have any use for those cookies . 当浏览器发出静态图像请求并将cookie与请求一起发送时， 服务器对这些cookie没有任何用处 。 So they only create network traffic for no good reason . 因此，他们只会毫无理由地创建网络流量 。 You should make sure static components are requested with cookie-free requests. 您应该确保使用无cookie请求请求静态组件。 Create a subdomain and host all your static components there. 创建一个子域并在那里托管所有静态组件。

Programmatically 编程

From any programming language , instead, you can choose if you like to send cookies or not. 相反， 您可以 从任何编程语言 中选择是否要发送cookie。

Cookie management is done by the programmer, because libraries are written to make single requests. Cookie管理由程序员完成，因为编写库是为了发出单个请求。

So if you make a first request that return cookies, you need to explicit read them, hold them locally somewhere, and eventually put them in a second request to the same server if you need. 因此，如果您发出第一个返回cookie的请求，则需要显式读取它们，将它们保存在本地某处，并最终在需要时将它们放入同一服务器的第二个请求中。

So from NodeJS if you don't explicitly add cookies in your requests the http call doesn't hold them. 因此，如果您没有在请求中明确添加cookie，那么从NodeJS中，http调用不会保留它们。

You Can Use Fetch with the credentials option set to omit see 您可以使用Fetch与credentials设置选项omit看

https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API

You can strip cookies with a proxy server. 您可以使用代理服务器剥离cookie。 For example our product WinGate will allow you to modify requests (and responses), and you could use this to clear the Cookie header in requests. 例如，我们的产品WinGate将允许您修改请求（和响应），您可以使用它来清除请求中的Cookie标头。

However, this will prevent a large number of websites from functioning properly, as cookies are used to transport session IDs so that the server can identify each connection / request your browser makes as being from the same "session". 但是，这将阻止大量网站正常运行，因为cookie用于传输会话ID，以便服务器可以识别您的浏览器所做的每个连接/请求来自同一个“会话”。 HTTP itself does not have any concept of session. HTTP本身没有任何会话概念。

Disclaimer: I work for Qbik who make WinGate. 免责声明：我为制作WinGate的Qbik工作。