Cookie丢失问题分析和抓包数据记录

[kevin-isky]

问题背景

根据产品需求需要实现用户账号自动登功能，实现方法是使用cookie记录用户的remember token，使得浏览器被关闭后根据用户设备里存储的remember token进行自动登陆。功能上线使用后发现，通过强制退出的方式关闭浏览器（微信，chrome，safari），有时候会出现cookie丢失的情况。

具体表现

• 用户打开浏览器登陆，可以看到响应头里有remember token的set-cookie指令，并且在随后的页面请求头里也能看到cookie里包括remember token。
• 强退浏览器后再打开浏览器，有时候会发现用户账号并没有自动登陆，通过数据抓包可以看到请求头里的cookie并没有remember token。

问题分析

由于上述具体表现的发生，因此怀疑浏览器强退的时候，有时候会没有把内存里的cookie写到设备的文件里，导致浏览器再打开后cookie的丢失。

后来通过查看chrome源码对于cookie存储的处理大体上能够验证我们的怀疑。具体细节没有研究，我的理解是是chrome浏览器基于webkit内核，所有的cookie操作都会先写到system cookie里，然后由各设备浏览器版本基于不同设备实现的cookie存储对象负责监听system cookie的change事件，把cookie写到cookie文件里，因为写cookie文件操作并不是实时的，而是通过异步事件，所以浏览器强退的时候可能就会造车内存中未同步到cookie文件里的数据丢失。具体cookie存储的技术细节，感兴趣的童鞋可以直接看代码 (https://cs.chromium.org/chromium/src/ios/net/cookies/cookie_store_ios.mm) 。

抓包数据记录

在cookie测试页面上 (http://www.html-kit.com/tools/cookietester) 出现cookie 丢失的情况下，相关请求头和响应头数据。

测试设备：iphone6s
系统版本：ios 10.3.3
浏览器：Safari 微信浏览器 chrome

测试页面加载（请求头里有一些是之前操作的cookie，大概是十个左右的cookie，用于模拟实际环境）

[18 Aug 2017, 3:28:06 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Upgrade-Insecure-Requests: 1
Cookie: TestCookie_Name=TestCookie_Value_022729; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Connection: keep-alive

设置cookie的请求头和响应头。TestCookie_Name=TestCookie_Value_022758

[18 Aug 2017, 3:28:19 PM]
POST /tools/cookietester/ HTTP/1.1 （请求头）
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Origin: http://www.html-kit.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer: http://www.html-kit.com/tools/cookietester/
Content-Length: 45
Cookie: TestCookie_Name=TestCookie_Value_022729; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954

HTTP/1.1 302 Moved Temporarily （响应头）
Server: openresty/1.9.3.1
Date: Fri, 18 Aug 2017 07:28:20 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Set-Cookie: TestCookie_Name=TestCookie_Value_022758; Domain=www.html-kit.com; Expires=Sun, 20-Aug-2017 07:28:12 GMT; Path=/
Location: http://www.html-kit.com/tools/cookietester/
Vary: Accept-Encoding
Age: 0
Connection: keep-alive

设置cookie完成后加载页面

[18 Aug 2017, 3:28:20 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Origin: http://www.html-kit.com
Cookie: TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-cn
Referer: http://www.html-kit.com/tools/cookietester/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN

设置cookie的请求头和响应头。TestCookie_Name_201708182812=TestCookie_Value_022812;

[18 Aug 2017, 3:28:32 PM]
POST /tools/cookietester/ HTTP/1.1（请求头）
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Origin: http://www.html-kit.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer: http://www.html-kit.com/tools/cookietester/
Content-Length: 58
Cookie: TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954

HTTP/1.1 302 Moved Temporarily（响应头）
Server: openresty/1.9.3.1
Date: Fri, 18 Aug 2017 07:28:32 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Set-Cookie: TestCookie_Name_201708182812=TestCookie_Value_022812; Domain=www.html-kit.com; Expires=Sun, 20-Aug-2017 07:28:24 GMT; Path=/
Location: http://www.html-kit.com/tools/cookietester/
Vary: Accept-Encoding
Age: 0
Connection: keep-alive

设置cookie完成后加载页面

[18 Aug 2017, 3:28:32 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Origin: http://www.html-kit.com
Cookie: TestCookie_Name_201708182812=TestCookie_Value_022812; TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-cn
Referer: http://www.html-kit.com/tools/cookietester/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN

设置cookie的请求头和响应头。TestCookie_Name=TestCookie_Value_022824

[18 Aug 2017, 3:28:42 PM]
POST /tools/cookietester/ HTTP/1.1（请求头）
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Origin: http://www.html-kit.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer: http://www.html-kit.com/tools/cookietester/
Content-Length: 45
Cookie: TestCookie_Name_201708182812=TestCookie_Value_022812; TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954

HTTP/1.1 302 Moved Temporarily（响应头）
Server: openresty/1.9.3.1
Date: Fri, 18 Aug 2017 07:28:42 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Set-Cookie: TestCookie_Name=TestCookie_Value_022824; Domain=www.html-kit.com; Expires=Sun, 20-Aug-2017 07:28:34 GMT; Path=/
Location: http://www.html-kit.com/tools/cookietester/
Vary: Accept-Encoding
Age: 0
Connection: keep-alive

设置cookie完成后加载页面。

[18 Aug 2017, 3:28:43 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Origin: http://www.html-kit.com
Cookie: TestCookie_Name=TestCookie_Value_022824; TestCookie_Name_201708182812=TestCookie_Value_022812; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/*;q=0.8
Accept-Language: zh-cn
Referer: http://www.html-kit.com/tools/cookietester/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN

浏览器关闭后重新打开，加载页面。

浏览器关闭前TestCookie_Name一共做了两次设置，第一次设置的值为TestCookie_Value_022758（旧值），第二次设置的值为TestCookie_Value_022824（新值）。
浏览器关闭后再打开并加载页面时，请求头里cookie的值是TestCookie_Name=TestCookie_Value_022758（旧值），而关闭之前加载页面时请求头里cookie的值是TestCookie_Name=TestCookie_Value_022824（新值）。
因此，ios上的浏览器强制退出的情况下，可能会造成cookie数据的丢失。
[18 Aug 2017, 3:28:53 PM]
GET /tools/cookietester/ HTTP/1.1
Host: www.html-kit.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Upgrade-Insecure-Requests: 1
Cookie: TestCookie_Name_201708182812=TestCookie_Value_022812; TestCookie_Name=TestCookie_Value_022758; TestCookie_Name_201708181803=TestCookie_Value_011803; TestCookie_Name_201708181743=TestCookie_Value_011743; TestCookie_Name_201708181128=TestCookie_Value_011128; TestCookie_Name_201708181123=TestCookie_Value_011123; TestCookie_Name_201708181115=TestCookie_Value_011115; TestCookie_Name_201708181041=TestCookie_Value_011041; TestCookie_Name_201708181037=TestCookie_Value_011037; TestCookie_Name_201708181032=TestCookie_Value_011032; TestCookie_Name_201708180954=TestCookie_Value_010954
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.12 NetType/WIFI Language/zh_CN
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Connection: keep-alive