HttpOnly configuration
HttpOnly
- The HttpOnly attribute is a kind of "talisman" attached to a cookie. Browsers implement a mechanism whereby, as long as a cookie carries the HttpOnly attribute, no JavaScript code is permitted to read that cookie's contents.
- How to enable it
.NET 2.0 (web.config)
<httpCookies httpOnlyCookies="true" …>
C#
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
VB.NET
Dim myCookie As HttpCookie = New HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)
PHP
- Version 5.2 and later
- Global setting in php.ini (1 or TRUE both enable it)
session.cookie_httponly=1
- Set the seventh argument of setcookie / setrawcookie to TRUE
setcookie('id', $_POST['name'], time()+3600, null, null, null, TRUE);
setrawcookie('id', $_POST['name'], time()+3600, null, null, null, TRUE);
- Set it at the top of the PHP script
ini_set("session.cookie_httponly", 1);
- Before version 5.2
header("Set-Cookie: hidden=value; httpOnly");
In the browser console
- http:
response.addHeader("Set-Cookie", "uid=112; Path=/; HttpOnly");
- https:
response.addHeader("Set-Cookie", "uid=112; Path=/; Secure; HttpOnly");
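Whichever of the settings above is used, the result is visible only in the Set-Cookie headers the server actually emits. The following audit script is an added example (not part of the original note): it parses Set-Cookie header values and reports, per cookie, which of the HttpOnly and Secure attributes is missing. The sample headers are constructed for the demonstration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attribute map.

    Attributes are keyed in lower case; flag attributes without a value
    (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str], https: bool = True) -> Dict[str, List[str]]:
    """Return, per cookie name, the list of missing protective attributes.

    Secure is only expected when the site is served over HTTPS, matching
    the http/https distinction in the servlet examples above.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if "httponly" not in cookie["attrs"]:
            missing.append("HttpOnly")
        if https and "secure" not in cookie["attrs"]:
            missing.append("Secure")
        findings[cookie["name"]] = missing
    return findings


# Constructed sample headers, as a server might send them.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "uid=112; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```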