Cookie attributes and the role of HttpOnly

1. What is HttpOnly?

If a cookie carries the HttpOnly attribute, script running in the page (for example a read of document.cookie) cannot see it. This blunts the most common use of an XSS vulnerability, stealing the cookie contents, and so raises the security of the cookie. Even so, do not store important information in cookies: HttpOnly hides the cookie from script, but a script injected through XSS can still issue requests in the user's session, and the browser attaches the cookie to those requests as usual. XSS stands for Cross-Site Scripting and is a common web application vulnerability. It is a passive attack aimed at the client rather than the server, which makes its danger easy to overlook. The principle is that the attacker injects HTML or script into a page of a site that has an XSS vulnerability; when other users browse that page, the injected code executes in their browsers, achieving the attacker's goal, for example stealing the user's cookie, destroying the page structure, or redirecting to another website.

2. HttpOnly setting examples


General form (domainvalue and seconds are placeholders; attribute names are case-insensitive, so HTTPOnly and HttpOnly are equivalent):

response.setHeader("Set-Cookie", "cookiename=httponlyTest; Path=/; Domain=domainvalue; Max-Age=seconds; HttpOnly");

For example:

// set a cookie
response.addHeader("Set-Cookie", "uid=112; Path=/; HttpOnly");

// set multiple cookies (addHeader appends one Set-Cookie header per call; setHeader would replace the previous one)
response.addHeader("Set-Cookie", "uid=112; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "timeout=30; Path=/test; HttpOnly");

// cookie sent only over HTTPS (Secure) and hidden from script (HttpOnly)
response.addHeader("Set-Cookie", "uid=112; Path=/; Secure; HttpOnly");

The meaning of each attribute is not elaborated here. Once HttpOnly is set, JavaScript in the page can no longer read the cookie, but the browser still sends it with every request, so server-side code reads it in the usual way:

Cookie[] cookies = request.getCookies();

 

To restate the attack: XSS targets the user's client. The attacker inserts malicious HTML or script into a web page; when a user views that page, the injected code executes in the user's browser, reads the user's cookies with script (document.cookie), and uploads them to a server the attacker controls. With the cookie in hand, the attacker can present it as the victim, which is the attack. A typical delivery vector is a link received by e-mail.

Countermeasures: users should not click links indiscriminately; avoid storing critical information in cookies, and do not rely on obscuring cookie values (the original suggests MD5 "encryption", but MD5 is a hash rather than encryption, and a stolen hashed value can still be replayed as-is); set HttpOnly on every cookie that script does not need, either in the Set-Cookie header as above or, with the Servlet 3.0 API, via Cookie.setHttpOnly(true).
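The following is an added example, not code from the original post: a small JavaScript (Node.js) checker that parses Set-Cookie header values like the ones produced by the servlet snippets in section 2, reports cookies that lack HttpOnly or Secure, and shows which cookies a script in the page (for instance an injected XSS payload reading document.cookie, as described above) would be able to see. The entries in SAMPLE_HEADERS are constructed input for the example, and the function names are the example's own, not a library API.

```javascript
// Added example (not from the original post). Parses Set-Cookie header values,
// audits them for HttpOnly/Secure, and simulates what document.cookie exposes.
// SAMPLE_HEADERS is constructed input: three lines mirror the servlet snippets
// in section 2, the rest are made up to show the failure cases.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are compared case-insensitively (RFC 6265), so "HTTPOnly"
// and "HttpOnly" both count; value-less attributes are recorded as true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit a list of Set-Cookie header values. Each finding lists the problems
// a reviewer would raise for that cookie.
function auditCookies(headers) {
  return headers.map((header) => {
    const cookie = parseSetCookie(header);
    const httpOnly = cookie.attrs.httponly === true;
    const secure = cookie.attrs.secure === true;
    const problems = [];
    if (!httpOnly) problems.push('missing HttpOnly: readable via document.cookie, so XSS can steal it');
    if (!secure) problems.push('missing Secure: browser also sends it over plain HTTP');
    return { name: cookie.name, httpOnly, secure, problems };
  });
}

// What script running in the page sees when it reads document.cookie: only the
// cookies without HttpOnly, joined as "name=value" pairs. This is the view an
// injected XSS payload gets, so anything listed here is stealable. The
// simulation ignores Path and Secure scoping and assumes the reading page
// matches every cookie.
function visibleToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c.attrs.httponly !== true)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

const SAMPLE_HEADERS = [
  'uid=112; Path=/; HttpOnly',            // mirrors the post
  'timeout=30; Path=/test; HttpOnly',     // mirrors the post
  'uid=112; Path=/; Secure; HttpOnly',    // mirrors the post
  'theme=dark; Path=/',                   // constructed: neither flag
  'JSESSIONID=abc123; Path=/; Secure',    // constructed: session id readable by script
  'token=xyz; Path=/; HTTPOnly',          // constructed: upper-case spelling still counts
];

for (const f of auditCookies(SAMPLE_HEADERS)) {
  const status = f.problems.length === 0 ? 'ok' : f.problems.join('; ');
  console.log(`${f.name}: ${status}`);
}
console.log(`document.cookie would read: "${visibleToScript(SAMPLE_HEADERS)}"`);
```

Run it with node; the JSESSIONID line is the case to look for in a real audit, since a session identifier without HttpOnly is exactly what the XSS payload in the paragraph above is after. Feeding the checker the raw Set-Cookie lines from a proxy capture or curl -i output gives the same report for a live application.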

 

 

Origin www.cnblogs.com/hpzyang/p/11783411.html