有关cookie的httponly属性相关
2014-09-11 11:22
387 查看
先记录下相关网上的链接,有时间自己再总结一份自己的理解
http://en.wikipedia.org/wiki/HTTP_cookie
http://www.cnblogs.com/downmoon/archive/2008/09/11/1289298.html
http://msdn.microsoft.com/zh-cn/library/system.web.httpcookie.httponly.aspx
http://msdn.microsoft.com/zh-cn/library/ms533046(vs.85).aspx
http://www.storyday.com/html/y2008/2120_javascript-and-httponly-cookies.html
对于很多只依赖于cookie验证的网站来说,HttpOnly cookies是一个很好的解决方案,在支持HttpOnly cookies的浏览器中(IE6以上,FF3.0以上),javascript是无法读取和修改HttpOnly cookies,或许这样可让网站用户验证更加安全。
wikipedia中对于httpOnly的描述如下:
`HttpOnly’:
Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly
When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.[21] The `HttpOnly` flag is not part of any standard, and is not implemented in all browsers. Note
that there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest.[36]
所以,若是网站基于cookie而非服务器端的验证,请最好加上HttpOnly,当然,目前这个属性还不属于任何一个标准,也不是所有的浏览器支持,另外知名的wordpress程序也已经更改了cookie的属性为httpOnly。
javascript无法读取HttpOnly cookies,若想在js中获取cookie的属性该如何处理呢?
cosbeta也没有什么比较好的办法,所以只有告诉大家都绝招:还得动用服务器端脚本读出cookie,然后用输出js代码,或者用ajax去获取服务器端程序读出的cookie值。
于是cos-html-cache因此升级了。
----------------------------------------------------
https://www.owasp.org/index.php/HTTPOnly
这个链接介绍的很详细:摘抄如下
The goal of this section is to introduce, discuss, and provide language specific mitigation techniques for HttpOnly.
According to a daily blog article by Jordan Wiens, “No cookie for you!,” HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1. Wiens, [1]
According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response
header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
The example below shows the syntax used within the HTTP response header:
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and
a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes
vulnerable to theft of modification by malicious script. Mitigating, [2]
According to Michael Howard, Senior Security Program Manager in the Secure Windows Initiative group at Microsoft, the majority
of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HTTPOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious
(usually XSS) code from sending the data to an attacker's website. Howard, [3]
Using Java to Set HttpOnly
Sun Java EE supports HttpOnly flag in Cookie interface since version 6 (Servlet class version 3)[4],
also for session cookies (JSESSIONID)[5]. Methods setHttpOnly and isHttpOnly can
be used to set and check for HttpOnly value in cookies.
For older versions there the workaround is to rewrite JSESSIONID value using and setting it as a custom header[6].
In Tomcat 6 flag useHttpOnly=True in context.xml to force this behaviour for applications[7],
including Tomcat-based frameworks like JBoss[8].
Servlet 3.0 (Java EE 6) introduced a standard way to configure HttpOnly attribute for the session cookie, this can be done by applying the following configuration in web.xml
目前发现tomcat6的该属性缺省是false,在context.xml里配置,weblogic10.3.1,10.3.2不支持该属性的配置,只能编码写,weblogic10.3.3,
10.3.4,10.3.5支持在weblogic.xml里配置该属性,切缺省值为true
J***AEE从6.0支持专门的setHttpOnly和isHttpOnly方法,即servlet3.0规范中添加了这两个方法得API,在此以前的版本只能用response.setHeader("SET-COOKIE,...")的方式来支持,另外还需要看浏览器对httpOnly的支持,IE从6开始支持,其它版本在上面引入的链接里写的很清楚。
原文:http://coffeesweet.iteye.com/blog/1271822
http://en.wikipedia.org/wiki/HTTP_cookie
http://www.cnblogs.com/downmoon/archive/2008/09/11/1289298.html
http://msdn.microsoft.com/zh-cn/library/system.web.httpcookie.httponly.aspx
http://msdn.microsoft.com/zh-cn/library/ms533046(vs.85).aspx
http://www.storyday.com/html/y2008/2120_javascript-and-httponly-cookies.html
对于很多只依赖于cookie验证的网站来说,HttpOnly cookies是一个很好的解决方案,在支持HttpOnly cookies的浏览器中(IE6以上,FF3.0以上),javascript是无法读取和修改HttpOnly cookies,或许这样可让网站用户验证更加安全。
wikipedia中对于httpOnly的描述如下:
`HttpOnly’:
Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly
When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.[21] The `HttpOnly` flag is not part of any standard, and is not implemented in all browsers. Note
that there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest.[36]
所以,若是网站基于cookie而非服务器端的验证,请最好加上HttpOnly,当然,目前这个属性还不属于任何一个标准,也不是所有的浏览器支持,另外知名的wordpress程序也已经更改了cookie的属性为httpOnly。
javascript无法读取HttpOnly cookies,若想在js中获取cookie的属性该如何处理呢?
cosbeta也没有什么比较好的办法,所以只有告诉大家都绝招:还得动用服务器端脚本读出cookie,然后用输出js代码,或者用ajax去获取服务器端程序读出的cookie值。
于是cos-html-cache因此升级了。
----------------------------------------------------
https://www.owasp.org/index.php/HTTPOnly
这个链接介绍的很详细:摘抄如下
The goal of this section is to introduce, discuss, and provide language specific mitigation techniques for HttpOnly.
Who developed HttpOnly? When?
According to a daily blog article by Jordan Wiens, “No cookie for you!,” HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1. Wiens, [1]
What is HttpOnly?
According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP responseheader. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
The example below shows the syntax used within the HTTP response header:
Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and
a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes
vulnerable to theft of modification by malicious script. Mitigating, [2]
Mitigating the Most Common XSS attack using HttpOnly
According to Michael Howard, Senior Security Program Manager in the Secure Windows Initiative group at Microsoft, the majorityof XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HTTPOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious
(usually XSS) code from sending the data to an attacker's website. Howard, [3]
Using Java to Set HttpOnly
Sun Java EE supports HttpOnly flag in Cookie interface since version 6 (Servlet class version 3)[4],
also for session cookies (JSESSIONID)[5]. Methods setHttpOnly and isHttpOnly can
be used to set and check for HttpOnly value in cookies.
For older versions there the workaround is to rewrite JSESSIONID value using and setting it as a custom header[6].
String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");In Tomcat 6 flag useHttpOnly=True in context.xml to force this behaviour for applications[7],
including Tomcat-based frameworks like JBoss[8].
Servlet 3.0 (Java EE 6) introduced a standard way to configure HttpOnly attribute for the session cookie, this can be done by applying the following configuration in web.xml
<session-config> <cookie-config> <http-only>true</http-only> </cookie-config> <session-config>
目前发现tomcat6的该属性缺省是false,在context.xml里配置,weblogic10.3.1,10.3.2不支持该属性的配置,只能编码写,weblogic10.3.3,
10.3.4,10.3.5支持在weblogic.xml里配置该属性,切缺省值为true
J***AEE从6.0支持专门的setHttpOnly和isHttpOnly方法,即servlet3.0规范中添加了这两个方法得API,在此以前的版本只能用response.setHeader("SET-COOKIE,...")的方式来支持,另外还需要看浏览器对httpOnly的支持,IE从6开始支持,其它版本在上面引入的链接里写的很清楚。
原文:http://coffeesweet.iteye.com/blog/1271822
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- PHP设置COOKIE的HttpOnly属性
- cookie工具类,解决servlet3.0以前不能添加httpOnly属性的问题
- 增多 cookie 安全性添加HttpOnly和secure属性
- cookie的httponly属性
- Tomcat为Cookie设置HttpOnly属性
- HttpCookie.HttpOnly 属性
- 去除asp.net 2.0的会话cookie ASP.NET_SessionId 的httponly属性
- 增加 cookie 安全性添加HttpOnly和secure属性
- Cookie设置HttpOnly,Secure,Expire属性
- 检测到会话cookie中缺少HttpOnly属性
- Cookie设置HttpOnly,Secure,Expire属性
- Cookie的httponly属性设置方法
- PHP设置Cookie的HTTPONLY属性
- Cookie设置HttpOnly,Secure,Expire属性
- 浅谈HTTP Cookie 的 Secure 和 HTTPONLY属性
- 关于cookie的httponly属性
- cookie的secure、httponly属性设置
- 关于Cookie 的HttpOnly属性(java/web操作cookie+Tomcat操作jsessionid)
- PHP设置Cookie的HTTPONLY属性
- Cookie设置HttpOnly,Secure,Expire属性