HttpOnly cookie
設定cookie時可以指定為 HttpOnly Cookie, 這個 cookie 無法被 javascript 讀出來 (ex: document.cookie)
The Will Will Web | 設定 Cookie 時可善用 HttpOnly 特性減低網站安全風險(XSS)
Cookie hijacking 是個很常見的 XSS 攻擊手法,大多是利用網站既有的 XSS 漏洞並透過 JavaScript 取得 documnet.cookie 資料,而 documnet.cookie 就包含所有你在該網頁所有可用的 Cookie 資料,但若你的網站程式在設定 Cookie 的時候有特別加上 HttpOnly 屬性,就可以進一步避免該頁的 Cookie 被 JavaScript 存取,也可保護使用者的 Cookie 不會偷走。
[Security] HTTP-only cookies
Vidar wrote an interesting article pointing me to HTTPOnly-cookies. Microsoft created this extension to the cookie standard, to allow servers to issue cookies with a special HttpOnly-flag. This flag makes the cookie inaccessible to javascript in supported browsers (currently only newer versions of IE supports this feature fully).
The set-cookie header looks like this:
Set-Cookie: USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly
HttpOnly - OWASP
沒有留言:
張貼留言