1.什么是HttpOnly?

如果您在cookie中设置了HttpOnly属性,那么通过js脚本将无法读取到cookie信息,这样能有效的防止XSS攻击,具体一点的介绍请google进行搜索

2.javaEE的API是否支持?

目前sun公司还没有公布相关的API,但PHP、C#均有实现。搞javaEE的兄弟们比较郁闷了,别急下文有变通实现

3.HttpOnly的设置样例

javaEE

1
2
response.setHeader("Set-Cookie", "cookiename=value;
Path=/;Domain=domainvalue;Max-Age=seconds;HTTPOnly");

具体参数的含义再次不做阐述,设置完毕后通过js脚本是读不到该cookie的,但使用如下方式可以读取

1
Cookie cookies[]=request.getCookies();

C#

1
2
3
HttpCookie myCookie = new HttpCookie("myCookie");  
myCookie.HttpOnly = true;  
Response.AppendCookie(myCookie);

VB.NET

1
2
3
Dim myCookie As HttpCookie = new HttpCookie("myCookie")  
myCookie.HttpOnly = True  
Response.AppendCookie(myCookie)

但是在 .NET 1.1 ,中您需要手动添加

1
Response.Cookies[cookie].Path += ";HTTPOnly";

PHP4

1
header("Set-Cookie: hidden=value; httpOnly");

PHP5

1
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);

最后一个参数为HttpOnly属性

----------------------------------------------------------------------------------

webBrowser

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices; namespace WindowsFormsApplication1
{
/// <summary>
/// WinInet.dll wrapper
/// </summary>
internal static class CookieReader
{ private const int INTERNET_COOKIE_HTTPONLY = 0x00002000; [DllImport("wininet.dll", SetLastError = true)]
private static extern bool InternetGetCookieEx(
string url,
string cookieName,
StringBuilder cookieData,
ref int size,
int flags,
IntPtr pReserved);
public static string GetCookie(string url)
{
int size = 512;
StringBuilder sb = new StringBuilder(size);
if (!InternetGetCookieEx(url, null, sb, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero))
{
if (size < 0)
{
return null;
}
sb = new StringBuilder(size);
if (!InternetGetCookieEx(url, null, sb, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero))
{
return null;
}
}
return sb.ToString();
}
}
}

  

********************************************************************************************************************************************************

using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Text; namespace CookieHandler
{
    internal sealed class INativeMethods
    {
        #region enums         public enum ErrorFlags
        {
            ERROR_INSUFFICIENT_BUFFER = 122,
            ERROR_INVALID_PARAMETER = 87,
            ERROR_NO_MORE_ITEMS = 259
        }         public enum InternetFlags
        {
            INTERNET_COOKIE_HTTPONLY = 8192, //Requires IE 8 or higher     
            INTERNET_COOKIE_THIRD_PARTY = 131072,
            INTERNET_FLAG_RESTRICTED_ZONE = 16
        }         #endregion         #region DLL Imports         [SuppressUnmanagedCodeSecurity, SecurityCritical, DllImport("wininet.dll", EntryPoint = "InternetGetCookieExW", CharSet = CharSet.Unicode, SetLastError = true, ExactSpelling = true)]
        internal static extern bool InternetGetCookieEx([In] string Url, [In] string cookieName, [Out] StringBuilder cookieData, [In, Out] ref uint pchCookieData, uint flags, IntPtr reserved);         #endregion
    }
}

  

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Text; namespace CookieHandler
{
    /// <SUMMARY></SUMMARY>
    /// 取得WebBrowser的完整Cookie。
    /// 因为默认的webBrowser1.Document.Cookie取不到HttpOnly的Cookie
    /// IE7不兼容,IE8可以,其它未知
    ///
    public class FullWebBrowserCookie
    {
        public static Dictionary<string, string> GetCookieList(Uri uri, bool throwIfNoCookie)
        {
            Dictionary<string, string> dict = new Dictionary<string, string>();
            string cookie = GetCookieInternal(uri, throwIfNoCookie);
            Console.WriteLine("FullWebBrowserCookie - 所有cookie:" + cookie);
            string[] arrCookie = cookie.Split(';');
            foreach (var item in arrCookie)
            {
                string[] arr = item.Split('=');
                string key = arr[0].Trim();
                string val = "";
                if (arr.Length >= 2)
                {
                    val = arr[1].Trim();
                }                 if (!dict.ContainsKey(key))
                {
                    dict.Add(key, val);
                }
            }
            Console.WriteLine("FullWebBrowserCookie - cookie已载入dict,共" + dict.Count.ToString() + "项");             return dict;
        }         public static string GetCookieValue(string key, Uri uri, bool throwIfNoCookie)
        {
            Console.WriteLine("GetCookieValue");
            Dictionary<string, string> dict = GetCookieList(uri, throwIfNoCookie);             if (dict.ContainsKey(key))
            {
                return dict[key];
            }
            return "";
        }         [SecurityCritical]
        public static string GetCookieInternal(Uri uri, bool throwIfNoCookie)
        {
            Console.WriteLine("GetCookieInternal");             uint pchCookieData = 0;
            string url = UriToString(uri);
            uint flag = (uint)INativeMethods.InternetFlags.INTERNET_COOKIE_HTTPONLY;             //Gets the size of the string builder     
            if (INativeMethods.InternetGetCookieEx(url, null, null, ref pchCookieData, flag, IntPtr.Zero))
            {
                pchCookieData++;
                StringBuilder cookieData = new StringBuilder((int)pchCookieData);                 //Read the cookie     
                if (INativeMethods.InternetGetCookieEx(url, null, cookieData, ref pchCookieData, flag, IntPtr.Zero))
                {
                    DemandWebPermission(uri);
                    return cookieData.ToString();
                }
            }             int lastErrorCode = Marshal.GetLastWin32Error();             if (throwIfNoCookie || (lastErrorCode != (int)INativeMethods.ErrorFlags.ERROR_NO_MORE_ITEMS))
            {
                throw new Win32Exception(lastErrorCode);
            }             return null;
        }         private static void DemandWebPermission(Uri uri)
        {
            string uriString = UriToString(uri);             if (uri.IsFile)
            {
                string localPath = uri.LocalPath;
                new FileIOPermission(FileIOPermissionAccess.Read, localPath).Demand();
            }
            else
            {
                new WebPermission(NetworkAccess.Connect, uriString).Demand();
            }
        }         private static string UriToString(Uri uri)
        {
            if (uri == null)
            {
                throw new ArgumentNullException("uri");
            }             UriComponents components = (uri.IsAbsoluteUri ? UriComponents.AbsoluteUri : UriComponents.SerializationInfoString);
            return new StringBuilder(uri.GetComponents(components, UriFormat.SafeUnescaped), 2083).ToString();
        }
    }
}

  

Cookie中的HttpOnly的更多相关文章

  1. django-会话 cookie 中缺少HttpOnly 属性-安全加强

    如果django程序扫描到会话 cookie 中缺少 HttpOnly 属性问题,需要如何进行安全加强? https://docs.djangoproject.com/en/2.2/ref/setti ...

  2. 会话cookie中缺少HttpOnly属性 解决

    会话cookie中缺少HttpOnly属性 解决   只需要写一个过滤器即可 1 package com.neusoft.streamone.framework.security.filter; 2 ...

  3. Cookie中的HttpOnly详解

    详见:http://blog.yemou.net/article/query/info/tytfjhfascvhzxcyt377 1.什么是HttpOnly? 如果您在cookie中设置了HttpOn ...

  4. Cookie中的httponly的属性和作用

    1.什么是HttpOnly? 如果cookie中设置了HttpOnly属性,那么通过js脚本将无法读取到cookie信息,这样能有效的防止XSS攻击,窃取cookie内容,这样就增加了cookie的安 ...

  5. Cookie中设置了 HttpOnly,Secure 属性,有效的防止XSS攻击,X-Frame-Options 响应头避免点击劫持

    属性介绍: 1) secure属性当设置为true时,表示创建的 Cookie 会被以安全的形式向服务器传输(ssl),即 只能在 HTTPS 连接中被浏览器传递到服务器端进行会话验证, 如果是 HT ...

  6. Cookie中存放数据l加密解密的算法

    public class CookieUtil { /** * * @param response HttpServletResponse类型的响应 * @param cookie 要设置httpOn ...

  7. Appscan漏洞 之 加密会话(SSL)Cookie 中缺少 Secure 属性

    近期 Appscan扫描出漏洞 加密会话(SSL)Cookie 中缺少 Secure 属性,已做修复,现进行总结如下: 1.1.攻击原理 任何以明文形式发送到服务器的 cookie.会话令牌或用户凭证 ...

  8. .NET跨平台之旅:ASP.NET Core从传统ASP.NET的Cookie中读取用户登录信息

    在解决了asp.net core中访问memcached缓存的问题后,我们开始大踏步地向.net core进军——将更多站点向asp.net core迁移,在迁移涉及获取用户登录信息的站点时,我们遇到 ...

  9. js获取cookie中存储的值

    最近看了试卷题目发现自己会的十分的匮乏, 第一题就把自己难住了,知道有这个东西,但是实际上没有操作过. ========================================= cookie ...

随机推荐

  1. jmeter待解决55大问题

    客户交付一个性能测试项目,阐述实施流程. 解释5个常用的性能指标的名称与具体含义. 写出5个jmeter中常用函数,并对其中2个举例说明用法. 简述jmeter的工作原理? 什么是集合点?设置集合点有 ...

  2. 如何更改sdk版本

  3. 【2019.11.20】SDN上机第4次作业

    安装OpenDayLight控制器 配置JAVA环境 https://www.opendaylight.org/ 在官网进行下载OpenDayLight控制器 启动OpenDayLight控制器和安装 ...

  4. (转载)OpenStack client 调用分析

    https://blog.csdn.net/yenai2008/article/details/72722038?utm_source=itdadao&utm_medium=referral# ...

  5. hdu5438 Ponds[DFS,STL vector二维数组]

    目录 题目地址 题干 代码和解释 参考 题目地址 hdu5438 题干 代码和解释 解答本题时参考了一篇代码较短的博客,比较有意思,使用了STL vector二维数组. 可以结合下面的示例代码理解: ...

  6. 团队作业-Alpha(4/4)

    队名:软工9组 组长博客:https://www.cnblogs.com/cmlei/ 作业博客:https://edu.cnblogs.com/campus/fzu/SoftwareEngineer ...

  7. 剑指offer:字符流中第一个不重复的字符

    题目描述: 请实现一个函数用来找出字符流中第一个只出现一次的字符.例如,当从字符流中只读出前两个字符"go"时,第一个只出现一次的字符是"g".当从该字符流中读 ...

  8. Selenium自动化对非输入框的日历或日期控件的处理

    4.这个时候我们可以移除readonly的属性,问题就轻轻松松解决了,代码如下: String js = "document.getElementById('createTime').rem ...

  9. pg执行计划分析小笔记

    开发同事问,为什么一个标量子查询,放在where子句后进行大小判断,比不放在where子句后进行判断大小运行的更快?按道理加了一次判断,不是应该变慢么? 把语句拿过来,看了一下两个语句的执行计划: 语 ...

  10. 事务管理(ACID)和事务的隔离级别

    https://blog.csdn.net/dengjili/article/details/82468576 谈到事务一般都是以下四点 原子性(Atomicity)原子性是指事务是一个不可分割的工作 ...