Cookie中的HttpOnly

1.什么是HttpOnly?

如果您在cookie中设置了HttpOnly属性，那么通过js脚本将无法读取到cookie信息，这样能有效的防止XSS攻击，具体一点的介绍请google进行搜索

2.javaEE的API是否支持?

目前sun公司还没有公布相关的API，但PHP、C#均有实现。搞javaEE的兄弟们比较郁闷了，别急下文有变通实现

3.HttpOnly的设置样例

javaEE

1 2	`response.setHeader("Set-Cookie", "cookiename=value;` `Path=/;Domain=domainvalue;Max-Age=seconds;HTTPOnly");`

具体参数的含义再次不做阐述，设置完毕后通过js脚本是读不到该cookie的，但使用如下方式可以读取

1	`Cookie cookies[]=request.getCookies();`

HttpCookie myCookie = new HttpCookie("myCookie");

myCookie.HttpOnly = true;

Response.AppendCookie(myCookie);

VB.NET

Dim myCookie As HttpCookie = new HttpCookie("myCookie")

myCookie.HttpOnly = True

Response.AppendCookie(myCookie)

但是在 .NET 1.1 ,中您需要手动添加

1	`Response.Cookies[cookie].Path +=` `";HTTPOnly";`

PHP4

1	`header("Set-Cookie: hidden=value; httpOnly");`

PHP5

1	`setcookie("abc",` `"test", NULL, NULL, NULL, NULL, TRUE);`

最后一个参数为HttpOnly属性

----------------------------------------------------------------------------------

webBrowser

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
 
namespace WindowsFormsApplication1
{
    /// <summary>
    /// WinInet.dll wrapper
    /// </summary>
    internal static class CookieReader
    {
 
        private const int INTERNET_COOKIE_HTTPONLY = 0x00002000;
 
        [DllImport("wininet.dll", SetLastError = true)]
        private static extern bool InternetGetCookieEx(
            string url,
            string cookieName,
            StringBuilder cookieData,
            ref int size,
            int flags,
            IntPtr pReserved);
        public static string GetCookie(string url)
        {
            int size = 512;
            StringBuilder sb = new StringBuilder(size);
            if (!InternetGetCookieEx(url, null, sb, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero))
            {
                if (size < 0)
                {
                    return null;
                }
                sb = new StringBuilder(size);
                if (!InternetGetCookieEx(url, null, sb, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero))
                {
                    return null;
                }
            }
            return sb.ToString();
        }
    }
}

********************************************************************************************************************************************************

using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Text; 
 
namespace CookieHandler
{
    internal sealed class INativeMethods
    {
        #region enums 
 
        public enum ErrorFlags
        {
            ERROR_INSUFFICIENT_BUFFER = 122,
            ERROR_INVALID_PARAMETER = 87,
            ERROR_NO_MORE_ITEMS = 259
        } 
 
        public enum InternetFlags
        {
            INTERNET_COOKIE_HTTPONLY = 8192, //Requires IE 8 or higher     
            INTERNET_COOKIE_THIRD_PARTY = 131072,
            INTERNET_FLAG_RESTRICTED_ZONE = 16
        } 
 
        #endregion 
 
        #region DLL Imports 
 
        [SuppressUnmanagedCodeSecurity, SecurityCritical, DllImport("wininet.dll", EntryPoint = "InternetGetCookieExW", CharSet = CharSet.Unicode, SetLastError = true, ExactSpelling = true)]
        internal static extern bool InternetGetCookieEx([In] string Url, [In] string cookieName, [Out] StringBuilder cookieData, [In, Out] ref uint pchCookieData, uint flags, IntPtr reserved); 
 
        #endregion
    }
}

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Text; 
 
namespace CookieHandler
{
    /// <SUMMARY></SUMMARY>
    /// 取得WebBrowser的完整Cookie。
    /// 因为默认的webBrowser1.Document.Cookie取不到HttpOnly的Cookie
    /// IE7不兼容，IE8可以，其它未知
    ///
    public class FullWebBrowserCookie
    {
        public static Dictionary<string, string> GetCookieList(Uri uri, bool throwIfNoCookie)
        {
            Dictionary<string, string> dict = new Dictionary<string, string>();
            string cookie = GetCookieInternal(uri, throwIfNoCookie);
            Console.WriteLine("FullWebBrowserCookie - 所有cookie:" + cookie);
            string[] arrCookie = cookie.Split(';');
            foreach (var item in arrCookie)
            {
                string[] arr = item.Split('=');
                string key = arr[0].Trim();
                string val = "";
                if (arr.Length >= 2)
                {
                    val = arr[1].Trim();
                } 
 
                if (!dict.ContainsKey(key))
                {
                    dict.Add(key, val);
                }
            }
            Console.WriteLine("FullWebBrowserCookie - cookie已载入dict，共" + dict.Count.ToString() + "项"); 
 
            return dict;
        } 
 
        public static string GetCookieValue(string key, Uri uri, bool throwIfNoCookie)
        {
            Console.WriteLine("GetCookieValue");
            Dictionary<string, string> dict = GetCookieList(uri, throwIfNoCookie); 
 
            if (dict.ContainsKey(key))
            {
                return dict[key];
            }
            return "";
        } 
 
        [SecurityCritical]
        public static string GetCookieInternal(Uri uri, bool throwIfNoCookie)
        {
            Console.WriteLine("GetCookieInternal"); 
 
            uint pchCookieData = 0;
            string url = UriToString(uri);
            uint flag = (uint)INativeMethods.InternetFlags.INTERNET_COOKIE_HTTPONLY; 
 
            //Gets the size of the string builder     
            if (INativeMethods.InternetGetCookieEx(url, null, null, ref pchCookieData, flag, IntPtr.Zero))
            {
                pchCookieData++;
                StringBuilder cookieData = new StringBuilder((int)pchCookieData); 
 
                //Read the cookie     
                if (INativeMethods.InternetGetCookieEx(url, null, cookieData, ref pchCookieData, flag, IntPtr.Zero))
                {
                    DemandWebPermission(uri);
                    return cookieData.ToString();
                }
            } 
 
            int lastErrorCode = Marshal.GetLastWin32Error(); 
 
            if (throwIfNoCookie || (lastErrorCode != (int)INativeMethods.ErrorFlags.ERROR_NO_MORE_ITEMS))
            {
                throw new Win32Exception(lastErrorCode);
            } 
 
            return null;
        } 
 
        private static void DemandWebPermission(Uri uri)
        {
            string uriString = UriToString(uri); 
 
            if (uri.IsFile)
            {
                string localPath = uri.LocalPath;
                new FileIOPermission(FileIOPermissionAccess.Read, localPath).Demand();
            }
            else
            {
                new WebPermission(NetworkAccess.Connect, uriString).Demand();
            }
        } 
 
        private static string UriToString(Uri uri)
        {
            if (uri == null)
            {
                throw new ArgumentNullException("uri");
            } 
 
            UriComponents components = (uri.IsAbsoluteUri ? UriComponents.AbsoluteUri : UriComponents.SerializationInfoString);
            return new StringBuilder(uri.GetComponents(components, UriFormat.SafeUnescaped), 2083).ToString();
        }
    }
}

Cookie中的HttpOnly的更多相关文章

django-会话 cookie 中缺少HttpOnly 属性-安全加强
如果django程序扫描到会话 cookie 中缺少 HttpOnly 属性问题,需要如何进行安全加强? https://docs.djangoproject.com/en/2.2/ref/setti ...
会话cookie中缺少HttpOnly属性解决
会话cookie中缺少HttpOnly属性解决只需要写一个过滤器即可 1 package com.neusoft.streamone.framework.security.filter; 2 ...
Cookie中的HttpOnly详解
详见:http://blog.yemou.net/article/query/info/tytfjhfascvhzxcyt377 1.什么是HttpOnly? 如果您在cookie中设置了HttpOn ...
Cookie中的httponly的属性和作用
1.什么是HttpOnly? 如果cookie中设置了HttpOnly属性,那么通过js脚本将无法读取到cookie信息,这样能有效的防止XSS攻击,窃取cookie内容,这样就增加了cookie的安 ...
Cookie中设置了 HttpOnly，Secure 属性,有效的防止XSS攻击，X-Frame-Options 响应头避免点击劫持
属性介绍: 1) secure属性当设置为true时,表示创建的 Cookie 会被以安全的形式向服务器传输(ssl),即只能在 HTTPS 连接中被浏览器传递到服务器端进行会话验证, 如果是 HT ...
Cookie中存放数据l加密解密的算法
public class CookieUtil { /** * * @param response HttpServletResponse类型的响应 * @param cookie 要设置httpOn ...
Appscan漏洞之加密会话（SSL）Cookie 中缺少 Secure 属性
近期 Appscan扫描出漏洞加密会话(SSL)Cookie 中缺少 Secure 属性,已做修复,现进行总结如下: 1.1.攻击原理任何以明文形式发送到服务器的 cookie.会话令牌或用户凭证 ...
.NET跨平台之旅：ASP.NET Core从传统ASP.NET的Cookie中读取用户登录信息
在解决了asp.net core中访问memcached缓存的问题后,我们开始大踏步地向.net core进军——将更多站点向asp.net core迁移,在迁移涉及获取用户登录信息的站点时,我们遇到 ...
js获取cookie中存储的值
最近看了试卷题目发现自己会的十分的匮乏, 第一题就把自己难住了,知道有这个东西,但是实际上没有操作过. ========================================= cookie ...

随机推荐

hdoj - 1864 最大报销额
Problem Description 现有一笔经费可以报销一定额度的发票.允许报销的发票类型包括买图书(A类).文具(B类).差旅(C类),要求每张发票的总额不得超过1000元,每张发票上,单项物品 ...
Python面向对象编程核心思想
原文地址https://blog.csdn.net/weixin_42134789/article/details/80194788 https://blog.csdn.net/happyjxt/ar ...
SQLServer replace函数
declare @name char(1000) --注意:char(10)为10位,要是位数小了会让数据出错 set @name='ssssfcfgghdghdfcccs' select repla ...
Java基础变量名的开头可以使用$
JDK :OpenJDK-11 OS :CentOS 7.6.1810 IDE :Eclipse 2019‑03 typesetting :Markdown code ...
[转]c++多线程编程之pthread线程深入理解
多线程编程之pthread线程深入理解 Pthread是 POSIX threads 的简称,是POSIX的线程标准. 前几篇博客已经能给你初步的多线程概念.在进一 ...
ISO/IEC 9899:2011 附录C——顺序点
附录C——顺序点 1.以下是在5.1.2.3中所描述的顺序点(sequence point): ——在一个函数调用中的函数指示符(function designator)和实际参数的计算,与实际调用之 ...
python2中的unicode()函数在python3中会报错：
python2中的unicode()函数在python3中会报错:NameError: name 'unicode' is not defined There is no such name in P ...
Eclipse新项目检出后报错第一步：导入lib中的jar包【我】
新检出项目报错,第一步,先看项目 web-info下的 lib目录里的包是不是都添加到项目构建中了,可以全选先添加到项目构建中,看项目是否还在报错.
【Linux】数据流重定向
数据流重定向(redirect)就是将某个命令执行后应该要出现在屏幕上的数据,给它传输到其他的地方,例如文件或设备(打印机之类的).这玩意在Linux的命令行模式下很重要,尤其是想要将某些数据存储下来 ...
ThinkPHP5最新URL访问:PATH_INFO和兼容模式
https://www.jianshu.com/p/c43fb5817ae1 http://tp5.com/index.php?s=USER/manger_user/add&n=2000&am ...

Cookie中的HttpOnly

Cookie中的HttpOnly的更多相关文章

随机推荐

热门专题