The cookie HttpOnly attribute
阿新 • Published: 2019-01-30
http://blog.csdn.net/u014538198/article/details/41596735
Marks the cookie as accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).
In other words, a cookie carrying the HttpOnly attribute is only sent and received over HTTP(S); script languages such as JavaScript can no longer read it (for example via document.cookie). Setting this attribute effectively reduces the damage of XSS (cross-site scripting): an injected script cannot exfiltrate the session cookie, although it can still issue requests that the browser attaches the cookie to, so HttpOnly limits the impact of XSS rather than preventing it. The "not supported by all browsers" caveat dates from the original article; every current mainstream browser honours HttpOnly.
Setting the HttpOnly attribute in PHP
1. The session cookie (PHPSESSID)
Open php.ini and change the following line:
PHP code: session.cookie_httponly = 1
2. Custom cookies
Pass true as the seventh ($httponly) argument of setcookie(); its signature is:
bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )
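The two settings above, carried through in one script, as an added example (this is not code from the original post). It sets the session cookie flags at runtime instead of in php.ini, sets a custom cookie with both the classic positional form and the PHP 7.3+ options-array form, and then inspects the queued Set-Cookie headers to confirm HttpOnly is present. The cookie name remember_me and the token value are made up for the example.

```php
<?php
// Added example: HttpOnly for the PHP session cookie and for a custom cookie.
// Runs under a web SAPI (Apache/FPM); under the CLI no headers are queued.

// 1. Session cookie. Equivalent to "session.cookie_httponly = 1" in php.ini,
//    but applied per script. Must happen before session_start().
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');   // assumes the site is served over HTTPS

// On PHP >= 7.3 the same can be done in one call, which also allows SameSite.
if (PHP_VERSION_ID >= 70300) {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
session_start();

// 2. Custom cookie. $token is a made-up value for the example; a real one
//    would come from random_bytes() and be stored server-side.
$token = bin2hex(random_bytes(16));

// Classic positional form: the 7th argument is $httponly.
setcookie('remember_me', $token, 0, '/', '', true, true);

// PHP >= 7.3 options-array form (preferred; supports SameSite as well).
if (PHP_VERSION_ID >= 70300) {
    setcookie('remember_me', $token, [
        'expires'  => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// 3. Verification: every queued Set-Cookie header must carry HttpOnly.
//    Returns the names of cookies that are missing the attribute.
function cookiesWithoutHttpOnly(): array
{
    $missing = [];
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        if (stripos($header, 'httponly') === false) {
            // Cookie name is everything between "Set-Cookie: " and the first "=".
            $name = strstr(substr($header, strlen('Set-Cookie: ')), '=', true);
            $missing[] = $name;
        }
    }
    return $missing;
}

$missing = cookiesWithoutHttpOnly();
if ($missing !== []) {
    error_log('Cookies without HttpOnly: ' . implode(', ', $missing));
}
```

From outside the application the same check is a request against the login or session endpoint with curl -sI and a look at the Set-Cookie lines: each one should end with "; Secure; HttpOnly" (and, on PHP 7.3+, "; SameSite=Lax"). Note that the session.cookie_httponly ini setting only affects the cookie PHP creates for the session; cookies you set yourself with setcookie() get HttpOnly only if you pass it explicitly, which is why the custom cookie is handled separately above.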
Reposted from: http://huangqiqing123.iteye.com/blog/1912588