For an analysis of how HttpOnly prevents XSS from reading cookie information, see Kenshin's article: Using httpOnly to improve application security.
Settings in Java EE
The API provides no dedicated method or attribute for this, and it is unknown whether a future version will add one; the following is a workaround:
------------------------------------------------------------------
response.setHeader("Set-Cookie", "cookiename=value; Path=/; Domain=neeao.com; Max-Age=seconds; HTTPOnly");
------------------------------------------------------------------
Settings in ASP.NET
.NET 2.0 and later support configuring HttpOnly globally in Web.config; just add the following node:
------------------------------------------------------------------
<httpCookies httpOnlyCookies="true" />
------------------------------------------------------------------
In .NET 2.0 and later the cookie object also exposes an HttpOnly property that can be set directly:
C# code:
------------------------------------------------------------------
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
------------------------------------------------------------------
VB.NET code:
------------------------------------------------------------------
Dim myCookie As HttpCookie = New HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)
------------------------------------------------------------------
In ASP.NET 1.1 you can also set HttpOnly on cookies globally by adding the following to the Application_EndRequest event in Global.asax:
------------------------------------------------------------------
protected void Application_EndRequest(Object sender, EventArgs e)
{
    string authCookie = FormsAuthentication.FormsCookieName;
    foreach (string sCookie in Response.Cookies)
    {
        if (sCookie.Equals(authCookie))
        {
            // 1.1 has no HttpOnly property; appending to Path writes the flag into the Set-Cookie header
            Response.Cookies[sCookie].Path += "; HttpOnly";
        }
    }
}
------------------------------------------------------------------
If you do it inline in your own code, add it like this:
------------------------------------------------------------------
Response.Cookies[cookie].Path += "; HTTPOnly";
------------------------------------------------------------------
Settings in PHP
PHP 5.2 and later support the HttpOnly parameter, and also support enabling HttpOnly globally in php.ini:
------------------------------------------------------------------
session.cookie_httponly =
------------------------------------------------------------------
Set its value to 1 or TRUE to enable the HttpOnly attribute on the session cookie globally; it can of course also be enabled in code:
------------------------------------------------------------------
<?php
ini_set("session.cookie_httponly", 1);
// or
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
?>
------------------------------------------------------------------
The cookie functions setcookie and setrawcookie also gained a 7th parameter for HttpOnly, which is enabled like this:
------------------------------------------------------------------
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);
setrawcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);
------------------------------------------------------------------
For PHP versions before 5.1 and for PHP 4 you need to use the header function instead:
------------------------------------------------------------------
<?php
header("Set-Cookie: hidden=value; httpOnly");
?>
------------------------------------------------------------------
Settings in ASP
The built-in ASP objects provide no relevant method, so it can only be done as a workaround:
------------------------------------------------------------------
<%
'**************************************************
'ASP output of an HttpOnly cookie; supported by IE 6.0 and above
'WDFrog
'2009-04-15
'<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
'**************************************************

'----------SetHttpOnlyCookie----------------------------------------
'Function: set an HttpOnly cookie
'Parameter: expDate is the expiry date; 0 means not set, and a time in the past clears the cookie
'Parameter: an empty domain ("") means not set
'-------------------------------------------------------------------
Function SetHttpOnlyCookie(cookieName, cookieValue, domain, path, expDate)
    Dim cookie
    cookie = cookieName & "=" & Server.URLEncode(cookieValue) & "; path=" & path
    If expDate <> 0 Then
        cookie = cookie & "; expires=" & DateToGMT(expDate)
    End If
    If domain <> "" Then
        cookie = cookie & "; domain=" & domain
    End If
    cookie = cookie & "; HttpOnly"
    Call Response.AddHeader("Set-Cookie", cookie)
End Function

'-------------getGMTTime------------
'Parameter: sDate is the time to convert to GMT
'-----------------------------------
Function DateToGMT(sDate)
    Dim dWeek, dMonth
    Dim strZero, strZone
    strZero = "00"
    strZone = "+0800"
    dWeek = Array("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
    dMonth = Array("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
    DateToGMT = dWeek(WeekDay(sDate) - 1) & ", " & Right(strZero & Day(sDate), 2) & " " & dMonth(Month(sDate) - 1) & " " & Year(sDate) & " " & Right(strZero & Hour(sDate), 2) & ":" & Right(strZero & Minute(sDate), 2) & ":" & Right(strZero & Second(sDate), 2) & " " & strZone
End Function

' Example call
'Call SetHttpOnlyCookie("cookieOnly1", "onlyValue", ".xxx.com", "/", 0)
%>
------------------------------------------------------------------
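As an added example (not code from the original post or from WDFrog), here is a Python check that parses Set-Cookie headers in the shapes the frameworks above emit and lists the cookies that lack HttpOnly, plus a builder that does the job of the VBScript SetHttpOnlyCookie with the Expires value rendered in GMT. The sample headers and cookie names are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from urllib.parse import quote

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive: HttpOnly, HTTPOnly and httpOnly all count.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def cookies_missing_httponly(set_cookie_headers):
    """Names of the cookies whose Set-Cookie header carries no HttpOnly flag."""
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing

def build_httponly_cookie(name, value, path="/", domain=None, expires=None):
    """Build a Set-Cookie value the way the VBScript SetHttpOnlyCookie above does; `expires`
    is an aware datetime and is rendered in GMT, as the Expires attribute requires."""
    parts = [f"{name}={quote(value, safe='')}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if expires is not None:
        # "Wdy, DD Mon YYYY HH:MM:SS GMT": convert rather than emit a local offset like +0800.
        parts.append("Expires=" + format_datetime(expires.astimezone(timezone.utc), usegmt=True))
    parts.append("HttpOnly")
    return "; ".join(parts)

# Constructed sample headers in the shapes the platforms above emit (not captured traffic).
SAMPLE_HEADERS = [
    "cookiename=value; Path=/; Domain=neeao.com; Max-Age=3600; HTTPOnly",  # Java EE setHeader
    "myCookie=abc; path=/; HttpOnly",                                       # ASP.NET 2.0 HttpCookie
    "formsauth=token; path=/; HttpOnly",                                    # ASP.NET 1.1 Path trick
    "PHPSESSID=s3ss10n; path=/",                                            # PHP, cookie_httponly off
    "tracker=1; Path=/; Domain=.xxx.com",                                   # classic ASP Response.Cookies
]
SAMPLE_EXPIRES = datetime(2009, 4, 15, 16, 0, tzinfo=timezone(timedelta(hours=8)))  # 16:00 UTC+8 = 08:00 GMT

if __name__ == "__main__":
    print("Missing HttpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))  # ['PHPSESSID', 'tracker']
```

Point the check at the Set-Cookie headers of your own application's responses; anything it lists is readable by script on the page regardless of which of the settings above you believed was in force.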
References:
1. http://www.owasp.org/index.php/HTTPOnly
2. http://blogs.msdn.com/dansellers/archive/2006/03/13/550947.aspx
3. http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html
4. http://www.asp101.com/tips/index.asp?id=160
5. http://www.cnblogs.com/wdfrog/archive/2009/04/15/1436493.html