cookie httponly属性
Marks the cookie as accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).
拥有 httponly 属性的cookie只能通过http协议访问,这也就意味着该cookie将不再允许通过脚本语言(如javascript)进行访问,本属性的设置能有效的减少XSS(跨站点脚本攻击),尽管该属性尚不能被所有浏览器所支持。
PHP httponly属性设置
1、PHPSESSIONID 设置
打开文件php.ini,修改如下:
Php代码
- session.cookie_httponly =1
2、自定义cookie的设置
bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )
http://blog.csdn.net/u014538198/article/details/41596945 常见Web安全漏洞
