1.什么是HttpOnly?
如果您在cookie中设置了HttpOnly属性,那么通过js脚本将无法读取到cookie信息,这样能有效的防止XSS攻击,具体一点的介绍请google进行搜索
2.HttpOnly的设置样例
1
2
| response.setHeader("Set-Cookie", "cookiename=value;
Path=/;Domain=domainvalue;Max-Age=seconds;HTTPOnly");
|
具体参数的含义再次不做阐述,设置完毕后通过js脚本是读不到该cookie的,但使用如下方式可以读取
1
| Cookie cookies[]=request.getCookies();
|
下面测试一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
| <%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
<%
response.setHeader("Set-Cookie",
"sessionId=abc;Path=/;Max-Age=20*60*1000;");
%>
</head>
<body>
<script>
alert(getCookie('sessionId'));
function getCookie(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for (var i = 0; i < ca.length; i++) {
var c = ca[i];
while (c.charAt(0) == ' ')
c = c.substring(1, c.length);
if (c.indexOf(nameEQ) == 0)
return c.substring(nameEQ.length, c.length);
}
return null;
}
</script>
</body>
</html>
|
运行结果为: abc
下面改成HttpOnly看看
1
2
| response.setHeader("Set-Cookie",
"sessionId=abc;Path=/;Max-Age=20*60*1000;HttpOnly");
|
运行结果为:null
