zoukankan      html  css  js  c++  java
  • HttpOnly

    The goal of this section is to introduce, discuss, and provide language specific mitigation techniques for HttpOnly.

    Who developed HttpOnly? When?

    According to a daily blog article by Jordan Wiens, “No cookie for you!”, HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1.

    What is HttpOnly?

    According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).

    • The example below shows the syntax used within the HTTP response header:

    Set-Cookie: `=``[; ``=``]` `[; expires=``][; domain=`<domain_name>`]` `[; path=`<some_path>`][; secure][; HttpOnly]`

    If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

    If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script. Mitigating.

    Using .NET to Set HttpOnly

    - By *default*, **.NET 2.0** sets the HttpOnly attribute for

    1. Session ID

    2. Forms Authentication cookie

    In .NET 2.0, HttpOnly can also be set via the HttpCookie object for all custom application cookies - Via **web.config** in the system.web/httpCookies element `<httpCookies httpOnlyCookies="true" …> ` -

    Or **programmatically**

    C# Code: `HttpCookie myCookie = new HttpCookie("myCookie");` `myCookie.HttpOnly = true;` `Response.AppendCookie(myCookie);`

    VB.NET Code: `Dim myCookie As HttpCookie = new HttpCookie("myCookie")` `myCookie.HttpOnly = True` `Response.AppendCookie(myCookie)` -

    However, in **.NET 1.1**, you would have to do this *manually*, e.g., `Response.Cookies[cookie].Path += ";HttpOnly";` 

    HttpCookie.HttpOnly Property

    Gets or sets a value that specifies whether a cookie is accessible by client-side script.

    Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

    Caution

    Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site with a legitimate user's identity.

    For more information on possible attacks and how this property can help mitigate them, see Mitigating Cross-site Scripting With HTTP-only Cookies.

  • 相关阅读:
    log4j 使用笔记整理中
    执行bat文件
    excel让每个单元格的宽度随着字体自动变动的两种方式(有更好方法的大神,请忽略,求评论下)
    XML中CDATA及其字符实体的使用
    Java文件读写操作指定编码方式。。。。。
    尾数为0零BigDecimal不能装成正常数
    jquery 自动补全控件(支持IE6)待整理
    $.ajax提交,后台接受到的值总是乱码?明天再总结
    js定义变量需赋予初始值
    存储过程的优缺点
  • 原文地址:https://www.cnblogs.com/chucklu/p/12836457.html
Copyright © 2011-2022 走看看