httpOnly cookie flag support in PHP 5.2
http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html
Thanks to a patch from Scott
MacVicar that I've just applied to CVS, PHP 5.2 will have support for
httpOnly cookie flag. This neat little feature allows you to mark a
newly created cookie as HTTP only, another words inaccessible to
browser based scripting languages such as JavaScript. This means it
would become far more difficult, if not impossible to steal a user's
cookie based session by injecting JavaScript into a page and then using
to read cookies.
This flag can be toggled by passing TRUE as the 7th parameter to the
setcookie() and the setrawcookie() functions respectively. Ex:
PHP:
<?
php
setcookie
(
"abc"
,
"test"
,
NULL
,
NULL
,
NULL
,
NULL
,
TRUE
);
setrawcookie
(
"abc"
,
"test"
,
NULL
,
NULL
,
NULL
,
NULL
,
TRUE
);
?>
The support of the httpOnly flag extends to the session extension as
well, where it can be enabled by setting the session.cookie_httponly
INI setting to 1. Or passing TRUE as the 5th parameter to the
session_set_cookie_params() function.
PHP:
<?
php
ini_set
(
"session.cookie_httponly"
,
1
);
// or
session_set_cookie_params
(
0
,
NULL
,
NULL
,
NULL
,
TRUE
);
?>
Unfortunately, at this time according to my tests no other browser has
adopted this rather handy feature, but with the continual increase of
XSS attacks, I am sure they'll adopt this concept soon.
For people using PHP 4 and PHP 5.1 you can add this flag yourself by
sending cookies manually via the header function and prefixing the
;httpOnly flag to the cookie as shown in the example below:
PHP:
<?
php
header
(
"Set-Cookie: hidden=value; httpOnly"
);
?>
Ïà¹ØÎĵµ£º
PHP¶àÓû§ÔÚÏß¿Í·þϵͳ£¬ºǫ́ÓдúÂëÏâǶµ½ÄãµÄϵͳÖУ¬²»¹ýÕâ¸öÊÇÓ¢Îĵģ¬¸Ð¾õºÜʵÓ㬼ò½à£¬·½±ã£¬ÐèÒªµÄ¿ÉÒÔ×Ô¼ººº»¯£¬²»¾ÍÊǸÄÀïÃæµÄһЩÌáʾÐÅÏ¢ÂµØÖ·ÊÇ£ºhttp://mibew.org/
£¬Õâ¸öÊÇ¿ªÔ´µÄ£¬Ö§³Ö¶àÓû§Í¬Ê±ÔÚÏßÁªÏµ¿Í·þ£¬¿Í·þºǫ́¼°Ê±ÐÔºÜÇ¿£¬Ö»ÒªÓû§µã»÷ÔÚÏß¿Í·þ£¬ºǫ́¾ÍÓÐÌáʾ£¬¶øÇÒ¿ÉÒԲ鿴ÁÄÌì¼Ç¼£¬ºÜ¶àʵÓà ......
PHPµ÷ÊÔ»·¾³·Ç³£Âé·³,¶øÇÒÖÖÀàÆä¶à.ÍøÉϵÄÏà¹ØÎÄÕÂÌ«¶àÁË,µ«ÓÉÓÚʱЧµÄÎÊÌâ,²¢²»ÄÜÓÃ.
½ñÌìÕÒµ½Ò»ÆªÎÄÕÂ,ÓÚ2009Äê12ÔÂ17ÈÕ²âÊÔ¿ÉÓÃ.µ«Ê¹ÓÃPDT֮ǰ,Ðè×°JDK,¿Éµ½http://www.skycn.com/soft/3116.htmlÏÂÔØ
ÎÄÕµØÖ·:http://blog.csdn.net/yuhui_fish/archive/2009/03/29/4033397.aspx
ÄÚÈÝÈçÏÂ:
×î½üÔÚÓÃphp£¬ÅäÖúÜÂé·³£ ......
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> TEST </title>
<meta name="generator" content="editplus" />
......
2009-08-03 16:05
|
6456´ÎÔĶÁ
|
¡¾ÒÑÓÐ2
ÌõÆÀÂÛ¡¿·¢±íÆÀÂÛ
¹Ø¼ü´Ê£ºPHP
| ¸Ðлydj9931
µÄÌṩ
|
ÊÕ²ØÕâƪÐÂÎÅ
¡¾Csdn
8ÔÂ3ÈÕ±¨µÀ¡¿PHP³ÉΪÊÀ½çÉÏ×îÁ÷ÐеĽű¾ÓïÑÔÓÐÐí¶àÔÒò£ºÁé»îÐÔ£¬Ò×ÓÃÐԵȵȡ£µ«Í¨³£Ö»ÓÃPHP»òÕßÆäËûÓïÑÔ±àÂë¾Í»áÏԵõ¥µ÷¡¢Öظ´£¬Õâ ......
HTTP Only cookies without PHP 5.2
by Matt Mecham
on September 12, 2006
For a while, Microsoft have had a flag
for cookies called ‘httponly’. This doesn’t sound particularly
exciting, but it is a vital step forward for web application security.
This flag tells Internet Expl ......
