
PHP session params secure and httpOnly

My sysadmin made a scan and told me that I should activate the secure parameter for PHP sessions (the site is using HTTPS).

We found that people also used httpOnly at the same time, but that seems to be a bit contradictory. What should I do? Activate both, or only secure?

It is definitely best practice to set both flags.

Secure means that the client web browser will send the cookie with the session id back to the server only if the https protocol is used.

HttpOnly means that the client browser will block access to the cookie from JavaScript. It protects your users from session stealing (i.e. in case you have an XSS vulnerability on your website).

httponly has nothing (well, for the most part) to do with whether or not you are using https... yes, you should enable both. See https://www.owasp.org/index.php/HttpOnly for more info on httponly.
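Both answers above say to set both flags but neither shows the PHP side. The following is an added example, not code from the question or from either answer: it shows the weak setting beside the hardened one, refuses to start a session on a plain-HTTP request (where a Secure cookie would never be returned by the browser anyway), and checks afterwards that both flags are in effect. It assumes PHP 7.3 or later (the array form of session_set_cookie_params and the samesite key); the function names start_hardened_session and session_cookie_flags_ok are my own, not part of PHP.

```php
<?php
// Added example (not from the original question or answers).
// Assumes PHP >= 7.3 for the array form of session_set_cookie_params().

// Weak configuration, shown only for contrast: the session cookie is also
// sent over plain HTTP and is readable from document.cookie, so any XSS bug
// on the site can exfiltrate the session id.
//   session_set_cookie_params(['secure' => false, 'httponly' => false]);

// Hardened configuration. Must run before session_start(); the cookie
// attributes are fixed at the moment the session cookie is emitted.
function start_hardened_session(): void
{
    // A Secure cookie is never sent back over http://, so a session started
    // on an insecure request would silently break on the next request.
    // Refuse instead of degrading.
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
          || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (!$https) {
        http_response_code(403);
        exit('Sessions are only started over HTTPS.');
    }

    // Companion settings (php.ini equivalents: session.use_only_cookies=1,
    // session.use_strict_mode=1): never accept the id from the URL, and
    // reject ids the server did not generate (session fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    // Equivalent php.ini settings: session.cookie_secure=1,
    // session.cookie_httponly=1, session.cookie_samesite=Lax.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // sent only over HTTPS
        'httponly' => true,     // not exposed to JavaScript (document.cookie)
        'samesite' => 'Lax',    // additionally limits cross-site sending (CSRF)
    ]);

    session_start();
}

// Self-check: both flags must be in effect on the running configuration.
// session_get_cookie_params() returns booleans for 'secure' and 'httponly'.
function session_cookie_flags_ok(): bool
{
    $p = session_get_cookie_params();
    return $p['secure'] === true && $p['httponly'] === true;
}

start_hardened_session();
if (!session_cookie_flags_ok()) {
    error_log('Session cookie is missing the Secure or HttpOnly flag');
}
```

To confirm from outside, as the sysadmin's scanner did, request the page over HTTPS and read the Set-Cookie header for PHPSESSID: both the secure and HttpOnly attributes must appear on it (for example with curl -sI https://your-host/ and looking at the Set-Cookie line). If either is missing, something is calling session_start() before these settings are applied.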

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to reproduce them, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

Guangdong ICP filing no. 18138465  © 2020-2024 STACKOOM.COM