
Does setting HttpOnly on cookies on the server side affect cookies created in the browser?

I'm managing a server and have been looking into setting HttpOnly for my cookies.

While I don't have any cookies which are interacted with on both the server and client side, would enabling this option for all cookies prevent client-side generated cookies from being accessed on subsequent page loads?

To clarify, this would be set as a server option. I'm using Apache so this would be something like: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure in the Apache config.

Additionally, the question is based on using cookies for data storage. LocalStorage is outside of the question's context, even if it is a superior method to storing data purely used on the client side.

Would enabling this option for all cookies prevent client-side generated cookies from being accessed on subsequent page loads?

Yes. JS cannot access the values of cookies that the server response tagged with HttpOnly, and it cannot write new values to them either.

I haven't found out what exactly happens when JS tries to write to one nonetheless; browsers seem to shadow the http-sent one with a locally stored one that is only accessible by the client-side script. I wouldn't rely on this behaviour though; the write might simply be ignored. In older browsers there seem to have been bugs where the http-only cookie was written to.

However, there is no way to enable HttpOnly for all cookies. You have to set it on every exchanged cookie individually, so this option will only be enabled for those cookies that the server does send to the client with that flag.

So if you are configuring your Apache to enable that flag on all outgoing cookies, it still depends on whether your server application does mirror all the cookies sent by the client. Usually it would not, and send only the cookies it does want to set (for itself, to be used on the server).
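As an added illustration (not part of the original answer), here is a small Python model of the Apache rule from the question together with a browser-style cookie store, showing which cookies page script can still read. The CookieJar class, the regex emulation of `Header edit`, and the cookie names are assumptions made for this example, not real browser or Apache code.

```python
import re

# Emulates the Apache rule quoted in the question,
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# with Python's re module (assumption: the rule rewrites each Set-Cookie value as a whole).
HEADER_EDIT = (re.compile(r"^(.*)$"), r"\1;HttpOnly;Secure")

def apply_header_edit(set_cookie_values):
    """Apply the rule to every outgoing Set-Cookie header value, as Apache would."""
    pattern, repl = HEADER_EDIT
    return [pattern.sub(repl, v, count=1) for v in set_cookie_values]

def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=x' into (name, value, httponly)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, val, "httponly" in attrs

class CookieJar:
    """Minimal browser cookie store, constructed for this example (not a real browser)."""
    def __init__(self):
        self.cookies = {}  # name -> (value, httponly)

    def receive_response(self, set_cookie_values):
        for v in set_cookie_values:
            name, val, httponly = parse_set_cookie(v)
            self.cookies[name] = (val, httponly)

    def script_set(self, name, value):
        """document.cookie = 'name=value' from page script; assumed: writes to an
        existing HttpOnly cookie are ignored (the answer notes browsers have differed)."""
        if name in self.cookies and self.cookies[name][1]:
            return False
        self.cookies[name] = (value, False)
        return True

    def document_cookie(self):
        """What document.cookie exposes to script: non-HttpOnly cookies only."""
        return "; ".join(f"{n}={v}" for n, (v, h) in self.cookies.items() if not h)

    def cookie_header(self):
        """What the browser sends back in the Cookie request header: every cookie."""
        return "; ".join(f"{n}={v}" for n, (v, _) in self.cookies.items())

def demo(server_mirrors_client_cookies):
    """Constructed scenario: server sets 'session', script sets 'theme'.
    Returns (document.cookie as seen by script, Cookie header sent to the server)."""
    jar = CookieJar()
    jar.receive_response(apply_header_edit(["session=abc123; Path=/"]))
    jar.script_set("theme", "dark")  # client-side cookie, untouched by the Apache rule
    if server_mirrors_client_cookies:  # next response echoes the client's cookie back
        jar.receive_response(apply_header_edit(["theme=dark; Path=/"]))
    return jar.document_cookie(), jar.cookie_header()
```

Only when the server echoes the client-created cookie in a Set-Cookie header does the rule tag it HttpOnly and hide it from script; otherwise script keeps reading it on later page loads.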
