[英]How Can I Force HttpOnly FALSE On Cookies So JavaScript Can Read Them With PHP Cross-Domain?
I need highly promiscuous cookies on X.com because security is not a concern. 我不需要X.com上高度混杂的cookie,因为安全性不是问题。 How can I enforce HttpOnly to be false on cookies made in domain X.com, so that JavaScript on AnyRandomUnexpectedDomain.com can call X.com/readCookie.php and readCookie.php can send back the data in X.com cookies?
如何在域X.com中制作的Cookie上强制HttpOnly为false,以便AnyRandomUnexpectedDomain.com上的JavaScript可以调用X.com/readCookie.php,而readCookie.php可以将X.com cookie中的数据发送回去?
readCookie.php has header("Access-Control-Allow-Origin: *") and the nginx web server has Access-Control-Allow-Origin wide open as well. readCookie.php具有标头(“ Access-Control-Allow-Origin:*”),nginx Web服务器也具有完全打开的Access-Control-Allow-Origin。 In php.ini session.cookie_httponly = 0, but of course, that is only for sessions, not permanent cookies.
在php.ini中,session.cookie_httponly = 0,但这当然仅用于会话,而不是永久性cookie。 With this setup, remote execution calls and AJAX data flow cross-domain are working properly, but the only problem is the $_COOKIE["auth"] call added to readCookie.php returns nothing, even when the auth cookie is created with HttpOnly explicitly set to FALSE, like this:
使用此设置,远程执行调用和AJAX数据流跨域工作正常,但是唯一的问题是添加到readCookie.php的$ _COOKIE [“ auth”]调用不返回任何内容,即使使用HttpOnly显式创建了auth cookie设置为FALSE,如下所示:
setcookie("auth",$secret,time()+3600*24*365,"/",null,false,false);
What else is needed in the code, web server, PHP, etc., so that $_COOKIE["auth"] returns the value of the X.com cookie to AnyRandomUnexpectedDomain.com? 代码,Web服务器,PHP等中还需要什么,以便$ _COOKIE [“ auth”]将X.com cookie的值返回给AnyRandomUnexpectedDomain.com?
I use session_set_cookie_params
for setting cookie. 我使用
session_set_cookie_params
设置cookie。 This is the code I use. 这是我使用的代码。
$session_name = 'somesessionname';
$secure = false; //for https
$httponly = false; //as per use in javascript
if (ini_set('session.use_only_cookies', 1) === FALSE) {
//err=Could not initiate a safe session
exit();
}
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure, $httponly);
session_name($session_name);
session_start();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.