
How to make a JavaScript cookie secure? I have tried the regex for securing the URL and cookie value but none of them is working

This is my cookie code.

var campaignId ="someCookieValue";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000));   // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
document.cookie = 'sourceUrl='+ window.location.href + ";" + expires;

Tried this for validating:

var campaignId = "someCookieValue";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000));   // SET COOKIE EXPIRY TO 365 days.
var expires = "expires=" + d.toUTCString();
// allow-list for the campaign id: letters, digits, '-', '_', '.', ':'
var value = new RegExp(/^[a-zA-Z0-9\-_\.:]*$/);
if (value.test(campaignId))
    document.cookie = 'campaignId=' + campaignId + "; Domain=" + document.domain + "; path=/; " + expires;
// loose URL-shape check for the source URL
var expression = /[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
var pattern = new RegExp(expression);
var cookieValue = window.location.href;
if (cookieValue) {
    // test the URL against the URL pattern (the original tested it against the
    // campaign-id regex, which rejects every URL because '/' is not in that class)
    if (pattern.test(cookieValue)) {
        cookieValue = encodeURIComponent(cookieValue);
        document.cookie = 'sourceUrl=' + cookieValue + ";" + expires;
    }
}

I'm getting an issue in the Fortify scan on document.cookie: "the method lambda() in main.js includes unvalidated data in an HTTP cookie on line 486. This enables Cookie Manipulation attacks and can lead to other HTTP Response header manipulation attacks like: cache poisoning, cross-site scripting, cross-user defacement, page hijacking or open redirect."

Found the solution. I encrypted my cookie values with an external CryptoJS and the Fortify scan issue was resolved.

var campaignId = "someCookieValue";
var mySecret = "mysecret";                       // key for CryptoJS (the CryptoJS script must be loaded first)
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000));   // SET COOKIE EXPIRY TO 365 days.
var expires = "expires=" + d.toUTCString();
var cookieValue = window.location.href;
// Here I added encryption. CryptoJS.AES.encrypt returns a CipherParams object;
// toString() gives its Base64 (OpenSSL-format) ciphertext, which is what ends up in the cookie.
campaignId = CryptoJS.AES.encrypt(campaignId, mySecret).toString();
cookieValue = CryptoJS.AES.encrypt(cookieValue, mySecret).toString(); // end
document.cookie = 'campaignId=' + campaignId + "; Domain=" + document.domain + "; path=/; " + expires;
document.cookie = 'sourceUrl=' + cookieValue + ";" + expires;
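The Fortify finding is about unvalidated data reaching document.cookie, so the practical fix is to constrain and encode what goes into the cookie string and to set the protective attributes; encrypting in the browser with CryptoJS puts the key in the same script every visitor downloads, so it quiets the scanner but does not stop a visitor from reading or forging the value. The following is an added example, not the poster's code: buildCookie, sourceUrlCookie and campaignCookie are assumed names, and the cookie names are the ones from the question.

```javascript
// Added example, not the poster's code: build the cookie string before it touches
// document.cookie. Names are limited to RFC 6265 token characters and values are
// percent-encoded, so ';', whitespace and CR/LF can never escape the value and add
// attributes or header lines (the defect class the Fortify finding describes).
const COOKIE_NAME_RE = /^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/;
const COOKIE_PATH_RE = /^\/[^\x00-\x1f\x7f;]*$/;     // no control characters, no ';'
const CAMPAIGN_ID_RE = /^[A-Za-z0-9_.:-]{1,64}$/;     // the question's allow-list plus a length bound

function buildCookie(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new Error('invalid cookie name');
  const parts = [name + '=' + encodeURIComponent(String(value))];
  if (opts.maxAgeSeconds !== undefined) {
    if (!Number.isInteger(opts.maxAgeSeconds) || opts.maxAgeSeconds < 0) throw new Error('invalid Max-Age');
    parts.push('Max-Age=' + opts.maxAgeSeconds);
  }
  if (opts.path !== undefined) {
    if (!COOKIE_PATH_RE.test(opts.path)) throw new Error('invalid Path');
    parts.push('Path=' + opts.path);
  }
  parts.push('Secure');                                 // never sent over plain HTTP
  parts.push('SameSite=' + (opts.sameSite || 'Lax'));   // withheld from cross-site subrequests and POSTs
  const cookie = parts.join('; ');
  if (cookie.length > 4096) throw new Error('cookie too large');
  return cookie;
}

// Only an http(s) URL is recorded as the source; anything else is dropped (returns null).
function sourceUrlCookie(href, maxAgeSeconds) {
  let u;
  try { u = new URL(href); } catch (e) { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return buildCookie('sourceUrl', u.href, { maxAgeSeconds, path: '/' });
}

// The campaign id is checked against the allow-list before it is stored (returns null otherwise).
function campaignCookie(campaignId, maxAgeSeconds) {
  if (!CAMPAIGN_ID_RE.test(campaignId)) return null;
  return buildCookie('campaignId', campaignId, { maxAgeSeconds, path: '/' });
}

// Browser usage (document/window exist only in a browser). No Domain attribute is set,
// so the cookies stay host-only instead of being shared with every subdomain.
if (typeof document !== 'undefined') {
  const oneYear = 365 * 24 * 60 * 60;
  const c1 = campaignCookie('someCookieValue', oneYear);
  if (c1) document.cookie = c1;
  const c2 = sourceUrlCookie(window.location.href, oneYear);
  if (c2) document.cookie = c2;
}
```

Whatever reads sourceUrl back must decodeURIComponent it, and a value that fails the allow-list is simply not stored rather than being "cleaned up".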
