简体繁体 English

如何使用 JavaScript 读取 HttpOnly cookie

[英]How to read a HttpOnly cookie using JavaScript

原文 2011-11-09 11:24:52 2 3 javascript/ security/ cookies

EDIT编辑

What one means by "a secure cookie" is ambiguous. “安全cookie”的含义是模棱两可的。 To clarify:澄清：

Secure as in sent over the https:// protocol — ie.安全如通过https://协议发送 - 即。 cookie is not sent in plaintext. cookie不是以明文形式发送的。 Known as the "secure flag"被称为“安全标志”
Secure as in the cookie cannot be read by Javascript running in the browser — ie.浏览器中运行的 Javascript 无法读取 cookie 中的安全 - 即。 document.cookie will not work. document.cookie将不起作用。 Known as the "HttpOnly" flag.称为“HttpOnly”标志。

This edit is to clarify that the original question is asking about the 2nd case.此编辑是为了澄清原始问题是在询问第二种情况。

Original Question原始问题

Is there any way to read a secure cookie with JavaScript?有什么方法可以使用 JavaScript 读取安全 cookie？
I tried to do it using document.cookie and as far as I can see on this article about secure cookies and HttpOnly flag , I cannot access a secure cookie this way.我尝试使用document.cookie来做到这一点，据我在这篇关于安全 cookie 和 HttpOnly 标志的文章中看到的，我无法以这种方式访问安全 cookie。

Can anyone suggest a workaround?任何人都可以提出解决方法吗？

3 个解决方案

Different Browsers enable different security measures when the HTTPOnly flag is set. 当设置 HTTPOnly 标志时，不同的浏览器启用不同的安全措施。 For instance Opera and Safari do not prevent javascript from writing to the cookie.例如 Opera 和 Safari 不会阻止 javascript 写入 cookie。 However, reading is always forbidden on the latest version of all major browsers.但是，在所有主要浏览器的最新版本上始终禁止阅读。

But more importantly why do you want to read an HTTPOnly cookie?但更重要的是，为什么要读取HTTPOnly cookie？ If you are a developer, just disable the flag and make sure you test your code for xss.如果您是开发人员，只需禁用该标志并确保您针对 xss 测试您的代码。 I recommend that you avoid disabling this flag if at all possible.我建议您尽可能避免禁用此标志。 The HTTPOnly flag and "secure flag" (which forces the cookie to be sent over https) should always be set.应始终设置HTTPOnly标志和“安全标志”（强制通过 https 发送 cookie）。

If you are an attacker , then you want to hijack a session .如果您是攻击者，那么您想劫持一个会话。 But there is an easy way to hijack a session despite the HTTPOnly flag.但是，尽管有HTTPOnly标志，但仍有一种简单的方法可以劫持会话。 You can still ride on the session without knowing the session id.您仍然可以在不知道会话 ID 的情况下乘坐会话。 The MySpace Samy worm did just that. MySpace Samy 蠕虫就是这样做的。 It used an XHR to read a CSRF token and then perform an authorized task.它使用XHR读取CSRF令牌，然后执行授权任务。 Therefore, the attacker could do almost anything that the logged user could do.因此，攻击者几乎可以做任何登录用户可以做的事情。

People have too much faith in the HTTPOnly flag, XSS can still be exploitable.人们对HTTPOnly标志过于信任， XSS仍然可以被利用。 You should setup barriers around sensitive features.您应该围绕敏感功能设置障碍。 Such as the change password filed should require the current password.如更改密码字段应要求当前密码。 An admin's ability to create a new account should require a captcha, which is a CSRF prevention technique that cannot be easily bypassed with an XHR .管理员创建新帐户的能力应该需要验证码，这是一种CSRF 预防技术，不能用XHR轻易绕过。

The whole point of HttpOnly cookies is that they can't be accessed by JavaScript. HttpOnly cookie 的全部意义在于 JavaScript 无法访问它们。

The only way (except for exploiting browser bugs) for your script to read them is to have a cooperating script on the server that will read the cookie value and echo it back as part of the response content.让您的脚本读取它们的唯一方法（利用浏览器错误除外）是在服务器上有一个协作脚本，该脚本将读取 cookie 值并将其作为响应内容的一部分回显。 But if you can and would do that, why use HttpOnly cookies in the first place?但是，如果您可以并且愿意这样做，为什么首先要使用 HttpOnly cookie？

You can not.你不能。 Httponly cookies' purpose is being inaccessible by script.脚本无法访问 Httponly cookie 的目的。

One of the ways is to use safari web inspector, and in storage tab you can see all cookies, httpOnly or not, and just select the cookie Command+C, to copy it. 一种方法是使用Safari Web检查器，在“存储”选项卡中，您可以看到所有cookie（无论是否为httpOnly），只需选择Command + C即可复制它。

Once you have the string you can easily parse it back with any cookie parser or plain javascript. 有了字符串后，您可以轻松地使用任何cookie解析器或纯JavaScript解析它。

Going straight to your question, CanActivate or RouteGuard is not a must to prevent user from navigating to Admin routes because of the nature of cookie based auth.直接回答您的问题，由于基于 cookie 的身份验证的性质，CanActivate 或 RouteGuard 不是阻止用户导航到 Admin 路由的必要条件。 You first have to login in order to get the cookie, if your domain and credentials checkouts, the next request will be the user with the credentials set to true.您首先必须登录才能获取 cookie，如果您的域和凭据签出，则下一个请求将是凭据设置为 true 的用户。 If the cookies matches, the user data will be returned, otherwise will be an error (unauthenticated 401).如果cookies匹配，则返回用户数据，否则会报错（unauthenticated 401）。 All you have to do is check for the user, after subscribe, if you fall into next, then they can proceed, if they fall in error then they will be redirected to login.您所要做的就是检查用户，订阅后，如果您进入下一个，那么他们可以继续，如果他们出错，那么他们将被重定向到登录。

The scenario above assumes that you have two layout components, one for Admin and another for public.上面的场景假设您有两个布局组件，一个用于 Admin，另一个用于公共。 The AdminLayout component will contain the router-outlet for all the children routes under admin. AdminLayout 组件将包含 admin 下所有子路由的路由器出口。 When you login, if you succeed, you are redirected to the dashboard or home.当您登录时，如果成功，您将被重定向到仪表板或主页。 To get to the dashboard, you have to go through AdminLayout, once you get to AdminLayout you get the user, if you succeed, move on, if not, return to login.要进入仪表板，您必须通过 AdminLayout，一旦进入 AdminLayout，您将获得用户，如果成功，则继续，否则，返回登录。

As final remark, Cookie Auth is not more secure than JWT toke, everything has advantage and disadvantages.最后要说的是，Cookie Auth 并不比 JWT 令牌更安全，一切都有利有弊。