
Cookie without Secure flag and HttpOnly flag set

Recently a scan was run on one of our applications and it returned the following security threats:

1. Cookies Not Marked As Secure :: Cookie without Secure flag set

2. Cookie without HttpOnly flag set :: Cookie without HttpOnly flag set

$this->cache_ptr = new CACHE($_COOKIE["sess"], 0, 0);

CACHE is a user-built library that uses Sessions etc.

I am not sure about the right syntax to mark the cookie secure and set the cookie with the HttpOnly flag. Also, this is a legacy application running in PHP 4. Can someone please help me with this or point me to a resource?

EDIT: I implemented Sven's recommendation. Is there a way I can test the secure functionality?

Also, since I am using PHP 4 (which will have to be updated eventually) I cannot use httponly in the setcookie function. So does that mean I need to add the following line before the setcookie function?

header("Set-Cookie: hidden=value; httpOnly");

Will it interfere with my setcookie function?

Use setcookie(). Read about it here. Set the sixth parameter to true to make the cookie secure.

The code you are showing does not set the cookie. It might trigger setting a cookie, but essentially you must look at the CACHE class and see what's going on there.

You are looking for function calls of setcookie(), and if not found, for header('Set-Cookie...').

You'll have to change setcookie() to include all the default values for the optional parameters, until at the end you set the last two to true for secure and httponly.

Have a look at the manual: http://de1.php.net/setcookie
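The following is an added example, not code from the question, from either answer, or from the CACHE library. It shows the approach described in the answers: on PHP 5.2 and later the sixth and seventh setcookie() parameters set Secure and HttpOnly; on PHP 4, where setcookie() has no HttpOnly parameter, the Set-Cookie header is written by hand for that cookie instead of calling setcookie() for it, so the two never clash. The function name set_secure_cookie() and the sample session value are assumptions; the cookie name "sess" comes from the question.

```php
<?php
// Added example: emit one cookie with both the Secure and HttpOnly flags,
// working on PHP 4 as well as PHP >= 5.2. set_secure_cookie() is a
// hypothetical helper name, not part of the CACHE library.

function set_secure_cookie($name, $value, $expire = 0, $path = '/', $domain = '')
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // PHP 5.2+: sixth parameter = Secure, seventh = HttpOnly.
        // Every optional parameter before them must be given explicitly.
        return setcookie($name, $value, $expire, $path, $domain, true, true);
    }

    // PHP 4 / PHP < 5.2: no HttpOnly parameter exists, so build the header
    // ourselves. Do NOT also call setcookie() for this cookie, or the browser
    // receives two Set-Cookie headers for the same name.
    $header = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value);
    if ($expire > 0) {
        // Same date format setcookie() itself emits.
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    $header .= '; secure; HttpOnly';

    // Second argument false: append this header instead of replacing any
    // Set-Cookie header already queued for other cookies.
    header($header, false);
    return true;
}

// Like setcookie(), this only works before any output has been sent.
if (!headers_sent()) {
    // Constructed sample value; in the real application this would be the
    // session identifier the CACHE class hands out.
    set_secure_cookie('sess', 'constructed-session-id-value', 0, '/');
}
```

To check the result, look at the raw response headers (browser developer tools, or a request against the HTTPS URL with curl -i) for a line like `Set-Cookie: sess=...; path=/; secure; HttpOnly`. Remember that a browser will only send a Secure cookie back over HTTPS, so testing the application over plain http will look like the cookie was never stored; that is the flag working, not a bug.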
