Cookie without Secure flag and HttpOnly flag set
Recently a scan was run on one of our applications and it returned the following security threats:
1. Cookies Not Marked As Secure :: Cookie without Secure flag set
2. Cookie without HttpOnly flag set :: Cookie without HttpOnly flag set
$this->cache_ptr = new CACHE($_COOKIE["sess"], 0, 0);
CACHE is a user-built library that uses Sessions etc.
I am not sure about the right syntax to mark the cookie Secure and to set the cookie with the HttpOnly flag. Also, this is a legacy application running in PHP 4. Can someone please help me with this or point me to a resource?
EDIT: I implemented Sven's recommendation. Is there a way I can test the Secure functionality?
Also, since I am using PHP 4 (which will have to be updated eventually) I cannot use httponly in the setcookie function. So does that mean I need to add the following line before the setcookie function?
header("Set-Cookie: hidden=value; httpOnly");
Will it interfere with my setcookie function?
The code you are showing does not set the cookie. It might trigger setting a cookie, but essentially you must look at the CACHE class and see what's going on there.
You are looking for function calls of setcookie(), and if not found, for header('Set-Cookie...').
You'll have to change setcookie() to include all the default values for the optional parameters, until at the end you set the last two to true for secure and httponly.
Have a look at the manual: http://de1.php.net/setcookie
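The following is an added example, not code from the question or from Sven's answer, showing both routes the answer describes: the positional setcookie() call with secure and httponly set on PHP 5.2 and later, and a hand-built Set-Cookie header for PHP 4, where setcookie() has no httponly parameter. The cookie name "sess" is taken from the asker's $_COOKIE["sess"]; the value, expiry, path and domain are illustrative assumptions.

```php
<?php
// Added example: emit one cookie with both the Secure and HttpOnly attributes
// in a way that works on PHP 4 as well as on PHP 5.2+.
// Assumptions: the page is served over HTTPS (a Secure cookie is never sent
// over plain http://), and nothing has been output yet, since headers must
// precede the response body.

function set_secure_cookie($name, $value, $expires = 0, $path = '/', $domain = '')
{
    // PHP 5.2.0 added the 7th parameter (httponly) to setcookie(). The
    // parameters are positional, so every optional one before it has to be
    // spelled out even when it is just the default.
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        //               name   value   expire    path   domain  secure httponly
        return setcookie($name, $value, $expires, $path, $domain, true,  true);
    }

    // PHP 4 / 5.0 / 5.1: build the header by hand, mirroring what setcookie()
    // would emit and appending the two attributes the old signature lacks.
    $cookie = rawurlencode($name) . '=' . rawurlencode($value);
    if ($expires > 0) {
        $cookie .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
    }
    if ($path !== '') {
        $cookie .= '; path=' . $path;
    }
    if ($domain !== '') {
        $cookie .= '; domain=' . $domain;
    }
    $cookie .= '; secure; HttpOnly';

    // The second argument MUST be false. header()'s default (replace = true)
    // replaces every earlier header with the same name, so a plain
    // header('Set-Cookie: ...') after a setcookie() call would silently throw
    // away the cookie that setcookie() already queued.
    header('Set-Cookie: ' . $cookie, false);
    return true;
}

// Usage, before any output: a constructed session value stands in for the
// real one produced by the CACHE class.
set_secure_cookie('sess', 'c0nstructed-session-id', 0, '/');
```

This also answers the question of whether a manual header("Set-Cookie: ...") line interferes with setcookie(): it does if the replace argument is left at its default, because the later header replaces the earlier Set-Cookie, so pass false to append instead. To check the result without a browser, request the page with curl -sI https://your-host/path and confirm the response contains a line like Set-Cookie: sess=...; secure; HttpOnly; then repeat the request over http:// and confirm that a client holding the cookie (for example curl with -b) does not send it back over the plaintext connection. In a browser, the cookie inspector in the developer tools shows the Secure and HttpOnly columns, and document.cookie in the console must not list an HttpOnly cookie.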