[英]How to make javascript cookie secure. I have tried the regex for securing the url and cookie value but no one is working
这是我的cookie代码。
var campaignId ="someCookieValue";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000)); // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
document.cookie = 'sourceUrl='+ window.location.href + ";" + expires;
尝试此验证
var campaignId ="someCookieValue";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000)); // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
var value = new RegExp(/^[a-zA-Z0-9\-_\.:]*$/);
if(value.test(campaignId))
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
var expression =/[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
var pattern = new RegExp(expression);
var cookieValue = window.location.href;
if(cookieValue){
if(value.test(cookieValue)) {
cookieValue = encodeURIComponent(cookieValue);
document.cookie = 'sourceUrl='+ cookieValue + ";" + expires;
}
}
我在对document.cookie
进行强化扫描时遇到问题,例如main.js
lambda()
方法在第486行的HTTP cookie中包含未验证的数据。这会启用Cookie操纵攻击,并可能导致其他HTTP Response标头操纵攻击,例如: cache-poisoning
, cross-site scripting
, cross-user defacement
, page hijacking
或open redirect
。
找到了解决方案。 我通过外部cryptoJs对cookie值进行了加密,并解决了扫描问题。
var campaignId ="someCookieValue";
var mySecret ="mysecret";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000)); // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
var mySecret ="mysecret";
var cookieValue = window.location.href;
//Here I added encryption
campaignId = CryptoJS.AES.encrypt(campaignId, mySecret);
cookieValue = CryptoJS.AES.encrypt(cookieValue, mySecret); //end
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
document.cookie = 'sourceUrl='+ cookieValue + ";" + expires;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.