堆栈内存溢出
  繁体   English   中英

如何使JavaScript Cookie安全。 我已经尝试过使用正则表达式来保护url和cookie值,但是没有人在工作

[英]How to make javascript cookie secure. I have tried the regex for securing the url and cookie value but no one is working

 原文  2018-07-12 07:27:50       javascript

问题描述

这是我的cookie代码。 

var campaignId ="someCookieValue";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000));   // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
document.cookie = 'sourceUrl='+ window.location.href + ";" + expires;

尝试此验证 

var campaignId ="someCookieValue";  
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000));   // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
var value = new RegExp(/^[a-zA-Z0-9\-_\.:]*$/);
if(value.test(campaignId))
    document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
var expression =/[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
var pattern = new RegExp(expression);
var cookieValue = window.location.href;
if(cookieValue){
    if(value.test(cookieValue)) {
        cookieValue = encodeURIComponent(cookieValue);
        document.cookie = 'sourceUrl='+ cookieValue + ";" + expires;
    }
}

我在对document.cookie进行强化扫描时遇到问题,例如main.js lambda()方法在第486行的HTTP cookie中包含未验证的数据。这会启用Cookie操纵攻击,并可能导致其他HTTP Response标头操纵攻击,例如: cache-poisoningcross-site scriptingcross-user defacementpage hijackingopen redirect

1 个解决方案

解决方案1
 0  2018-07-12 12:07:10

找到了解决方案。 我通过外部cryptoJs对cookie值进行了加密,并解决了扫描问题。 

var campaignId ="someCookieValue";
    var mySecret ="mysecret";
    var d = new Date();
            d.setTime(d.getTime() + (365*24*60*60*1000));   // SET COOKIE EXPIRY TO 365 days.
            var expires = "expires="+ d.toUTCString();
            var mySecret ="mysecret";
            var cookieValue = window.location.href;
            //Here I added encryption
            campaignId = CryptoJS.AES.encrypt(campaignId, mySecret);
            cookieValue = CryptoJS.AES.encrypt(cookieValue, mySecret); //end
            document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
            document.cookie = 'sourceUrl='+ cookieValue + ";" + expires;

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我只能使Cookie在JavaScript中具有一个值 如何使用JavaScript中的XMLHttpRequest更改“ Cookie”(在标头字段中)中一个cookie的值? JavaScript我如何制作Cookie / + 1动画 PHP Cookie安全的JavaScript 如何使用 javascript 设置 cookie 安全标志 如何编辑安全 cookie? 如何基于读取的cookie值使超链接指向不同的URL? 如何使动态值不是 cookie 如何将JavaScript值传递给Cookie 如何使用JavaScript读取Cookie值?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM