[英]How to make javascript cookie secure. I have tried the regex for securing the url and cookie value but no one is working
這是我的cookie代碼。
var campaignId ="someCookieValue";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000)); // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
document.cookie = 'sourceUrl='+ window.location.href + ";" + expires;
嘗試此驗證
var campaignId ="someCookieValue";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000)); // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
var value = new RegExp(/^[a-zA-Z0-9\-_\.:]*$/);
if(value.test(campaignId))
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
var expression =/[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
var pattern = new RegExp(expression);
var cookieValue = window.location.href;
if(cookieValue){
if(value.test(cookieValue)) {
cookieValue = encodeURIComponent(cookieValue);
document.cookie = 'sourceUrl='+ cookieValue + ";" + expires;
}
}
我在對document.cookie
進行強化掃描時遇到問題,例如main.js
lambda()
方法在第486行的HTTP cookie中包含未驗證的數據。這會啟用Cookie操縱攻擊,並可能導致其他HTTP Response標頭操縱攻擊,例如: cache-poisoning
, cross-site scripting
, cross-user defacement
, page hijacking
或open redirect
。
找到了解決方案。 我通過外部cryptoJs對cookie值進行了加密,並解決了掃描問題。
var campaignId ="someCookieValue";
var mySecret ="mysecret";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000)); // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
var mySecret ="mysecret";
var cookieValue = window.location.href;
//Here I added encryption
campaignId = CryptoJS.AES.encrypt(campaignId, mySecret);
cookieValue = CryptoJS.AES.encrypt(cookieValue, mySecret); //end
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
document.cookie = 'sourceUrl='+ cookieValue + ";" + expires;
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.