通过安全连接发出非安全 cookie 会导致伪安全 cookie
当 Firefox 通过 HTTPS 连接接收 cookie 时,它似乎将其视为安全 cookie,即使服务器没有将其作为安全 cookie 发送。
当我在 Firefox 中检查 cookie 时,它显示“发送:仅加密连接”。当 Firefox 在后续安全请求中将 cookie 发送到服务器时,在 Java 中检查 cookie (Cookie.getSecure()) 表明发送的 cookie 不安全。 Firefox 拒绝通过非安全连接发送此类 cookie。
Konqueror 表现出相同的行为。
我想确保客户端将通过 HTTP 请求发送 cookie,或者知道标记为非安全的特定任意 cookie 永远不会作为非安全请求的一部分发送。有什么办法可以做到这一点吗?
When Firefox receives a cookie via an HTTPS connection, it appears to treat it as a secure cookie, even though the server did not send it as a secure cookie.
When I inspect the cookie from within Firefox, it displays "Send For: Encrypted connections only". When Firefox sends the cookie to the server in subsequent secure requests, inspection of the cookie in Java (Cookie.getSecure()) indicates that the sent cookie is not secure. Firefox refuses to send such cookies over non-secure connections.
Konqueror exhibits the same behavior.
I'd like either to ensure that the client will send the cookie over an HTTP request or know that a particular, arbitrary cookie flagged as non-secure will never be sent as part of a non-secure request. Is there any way to do this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
Firefox 在通过 https 接收时不会自动将 cookie 提升为安全,也不会通过 https 发送非安全 cookie: (设置 cookie)
请参阅第 1950 行发送 cookie。
如果您查看 https 响应中的 http 标头,Set-Cookie 标头中是否有“安全”标志?
如果您不指定“secure”标志,则 cookie 将通过 http 和 https 发送。无法将非安全 cookie 作为非安全请求的一部分发送。 (你还有别的意思吗?)
Firefox won't automatically promote cookies to secure when received over https, nor will it not send non-secure cookies over https: (setting the cookie)
See line# 1950 for sending the cookie.
If you look at the http header in the https response, is there a 'secure' flag in the Set-Cookie header?
If you don't specify the 'secure' flag, the cookie will be sent over both http and https. There's no way to make a non-secure cookie be sent as part of a non-secure request. (Did you mean something else?)