Zend 框架、会话和 HttpOnly
我想让我的会话 cookie HttpOnly。基于本文,我将其添加到我的 application.ini 中:
resources.session.cookie_httponly = true
不幸的是,当我查看 Firecookie,它没有按照我的指定标记为HttpOnly。我缺少哪一步?
I want to make my session cookie HttpOnly. Based on this article, I added this to my application.ini:
resources.session.cookie_httponly = true
Unfortunately, when I look at the session cookie in Firecookie, it is not marked as HttpOnly as I have specified. What step am I missing?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
尝试在引导程序中执行
Zend_Session::setOptions(array('cookie_httponly' => true));(在会话首次初始化之前的某个位置),但它也应该与 app.ini 文件一起使用。Try at bootstrap to do
Zend_Session::setOptions(array('cookie_httponly' => true));( somewhere before the session is first initialized ) tough it should work with the app.ini file too .将其添加到您的 application.ini 文件中。
Add this to your application.ini file.
为了做到这一点 100% 安全。
服务器不应允许选项 http 跟踪。
http 选项跟踪报告会话 ID。
如果攻击者可以使用 ajax 注入 java applet、flash 或 javascript,那么即使设置了 httponly 标志,攻击者也可以窃取 cookie...
For this to be 100% safe.
The server should not allow the option http trace.
The http option trace reports the session id.
If a attacker can inject a java applet, flash or javascript with ajax the attacker can also steal cookies even with the httponly flag set...