Secure Google tracking cookies


Question

I use Google Analytics on some pages of my website. My entire site uses SSL. Is it possible to secure the Google Analytics `__utm*` cookies?

At least I would like to enable the Secure flag on them. At best I would also like to set the HttpOnly flag on them, but I don't think the latter is possible (because Google uses JS to access the cookies, I think).

Is it possible to do this? And if so, how do I set it up?

Accepted answer

Short of modifying the GA script and storing your own local copy, no, you're not going to be able to set the Secure or HttpOnly flags. I imagine Google has made a conscious design decision about this, and certainly there can be advantages to being able to track the same user across both secure and insecure schemes.

You've got to ask yourself what you're trying to achieve with this, though: what's the potential exploit if a man in the middle can intercept and read or manipulate the cookie due to the lack of the Secure flag? Same again with the HttpOnly flag: what's the upside for the attacker if they can retrieve this cookie via an XSS exploit?

I've seen this sort of feedback from automated security scanners before; they are simply triggered by the missing flags without having the context of what the cookies are actually being used for. That would be my first guess at why a question like this would even come up.
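The answer's point is that a missing flag is only a finding in the context of what the cookie is for. As an added example that is not part of the original question or answer, the following Node.js audit parses `Set-Cookie` headers the way a scanner would and then rates a missing `Secure` or `HttpOnly` flag by what an attacker would actually gain. The sample headers, the cookie-name patterns and the severity labels are constructed for this example; classic Google Analytics cookies really are named `__utm` plus a letter, but every other name here is hypothetical.

```javascript
// Added example, not code from the original Q&A or from Google Analytics.
// Parses Set-Cookie headers the way a scanner would and triages missing
// Secure/HttpOnly flags using context about what each cookie is for.

// Constructed sample Set-Cookie headers (not captured from a real site).
const SAMPLE_SET_COOKIE_HEADERS = [
  "sessionid=9f2c1e; Path=/; HttpOnly",
  "__utma=173272373.1.1.1.1.1; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
  "csrftoken=q8w3; Path=/; Secure; SameSite=Strict",
  "theme=dark; Path=/",
];

// Cookies that page script must be able to read (analytics, UI preferences)
// can never carry HttpOnly, so a missing HttpOnly on them is expected.
// These name patterns are assumptions for this example; classic GA cookies
// are named __utm followed by a letter.
const SCRIPT_READABLE_PATTERNS = [/^__utm[a-z]$/, /^_ga/, /^theme$/];

function isScriptReadableByDesign(name) {
  return SCRIPT_READABLE_PATTERNS.some((re) => re.test(name));
}

// Split "name=value; Attr; Attr=val" into its parts. Attribute names are
// matched case-insensitively, as browsers do (RFC 6265 section 5.2).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Rate each missing flag by what an attacker would actually gain.
function auditCookie(cookie) {
  const findings = [];
  const attrs = cookie.attributes;
  const scriptReadable = isScriptReadableByDesign(cookie.name);

  if (!("secure" in attrs)) {
    findings.push({
      flag: "Secure",
      // Without Secure, a network attacker can read the cookie on any
      // plain-HTTP request and can also plant (fix) a value. That matters
      // for a session token; a tracking cookie is a low-value target.
      severity: scriptReadable ? "low" : "high",
      reason: scriptReadable
        ? "tracking/preference cookie exposed to plaintext; little attacker upside"
        : "cookie readable and fixable by a man in the middle over plain HTTP",
    });
  }

  if (!("httponly" in attrs)) {
    findings.push({
      flag: "HttpOnly",
      // If page script needs the cookie, HttpOnly cannot be set; report it
      // as information rather than as a vulnerability.
      severity: scriptReadable ? "info" : "high",
      reason: scriptReadable
        ? "cookie is read by page script by design; HttpOnly is not applicable"
        : "XSS could exfiltrate this cookie",
    });
  }

  return { name: cookie.name, findings };
}

function auditSetCookieHeaders(headers) {
  return headers.map((h) => auditCookie(parseSetCookie(h)));
}

// Tally findings by severity so the "missing flag" noise is visible at a glance.
function countBySeverity(report) {
  const counts = {};
  for (const entry of report) {
    for (const f of entry.findings) {
      counts[f.severity] = (counts[f.severity] || 0) + 1;
    }
  }
  return counts;
}

// Stand-alone run: print the triaged report for the constructed headers.
const REPORT = auditSetCookieHeaders(SAMPLE_SET_COOKIE_HEADERS);
console.log(JSON.stringify(REPORT, null, 2));
console.log(countBySeverity(REPORT));
```

On the constructed headers, an unqualified scanner would report six missing flags; the triage leaves two that matter (the session and CSRF cookies) and marks the rest as low or informational. The same logic applies to cookies written from page script: `document.cookie` can carry `Secure` and `SameSite`, but a browser ignores `HttpOnly` there, so a script-set cookie can never be `HttpOnly` no matter who sets it.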

