使用Javascript生成的cookie(服务器未发送标头)是否可以被攻击者窃取/使用? [英] Can a cookie that was generated with Javascript (not send in the header by the server) be stolen / used by an attacker?

问题描述

我使用Javascript保存cookie，然后使用Javascript从cookie中获取值.
我通过ajax标头中的https传达cookie的内容.
我不会使用服务器的会话.

I save the cookie with Javascript, and I get the values from the cookie with Javascript.
I communicate the content of the cookie over https in the ajax header.
I will not use the server's session.

攻击者是否可以通过任何方式获取Cookie的内容?

Is there any way the attacker can get to the content of the cookie?

推荐答案

我认为您担心中间人.如果您不将HTTPS与浏览器cookie一起使用，并且/或者您混合使用不安全的HTTP请求之一与cookie一起发送的混合媒体，则可能会发生这种情况.确保使用HTTPS对其进行了加密，然后确保它相当安全(但并非没有足够的计算能力就可以破解)

I think you're worried about Man in the Middle. This could happen if you aren't using HTTPS with your browser cookie and/or you have mixed media where one of the insecure HTTP requests is sent with the cookie. Make sure it's encrypted using HTTPS, and then it's pretty secure (but not impossible to break w/ enough computational power)

这篇关于使用Javascript生成的cookie(服务器未发送标头)是否可以被攻击者窃取/使用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！