通过 Javascript 将 cookie 设置为 HttpOnly [英] Set a cookie to HttpOnly via Javascript

问题描述

我有一个不是 HttpOnly 的 cookie，我可以通过 JavaScript 将此 cookie 设置为 HttpOnly 吗?

I have a cookie that is NOT HttpOnly Can I set this cookie to HttpOnly via JavaScript?

推荐答案

HttpOnly cookie 意味着它不可用于 JavaScript 等脚本语言.因此，在 JavaScript 中，绝对没有 API 可用于获取/设置 cookie 的 HttpOnly 属性，否则会破坏 HttpOnly 的含义.

An HttpOnly cookie means that it's not available to scripting languages like JavaScript. So in JavaScript, there's absolutely no API available to get/set the HttpOnly attribute of the cookie, as that would otherwise defeat the meaning of HttpOnly.

只需使用服务器端使用的任何服务器端语言在服务器端设置它.如果为此绝对需要 JavaScript，您可以考虑让它发送一些(ajax)请求，例如一些特定的请求参数触发服务器端语言创建一个 HttpOnly cookie.但是，这仍然会让黑客很容易通过 XSS 更改 HttpOnly 并且仍然可以通过 JS 访问 cookie，从而使您的 cookie 上的 HttpOnly 完全无用.

Just set it as such on the server side using whatever server side language the server side is using. If JavaScript is absolutely necessary for this, you could consider to just let it send some (ajax) request with e.g. some specific request parameter which triggers the server side language to create an HttpOnly cookie. But, that would still make it easy for hackers to change the HttpOnly by just XSS and still have access to the cookie via JS and thus make the HttpOnly on your cookie completely useless.

这篇关于通过 Javascript 将 cookie 设置为 HttpOnly的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！