Reading cookies via HTTPS that were set using HTTP

Question

Can cookies set using HTTP be read using HTTPS?

Recommended answer

Cookies set with the "Secure" keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction - if "secure" is absent, the cookie may be sent over an insecure connection.

In other words, cookies that you want to protect the contents of should use the secure keyword and you should only send them from the server to the browser when the user connects via HTTPS.

  • HTTP: Cookie with "Secure" will be returned only on HTTPS connections (pointless to do, see note below)
  • HTTPS: Cookie with "Secure" will be returned only on HTTPS connections
  • HTTP: Cookie without "Secure" will be returned on HTTP or HTTPS connections
  • HTTPS: Cookie without "Secure" will be returned on HTTP or HTTPS connections (could leak secure information)

Reference: RFC 2109 See 4.2.2 (page 4), 4.3.1

Note: It is no longer possible to set "secure" cookies over insecure (e.g. HTTP) origins on Firefox and Chrome after they implemented the Strict Secure Cookies specification.
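
The four cases and the Strict Secure Cookies note from the answer above, modelled as an added JavaScript example (not part of the original answer). It assumes a single host and leaves out domain, path and expiry matching; `example.test` and the cookie names are constructed placeholders.

```javascript
// Minimal model of how a browser cookie jar applies the "Secure" attribute.
// Assumption: one host only; domain/path/expiry matching is not modelled.

// Parse "name=value; Attr; Attr=..." into { name, value, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the header
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: attrs.some((a) => a.toLowerCase() === "secure"),
  };
}

// Store a cookie received from originUrl. With strict=true (Strict Secure
// Cookies behaviour), a Secure cookie from a non-HTTPS origin is rejected.
function storeCookie(jar, originUrl, header, strict = true) {
  const cookie = parseSetCookie(header);
  if (!cookie) return false;
  const overHttps = new URL(originUrl).protocol === "https:";
  if (strict && cookie.secure && !overHttps) return false;
  jar.set(cookie.name, cookie);
  return true;
}

// Build the Cookie request header the browser would send to requestUrl.
function cookieHeaderFor(jar, requestUrl) {
  const overHttps = new URL(requestUrl).protocol === "https:";
  return [...jar.values()]
    .filter((c) => overHttps || !c.secure) // Secure cookies never travel over HTTP
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample run covering each case listed in the answer.
function demo() {
  const jar = new Map();
  storeCookie(jar, "http://example.test/", "pref=dark");           // HTTP, no Secure
  storeCookie(jar, "https://example.test/", "sid=abc123; Secure"); // HTTPS, Secure
  storeCookie(jar, "https://example.test/", "cart=42");            // HTTPS, no Secure
  const rejected = !storeCookie(jar, "http://example.test/", "tok=x; Secure");
  return {
    https: cookieHeaderFor(jar, "https://example.test/account"),
    http: cookieHeaderFor(jar, "http://example.test/account"),
    rejected,
  };
}
console.log(demo());
```

The cookie set over HTTP (`pref`) is readable over HTTPS, while `cart`, set over HTTPS without `Secure`, is also sent over plain HTTP.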
