Secure Google tracking cookies


Question

I use Google Analytics on some pages of my website. My entire site uses SSL. Is it possible to secure the cookies of Google Analytics __umt*?

At least I would like to enable the secure flag on them. At best I would also like to set the HTTP only flag on them, but I don't think the latter is possible (because Google uses JS to use the cookies I think).

Is it possible to do this? And if so how to set it up?

Recommended answer

Short of modifying the GA script and storing your own local copy, no, you're not going to be able to set Secure or HttpOnly flags. I imagine Google has made a conscious design decision about this, and certainly there can be advantages from being able to track the same user across both secure and insecure schemes.

You've got to ask yourself what you're trying to achieve with this though; what's the potential exploit if a man in the middle can intercept and read or manipulate the cookie due to lack of the secure flag? Same again with the HttpOnly flag; what's the upside for the attacker if they can retrieve this cookie via an XSS exploit?

I've seen this sort of feedback from automated security scanners before that are simply triggered by the missing flags without having the context of what the cookies are actually being used for. That would be my first guess at why a question like this would even come up.
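Added example (not code from the question, the answer or Google): a small Python triage of scanner-style cookie findings that separates application cookies, where a missing Secure or HttpOnly flag matters, from GA's JavaScript-written __utm* cookies, where HttpOnly cannot apply and Secure would need a modified local copy of the script. The "__utm" prefix rule and the sample cookie lines are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Name prefixes of cookies that the classic Google Analytics script writes from
# JavaScript via document.cookie. Assumption for this example: any cookie whose
# name starts with "__utm" is one of them.
GA_PREFIXES = ("__utm",)

@dataclass
class Finding:
    name: str
    secure: bool
    httponly: bool
    category: str                 # "ok", "app-missing-flags" or "analytics-js"
    missing: list = field(default_factory=list)

def parse_cookie_line(line: str):
    """Return (cookie name, set of lower-cased attribute names) from a Set-Cookie style line."""
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(lines):
    """Classify each cookie so that scanner noise about JS-written analytics cookies is separated from real gaps."""
    findings = []
    for line in lines:
        name, attrs = parse_cookie_line(line)
        secure, httponly = "secure" in attrs, "httponly" in attrs
        missing = [flag for flag, ok in (("Secure", secure), ("HttpOnly", httponly)) if not ok]
        if name.lower().startswith(GA_PREFIXES):
            # Written client-side by the GA script: HttpOnly cannot apply (the
            # script must read the cookie), and Secure only if you host a modified copy.
            category = "analytics-js"
        elif missing:
            category = "app-missing-flags"
        else:
            category = "ok"
        findings.append(Finding(name, secure, httponly, category, missing))
    return findings

# Constructed sample in Set-Cookie syntax, as a browser cookie jar or scanner
# export might list them (not real traffic).
SAMPLE = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "csrftoken=xyz789; Path=/; Secure",
    "__utma=1.2.3.4.5; Path=/; Domain=.example.com",
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.name:12} {f.category:18} missing={f.missing}")
```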
