SSL 是否也加密 cookie? [英] Does SSL also encrypt cookies?

问题描述

对 SO 的评论并没有明确回答这个问题.这可能是暗示的，但我想把它记录在案.

A review of SO doesn't categorically answer this question. It could be implied, but I would like to get it on the record specifically.

如果 SSL 处于活动状态，它将加密 HTTP 标头数据，例如set-cookie"?我知道setSecure"仅在 HTTPS 处于活动状态时传输 cookie，但如果 SSL 处于活动状态，我想确认所有标头数据是否默认加密而无需使用setSecure".

If SSL is active, it will encrypt HTTP header data, like "set-cookie" ? I know about "setSecure" to only transmit cookie's if HTTPS is active, but if SSL is active I would like to confirm if all header data is encrypted by default without the need to use "setSecure".

推荐答案

通过 SSL (HTTPS) 发送的数据完全加密，包括标头(因此是 cookie)，只有您发送请求的主机未加密.这也意味着 GET 请求是加密的(URL 的其余部分).

Data sent over SSL (HTTPS) is fully encrypted, headers included (hence cookies), only the Host you are sending the request to is not encrypted. It also means that the GET request is encrypted (the rest of the URL).

虽然攻击者可以强制客户端通过 HTTP 响应，但强烈建议在 cookie 中使用安全"标志，强制使用 HTTPS 发送 cookie.

Although an attacker could force a client to respond over HTTP, so it is highly recommended to use the "Secure" flag in your cookie, which enforce the use of HTTPS to send cookies.

此外，使用标志 HTTPOnly 将大大增强您网站的安全性，因为它不允许使用 Javascript 代码读取 Cookie(缓解潜在的 XSS 漏洞).

Also, using the flag HTTPOnly would greatly enhance the security of your site since it does not allow Cookies to be read with Javascript code (Mitigating potential XSS vulnerabilities).

这篇关于SSL 是否也加密 cookie?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！