SSL还会加密Cookie吗？ [英] Does SSL also encrypt cookies?

问题描述

对SO的审查并未明确回答这个问题。这可能是隐含的，但我想特别记录下来。

A review of SO doesn't categorically answer this question. It could be implied, but I would like to get it on the record specifically.

如果SSL处于活动状态，它将加密HTTP标头数据，如set-cookie ？我知道setSecure仅在HTTPS处于活动状态时传输cookie，但如果SSL处于活动状态，我想确认所有头数据是否默认加密而无需使用setSecure。

If SSL is active, it will encrypt HTTP header data, like "set-cookie" ? I know about "setSecure" to only transmit cookie's if HTTPS is active, but if SSL is active I would like to confirm if all header data is encrypted by default without the need to use "setSecure".

推荐答案

通过SSL（HTTPS）发送的数据是完全加密的，包括标头（因此是cookie），只有您发送请求的主机未加密。这也意味着GET请求已加密（URL的其余部分）。

Data sent over SSL (HTTPS) is fully encrypted, headers included (hence cookies), only the Host you are sending the request to is not encrypted. It also means that the GET request is encrypted (the rest of the URL).

虽然攻击者可以强制客户端通过HTTP进行响应，但强烈建议使用cookie中的安全标志，强制使用HTTPS发送cookie。

Although an attacker could force a client to respond over HTTP, so it is highly recommended to use the "Secure" flag in your cookie, which enforce the use of HTTPS to send cookies.

此外，使用HTTPOnly标志可以大大提高您网站的安全性。它不允许使用Javascript代码读取Cookie（减少潜在的XSS漏洞）。

Also, using the flag HTTPOnly would greatly enhance the security of your site since it does not allow Cookies to be read with Javascript code (Mitigating potential XSS vulnerabilities).

这篇关于SSL还会加密Cookie吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！