Session cookies http & secure flag - how do you set these?
Question
Just received the results of a security audit - everything clear apart from two things:
- Session cookie without http flag.
- Session cookie without secure flag set.
The application is coded in PHP and the suggestions to fix are:
- Set the session cookie with the http only flag
- Set the session cookie with the secure flag
I have looked at examples but don't fully understand how to implement this on a Linux server. I don't have access to the .ini file. Is it possible to set these in the .htaccess file?
Alternatively, how and where do I implement this in the code?
Answer
Since you asked for .htaccess, and these settings are PHP_INI_ALL, just put this in your .htaccess:
php_value session.cookie_httponly 1
php_value session.cookie_secure 1
Note that session cookies will only be sent with https requests after that. This might come as a surprise if you lose the session on a non-secured http page (but as pointed out in the comments, that is really the point of the configuration in the first place...).
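The question also asked how to do this from the code rather than from .htaccess. The following is an added example, not code from the question or the answer above: it sets the same two flags (plus SameSite) with session_set_cookie_params() before session_start(), and includes a small self-check that reports whether the flags are actually in effect. The function names hardenSessionCookie() and sessionCookieProblems() are this example's own; the options-array form of session_set_cookie_params() assumes PHP 7.3 or newer.

```php
<?php
// Added example (not from the original question or answer): set the HttpOnly
// and Secure flags on the PHP session cookie from application code, for
// servers where php.ini cannot be edited. Must run before session_start()
// and before any output is sent.

declare(strict_types=1);

/**
 * Apply HttpOnly, Secure and SameSite to the session cookie.
 * The options-array form of session_set_cookie_params() needs PHP >= 7.3.
 */
function hardenSessionCookie(): void
{
    // Same effect as the two php_value lines in .htaccess, but from code:
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    // Not in the audit findings, but usually wanted alongside them:
    ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL

    session_set_cookie_params([
        'lifetime' => 0,        // true session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript (document.cookie)
        'samesite' => 'Lax',    // use 'Strict' if cross-site navigation to the app is not needed
    ]);
}

/**
 * Check that the flags are really in effect. Returns a list of problems;
 * an empty list means both audit findings are addressed.
 */
function sessionCookieProblems(): array
{
    $problems = [];
    $params = session_get_cookie_params();

    if (empty($params['httponly'])) {
        $problems[] = 'session cookie is missing the HttpOnly flag';
    }
    if (empty($params['secure'])) {
        $problems[] = 'session cookie is missing the Secure flag';
    }
    if (ini_get('session.use_only_cookies') !== '1') {
        $problems[] = 'session id may be accepted from the URL';
    }
    return $problems;
}

// Usage: harden first, then start the session.
hardenSessionCookie();
// session_start();   // uncomment in the real application

// Self-check, e.g. as part of a deployment smoke test.
$problems = sessionCookieProblems();
if ($problems !== []) {
    fwrite(STDERR, "Session cookie not hardened:\n - " . implode("\n - ", $problems) . "\n");
    exit(1);
}
echo "Session cookie will be set with the HttpOnly and Secure flags.\n";
```

Two caveats worth knowing when choosing between the .htaccess route and the code route. First, `php_value` directives in .htaccess are only honoured when PHP runs as an Apache module (mod_php); with PHP-FPM or CGI they are ignored, and the equivalent lines belong in a `.user.ini` file or in code as above. Second, as the answer notes, once `secure` is set the browser will not send the session cookie on plain http requests at all, so the whole application should be served over https (with a redirect from http) rather than mixing the two.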