Session cookies http & secure flag - how do you set these?


Question

Just received the results of a security audit - everything clear apart from two things

Session cookie without http flag.

Session cookie without secure flag set.

The application is coded in php and the suggestions to fix are:

  1. Set the session cookie with the HttpOnly flag
  2. Set the session cookie with the secure flag

I have looked at examples but don't fully understand how to implement on a Linux server. I don't have access to the .ini file. Is it possible to set these in the htaccess file?

Alternatively, how and where do I implement in the code?

Accepted answer

Since you asked for .htaccess, and this setting is PHP_INI_ALL, just put this in your .htaccess:

php_value session.cookie_httponly 1
php_value session.cookie_secure 1

Note that session cookies will only be sent with https requests after that. This might come as a surprise if you lose a session on a non-secured http page (but as pointed out in the comments, that is really the point of the configuration in the first place...).
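For the "alternatively, how and where do I implement in the code?" part of the question, here is an added example (not from the answer above) that sets the same two flags from PHP itself, which works even without .htaccess or php.ini access. The function names `request_is_https`, `start_hardened_session` and `session_cookie_flags` are ours; the block assumes it runs inside a web request, before any session has been started and before any output is sent.

```php
<?php
// Added example: set the HttpOnly and Secure flags on the PHP session cookie
// from application code. Everything here must run BEFORE session_start().
declare(strict_types=1);

/** True when this request arrived over TLS (helper name is ours, not PHP's). */
function request_is_https(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

/** Configure the session cookie flags, then start the session. */
function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // flags cannot be changed once the session has started
    }

    // Code-level equivalent of the two php_value lines in the answer above.
    ini_set('session.cookie_httponly', '1'); // hidden from document.cookie (XSS)
    ini_set('session.cookie_secure', '1');   // sent over HTTPS only

    // PHP 7.3+ array form; also lets SameSite be set in the same call.
    session_set_cookie_params([
        'lifetime' => 0,      // true session cookie, dropped when browser closes
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // With cookie_secure=1 a plain-http request never receives the cookie, so the
    // session silently "disappears" (the surprise the answer describes). Failing
    // loudly here turns that into a visible configuration error instead.
    if (!request_is_https()) {
        throw new RuntimeException('Session requires HTTPS because cookie_secure is set.');
    }

    session_start();
}

/** Read back the effective cookie parameters to verify both flags took effect. */
function session_cookie_flags(): array
{
    $p = session_get_cookie_params();
    return ['secure' => (bool)$p['secure'], 'httponly' => (bool)$p['httponly']];
}

start_hardened_session();
```

After deploying, confirm the result from the browser side as well: the `Set-Cookie: PHPSESSID=...` response header should end with `; secure; HttpOnly; SameSite=Lax`.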
