https安全cookie是否可以防止XSS攻击? [英] Does https secure cookies prevent XSS attacks?

问题描述

https连接是否可以保护cookie并防止XSS攻击.我有一个简单的博客，允许用户输入JavaScript代码作为输入.我想允许用户输入Javascript，同时仍然防止XSS攻击和cookie窃取.https是否有助于保护cookie.我只发现很少网站谈论此问题，但仍不清楚.

Does https connection secure cookies and prevents XSS attacks. I have a simple blog that allows users to enter JavaScript code as an input. I want to allow Javascript input by the user while still preventing XSS attacks and cookie stealing. Does https help secure cookies. I only found few sites that talks about this and still a bit unclear.

推荐答案

HTTPS可以阻止中间人攻击，而不是XSS.不幸的是，单独使用会话cookie并不安全，可以使用HTTP请求一个页面，然后相同的cookie将不受保护地发送.

HTTPS can prevent a man-in-the-middle attack, not XSS. Unfortunately the session cookie is not secure with this alone, one can request a page with HTTP and then the same cookie will be sent unprotected.

要确保仅在HTTPS连接上发送会话cookie，可以在开始会话之前使用函数session_set_cookie_params():

To ensure that the session cookie is sent only on HTTPS connections, you can use the function session_set_cookie_params() before starting the session:

session_set_cookie_params(0, '/', '', true, true);
session_start();

请注意第一个 true ，这意味着该cookie仅发送到HTTPS页面.第二个 true 告诉浏览器，JavaScript一定不能访问会话cookie，这取决于浏览器是否正确完成.

Note the first true, it means that the cookie will be sent only to HTTPS pages. The second true tells the browser, that JavaScript must not access the session cookie, it depends on the browser if that is done correctly.

另一种使您的网站更安全的好方法是，仅使用会话cookie来维护会话，并使用第二个cookie来进行身份验证.如果您有兴趣，我可以举个例子.

Another good way to make your site safer is, to use the session cookie only for maintaining the session, and using a second cookie to take care of the authentication. I can provide an example if you are interested.

这篇关于https安全cookie是否可以防止XSS攻击?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！