Why doesn't document.cookie show all the cookies for the site?

Problem description

I go to a forum which uses vBulletin 3.8. When I log in, I use Firebug to see what cookies were set. I see these cookies:

__utmb, __utmc, __utma, __utmz, bbsessionhash, vbseo_loggedin, bbpassword, bbuserid, bblastactivity, bblastvisit

They all had a value set, and the domain was identical.

But when I use JavaScript to view them, it only saw these cookies:

__utmb, __utmc, __utma, __utmz, vbseo_loggedin, bblastactivity, bblastvisit

In Firebug, I see that only these three cookies, bbsessionhash, bbpassword and bbuserid, actually have HTTPOnly set in the HTTPOnly column. What does it mean, and is that the reason I can't see those cookies in JavaScript using document.cookie?

Recommended answer

From http://en.wikipedia.org/wiki/HTTP_cookie:

Cookies are not directly visible to client-side programs such as JavaScript if they have been sent with the HttpOnly flag. From the point of view of the server, the only difference with respect of the normal case is that the set-cookie header line is added a new field containing the string `HttpOnly':

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31 Dec 2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly

When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts. The HttpOnly flag is not part of any standard, and is not implemented in all browsers.

Update from 2017: a lot of time has passed since 2009, and the HttpOnly header flag has become a standard, defined in section 5.2.6 of RFC6265, with the storage semantics described in the same document (look for "http-only-flag" throughout the RFC text).

There is no way to access anything about the HttpOnly cookies from "non-HTTP" APIs, e.g. JavaScript. By design, neither reading, nor writing such cookies is possible.
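
The behaviour observed in the question, as an added example that is not part of the original question or answer: a small Node.js model of a cookie jar showing which of the forum's cookies reach the HTTP Cookie header and which reach document.cookie, plus a check for session cookies set without HttpOnly. The cookie values and all function names are constructed for illustration, and the model ignores path, domain and expiry matching.

```javascript
// Added example: models the HttpOnly rule for the cookie names in the question.
// All cookie values are constructed placeholders, not real session data.
const setCookieHeaders = [
  "bbsessionhash=aaaa1111; path=/; HttpOnly",
  "bbpassword=bbbb2222; path=/; httponly", // attribute names are case-insensitive
  "bbuserid=42; path=/; HttpOnly",
  "vbseo_loggedin=yes; path=/",
  "bblastactivity=0; path=/",
  "bblastvisit=1262304000; path=/",
  "__utma=1.2.3.4; path=/",
];

// Parse one Set-Cookie value into { name, value, httpOnly }, or null if unusable.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no "=" or empty name: the header is ignored
  const httpOnly = attrs.some(
    (a) => a.split("=")[0].trim().toLowerCase() === "httponly"
  );
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), httpOnly };
}

function buildJar(headers) {
  return headers.map(parseSetCookie).filter(Boolean);
}

const serialize = (cookies) => cookies.map((c) => `${c.name}=${c.value}`).join("; ");

// HTTP API: the Cookie request header carries every stored cookie.
function httpCookieHeader(jar) {
  return serialize(jar);
}

// Non-HTTP API: what document.cookie would return, HttpOnly cookies withheld.
function scriptVisibleCookies(jar) {
  return serialize(jar.filter((c) => !c.httpOnly));
}

// Defensive audit: which session-bearing cookies were set without HttpOnly?
function missingHttpOnly(jar, sensitiveNames) {
  return jar.filter((c) => sensitiveNames.includes(c.name) && !c.httpOnly).map((c) => c.name);
}

const jar = buildJar(setCookieHeaders);
console.log("Cookie header  :", httpCookieHeader(jar));
console.log("document.cookie:", scriptVisibleCookies(jar));
console.log("audit          :", missingHttpOnly(jar, ["bbsessionhash", "bbpassword", "bbuserid"]));
```

An empty audit result means every listed session cookie is withheld from scripts, which matches what Firebug showed for this forum.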
