使用HttpOnly Cookie登出 [英] Logout with HttpOnly cookie

问题描述

我可以看到 HttpOnly Cookie是有利于安全性，但是他们在不需要服务器交互的情况下注销，对不对？ ¹ 因此，当网络出现故障时，您无法注销并离开。我可以想象一个解决方法，但我想首先问。

• 处理这种情况是有意义的
$ b sup>

解决方案

如果通过注销意味着删除会话cookie，那么不能，不能从Javascript中删除HttpOnly Cookie。但是，很容易设置两个 Cookie，一个HttpOnly和一个不安全，这样只有两个的组合是有效的会话密钥。





如果您的服务是敏感的，处理所有现实的威胁情况是有意义的，而且这是非常现实的。





设置两个Cookie，其中之一是HttpOnly，在标准CSRF预防技术中实际上很常见。我没有看到它在你的具体情况，但它非常类似于反CSRF案件，看起来像一个明显和容易应用的一般双cookie的想法。




I can see that HttpOnly cookies are good for security, however they make logging out without server interaction impossible, right?¹ So when the network fails, you can't log out and leave. I can imagine a workaround, but I'd like to ask first

• does it make sense to handle this case
• are there any standard solutions for this?

^{1 Assuming you're actually using them.}

解决方案

If by logging out you mean removing the session cookie, then no, you cannot remove HttpOnly cookies from Javascript. It is, however, easy to set up two cookies, one HttpOnly and one insecure, such that only a combination of the two is a valid session key. Removing either cookie would destroy the session.

If your service is sensitive, it does make sense to handle all realistic threat scenarios, and this one is pretty realistic.

Setting up two cookies, one of which is HttpOnly, is actually common in the standard CSRF prevention technique. I have not seen it in your specific scenario but it very similar to the anti-CSRF case, and looks like an obvious and easy application of the general twoo-cookies idea.

这篇关于使用HttpOnly Cookie登出的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！