如何使用javascript设置cookie的HttpOnly标志? [英] How do I set the HttpOnly flag of a cookie with javascript?
问题描述
我尝试创建一个cookie,并启用HttpOnly标志。
虽然似乎有大量的资源关于如何在Java和.Net,我需要在javascript中做。
这是我的(目前失败的)函数
createCookie = function(name,value,days){
if(days){
var date = new Date();
date.setTime(date.getTime()+(days * 24 * 60 * 60 * 1000));
var expires =; expires =+ date.toGMTString();
}
else var expires =;
document.cookie = name +=+ value + expires +; domain = my.domain.com; path = /; HttpOnly;;
感谢 -
您无法在JavaScript中访问HttpOnly Cookie。
以下报价单是从维基百科素材:
HttpOnly Cookie由大多数新型浏览器支持。在受支持的浏览器上,HttpOnly会话Cookie仅在发送HTTP(或HTTPS)请求时使用,因此限制来自其他非HTTP API(例如JavaScript)的访问。
换句话说,HttpOnly Cookie只能在服务器端使用。
我在PHP中写了一个例子:
<?php
$ name ='foo';
$ value ='bar';
$ expirationTime = 0; //会话cookie。
$ path ='/';
$ domain ='localhost';
$ isSecure = false;
$ isHttpOnly = false;
setcookie($ name,$ value,$ expirationTime,$ path,$ domain,$ isSecure,$ isHttpOnly);
?>
< script>
alert(document.cookie);
< / script>
它警告 foo = bar
p>
删除cookie,将 $ isHttpOnly
更改为 true
,重新加载网页,您会看到一个空白的快讯。但是同时浏览器存储cookie以在向服务器请求期间发送它。
I'm trying to create a cookie, with the HttpOnly flag enabled.
While there seems to be a plethora of resources about how to do it in Java and .Net, I need to do it in javascript.
Here is my (currently failing) function
createCookie = function(name,value,days) {
if (days) {
var date = new Date();
date.setTime(date.getTime()+(days*24*60*60*1000));
var expires = "; expires="+date.toGMTString();
}
else var expires = "";
document.cookie = name+"="+value+expires+"; domain=my.domain.com; path=/; HttpOnly;";
Thanks -
You cannot access an HttpOnly cookie in JavaScript.
The following quotation is borrowed from the Wikipedia material:
The HttpOnly cookie is supported by most modern browsers. On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript).
In other words, HttpOnly cookies are made to be used only on the server side.
I wrote an example in PHP:
<?php
$name = 'foo';
$value = 'bar';
$expirationTime = 0; // Session cookie.
$path = '/';
$domain = 'localhost';
$isSecure = false;
$isHttpOnly = false;
setcookie($name, $value, $expirationTime, $path, $domain, $isSecure, $isHttpOnly);
?>
<script>
alert(document.cookie);
</script>
It alerts foo=bar
.
Remove the cookie, change $isHttpOnly
to true
, reload the page, and you'll see an empty alert. But at the same time the browser stores the cookie to send it during a request to the server.
这篇关于如何使用javascript设置cookie的HttpOnly标志?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!