About Cookie Security Settings

Source: Internet
Author: User
Tags: subdomain

I. Title: Cookie Security Settings

Secondary labels: HttpOnly attribute and Secure attribute parsing

II. Introduction

We often see cross-site scripting (XSS) attacks that steal cookies. The usual fix is the HttpOnly attribute, so I am writing it up today...

2.1 Prerequisites. If this is your first encounter with cookies, read this article first:

JS for cookies.zip, and search Google for "cookie".

III. Cookie attributes

Cookie contents:

HTTP response header:

Set-Cookie: <name>=<value> [; Max-Age=<age>] [; expires=<date>] [; domain=<domain_name>] [; path=<some_path>] [; secure] [; HttpOnly]

The seven attributes listed below are numbered 1 to 7; the numbers 6 (Secure) and 7 (HttpOnly) are referred to again later in this article.

Common Cookie attributes

A Cookie contains the following information:

1) Cookie name. The cookie name must be a string made only of characters that are legal in a URL. It generally uses letters and digits and cannot contain special characters; if you need other characters, transcode the name, for example with escape() when JS operates on the cookie.

2) Cookie value. The same rules as the cookie name apply; it can be transcoded and encrypted.

3) Expires. The expiration date, a time in GMT format. After that date the browser deletes the cookie. When no date is set, the cookie disappears when the browser is closed.

4) Path. The cookie can be accessed only by pages under this path. It is generally set to "/" so that all pages of the same site can access the cookie.

5) Domain. Specifies the subdomain under which the cookie can be accessed. For example, to make the cookie accessible under a.test.com but not under b.test.com, set domain to a.test.com.

6) Secure. Specifies whether the cookie may be sent only over the HTTPS protocol. By default a cookie is also sent over plain HTTP; if Secure (it takes no value) is set, the cookie is sent only when the connection uses HTTPS.

7) HttpOnly. If the "HttpOnly" attribute is set on the cookie, the cookie cannot be read by programs on the page (JS scripts, applets, etc.).

NOTE: The setcookie syntax shown on w3school does not display parameter 7, httponly; the supported versions it lists are incorrect.

4. Understanding the HttpOnly attribute

4.1 HttpOnly

To counter XSS (cross-site scripting) attacks, IE6 began to support the HttpOnly attribute of cookies, and it is now supported by most browsers (IE, FF, Chrome and Safari). When HttpOnly is set to true on a cookie (parameter 7, the last one), front-end scripts can no longer read or operate on the cookie (it is reachable only from the server side), so the XSS attack becomes ineffective. A browser that supports HttpOnly session cookies uses such a cookie only when sending HTTP (or HTTPS) requests, which blocks access from non-HTTP APIs such as JavaScript. This restriction mitigates, but does not eliminate, the risk of session cookie theft through cross-site scripting (XSS). The feature applies only to session management cookies, not to other browser cookies. ----------------- I haven't understood this part yet. It doesn't matter; keep reading.

4.2 Demonstration of the HttpOnly effect

Let's look at the demo:

1.php

<?php setcookie("abc", "test", 0, "/", "", false, true); /* 7th argument: httponly */ ?>
<script>alert(document.cookie);</script>

We can see that the alert box is empty.

2.php

<?php setcookie("abc", "test"); ?>
<script>alert(document.cookie);</script>

Comparing the two, JS cannot obtain the cookie on the HttpOnly page, but on the page without HttpOnly, JS obtains the cookie without any effort.

Put simply: HttpOnly prevents client-side scripts from accessing the cookie.

HttpOnly was encountered on a Sina Weibo XSS: even if you obtain the user's cookies through XSS, you cannot use those cookies to access the user's pages. HttpOnly is therefore essential for every website!

4.3 HttpOnly setting examples (feasibility not tested)

Java EE

response.setHeader("Set-Cookie", "cookiename=value; Path=/; Domain=domainvalue; Max-Age=seconds; HttpOnly");

The meaning of each parameter is not repeated here. After this is set, the cookie cannot be read by JS scripts, but it can still be read on the server side with

Cookie cookies[] = request.getCookies();

C#

HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);

VB.NET

Dim myCookie As HttpCookie = New HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)

However, in .NET 1.1 you must add the attribute manually:

Response.Cookies[cookie].Path += "; HttpOnly";

Servlet 3

You only need to add the following fragment to web.xml:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>

In PHP, a cookie's HttpOnly flag can be set in two ways.

Method 1: header("Set-Cookie: tmp=100; HttpOnly");
Method 2: setcookie("tmp", "100", 0, "", "", false, true); /* httponly is the 7th argument */

PHP 4

header("Set-Cookie: hidden=value; httpOnly");

PHP 5

setcookie("abc", "test", 0, "/", "", false, true); /* the last parameter is the HttpOnly attribute */

5. Deep dive

Q: Why does HttpOnly not completely eliminate the threat of cookie theft?

A: Because HttpOnly only blocks access from non-HTTP APIs (such as JavaScript); the cookie can still leak if it is captured by someone listening on the network.

I checked MSDN, which says:

Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from reading the cookie directly. In that case you should consider using Secure Sockets Layer (SSL). Workstation security is also important, because a malicious user may use an open browser window or a computer holding persistent cookies to gain access to the website with a valid user ID.

setcookie("tmp", "100", 0, "/", "", true, true); /* [https] parameters 6 (secure) and 7 (httponly) both true */

Summary:

Increase cookie security by adding the HttpOnly and Secure attributes.

(1) HttpOnly attribute

If the "HttpOnly" attribute is set on the cookie, the cookie cannot be read by programs on the page (JS scripts, applets, etc.), which effectively prevents XSS attacks.

(2) Secure attribute

When it is set to true, the cookie is transmitted to the server only in a protected form: the browser passes it to the server only over an HTTPS connection for session verification. Over an HTTP connection the cookie is not transmitted at all, so its contents cannot be stolen in transit.

Of these two attributes,

the Secure attribute prevents leakage when traffic is captured by a listener during transmission (setcookie parameter 6 = true);

the HttpOnly attribute prevents attacks in which a program on the page obtains the cookie (setcookie parameter 7 = true).

Note: to reduce the damage from XSS cross-site scripting attacks, HttpOnly cookies are usually combined with other techniques; used alone they cannot fully defend against cross-site scripting. You can use a dedicated tool (Fiddler2, Burp) to test the settings. For examples of XSS cookie-theft attacks, see my other articles.
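The behaviour shown in the 4.2 demo and summarised in the two points above, as an added Python model (not code from the original article): it parses Set-Cookie values with the syntax from section III, shows which cookies a page script would see in document.cookie and which the browser would attach over HTTP versus HTTPS, and flags cookies missing HttpOnly or Secure. The header values are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value: name=value, then ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    if not name.strip():
        raise ValueError("Set-Cookie without a cookie name: %r" % header)
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()  # attribute names are case-insensitive
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie

def script_visible(jar):
    """What document.cookie exposes to page scripts: HttpOnly cookies are omitted."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if not c.httponly)

def cookie_header(jar, https):
    """Cookie header sent with a request: Secure cookies travel only over HTTPS."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if https or not c.secure)

def audit(jar):
    """Report cookies missing either flag (the HttpOnly + Secure check from the summary)."""
    findings = []
    for c in jar:
        missing = [f for f, ok in (("HttpOnly", c.httponly), ("Secure", c.secure)) if not ok]
        if missing:
            findings.append((c.name, missing))
    return findings

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/",
    "tmp=100; Path=/; Secure; HttpOnly",
]
JAR = [parse_set_cookie(h) for h in SAMPLE_HEADERS]
```

Calling script_visible(JAR) returns only "theme=dark", and cookie_header(JAR, https=False) drops the Secure cookie tmp, which is the same effect the demo pages and the MSDN note describe.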

6. Resource links

1. AVA year Security Week 4 SESSION COOKIE HTTPONLY ID

2. http://msdn.microsoft.com/zh-cn/library/system.web.httpcookie.httponly.aspx

3. https://www.owasp.org/index.php/HTTPOnly

4. http://www.w3school.com.cn/php/func_http_setcookie.asp

5. Functions of cookie security, an introduction to HttpOnly, and XSS attack prevention

6. http://www.myexception.cn/mobile/824869.html

If anything in my personal opinions is wrong, please point it out. Luolired
