CSRF stands for cross-site request forgery, a malicious use of a website. Although the name sounds a little like XSS (cross-site scripting), the two attacks are quite different: XSS exploits the trust a site places in its users, whereas CSRF exploits the trust a site places in a user by disguising a request so that it appears to come from that trusted user. Put simply, in a CSRF attack the attacker steals your identity and sends malicious requests to a third-party website on your behalf. Using your identity, CSRF can be made to send e-mails, send text messages, make transfers, and even take over your account.
As for a C# implementation, I wanted to write one myself, but found that the almighty MSDN already has a ready-made sample, so I decided to use it. MSDN puts it this way:
This property helps mitigate cross-site scripting threats that could result in cookie theft. A stolen cookie can contain sensitive information that identifies a site user, such as an ASP.NET session ID or a Forms authentication ticket, and an attacker can replay the stolen cookie to masquerade as that user or to obtain sensitive information. When a compatible browser receives an HttpOnly cookie, client-side script cannot access it.
Warning:
Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from reading the cookie directly. For that scenario you should consider using Secure Sockets Layer (SSL). Workstation security also matters, because a malicious user could use an open browser window, or a computer that holds persistent cookies, to access a website with the identity of a legitimate user.
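A small audit of the two attributes discussed above, written for this post rather than taken from MSDN: it parses Set-Cookie header values the way a browser splits them and reports which cookies were set without HttpOnly (readable from document.cookie) or without Secure (exposed on the network path). The header lines are constructed samples modelled on the cookies the MSDN page produces.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Only the first '=' separates name from value, so values containing '='
    survive; attribute names are lower-cased because browsers match them
    case-insensitively (HttpOnly, httponly and HTTPONLY are all accepted).
    Flag attributes without a value (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing(headers: List[str], attribute: str) -> List[str]:
    """Names of the cookies in `headers` that were set without `attribute`."""
    wanted = attribute.lower()
    return [c["name"] for c in map(parse_set_cookie, headers)
            if wanted not in c["attrs"]]


# Constructed sample response headers (not captured from a real site),
# modelled on an ASP.NET session cookie, the two cookies from the MSDN
# sample, and a Forms authentication ticket.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=constructedsessionid; path=/; HttpOnly",
    "MyHttpCookie=2024-01-01%2010%3A00%3A00; path=/",
    "MyHttpOnlyCookie=2024-01-01%2010%3A00%3A00; path=/; HttpOnly",
    ".ASPXAUTH=constructedticket; path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    # A cookie without HttpOnly can be exfiltrated by any script injection
    # on the site; a cookie without Secure is the case the MSDN warning
    # describes, where HttpOnly alone does not help.
    print("missing HttpOnly:", cookies_missing(SAMPLE_HEADERS, "HttpOnly"))
    print("missing Secure:", cookies_missing(SAMPLE_HEADERS, "Secure"))
```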
```aspx
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        // Create a new HttpCookie.
        HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
        // By default, the HttpOnly property is set to false
        // unless specified otherwise in configuration.
        myHttpCookie.Name = "MyHttpCookie";
        Response.AppendCookie(myHttpCookie);
        // Show the name of the cookie.
        Response.Write(myHttpCookie.Name);

        // Create an HttpOnly cookie.
        HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
        // Setting the HttpOnly value to true makes
        // this cookie accessible only to ASP.NET, not to client script.
        myHttpOnlyCookie.HttpOnly = true;
        myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
        Response.AppendCookie(myHttpOnlyCookie);
        // Show the name of the HttpOnly cookie.
        Response.Write(myHttpOnlyCookie.Name);
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>ASP.NET Example</title>
    <script type="text/javascript">
        // Read a cookie by name from document.cookie.
        function getCookie(nameOfCookie)
        {
            var begin, end;
            if (document.cookie.length > 0)
            {
                begin = document.cookie.indexOf(nameOfCookie + "=");
                if (begin != -1)
                {
                    begin += nameOfCookie.length + 1;
                    end = document.cookie.indexOf(";", begin);
                    if (end == -1) end = document.cookie.length;
                    return unescape(document.cookie.substring(begin, end));
                }
            }
            return null;
        }
    </script>
</head>
<body>
    <script type="text/javascript">
        // This code returns the cookie value.
        alert("Getting HTTP Cookie");
        alert(getCookie("MyHttpCookie"));
        // Because the cookie is set to HttpOnly,
        // this returns null.
        alert("Getting HTTP only Cookie");
        alert(getCookie("MyHttpOnlyCookie"));
    </script>
</body>
</html>
```

Related information:
http://msdn.microsoft.com/zh-cn/library/ms533046(vs.85).aspx
http://kb.cnblogs.com/page/115136/
[Image] From Chen Kang's book "Large-Scale Distributed Website Architecture Design and Practice" (《大型分布式网站架构设计与实践》).
CSRF defense: HttpOnly