See: http://blog.yemou.net/article/query/info/tytfjhfascvhzxcyt377
1. What is HttpOnly?
If the HttpOnly attribute is set on a cookie, script running in the page cannot read that cookie through document.cookie, so a script injected via an XSS flaw cannot steal it; this blocks the most common way XSS is used to hijack sessions. Search for "HttpOnly" for a fuller introduction.
2. Does the Java EE API support it?
At present Sun has not released an API for it, while PHP and C# already have one. Java EE developers need not despair: the workaround below does the job.
3. Sample setup for HttpOnly
Java EE
response.setHeader("Set-Cookie", "cookiename=value; Path=/; Domain=domainvalue; Max-Age=seconds; HTTPOnly");
The individual attributes are not explained here. Once the header is set, JS in the page can no longer read the cookie, but the server can still read it in the usual way:
Cookie cookies[] = request.getCookies();
C#
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
vb.net
Dim myCookie As HttpCookie = New HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)
In .NET 1.1, however, there is no HttpOnly property and the flag has to be appended by hand:
Response.Cookies[cookie].Path += "; HTTPOnly";
PHP4
header("Set-Cookie: hidden=value; httpOnly");
PHP5
// setcookie(name, value, expire, path, domain, secure, httponly)
setcookie("abc", "test", 0, "", "", false, true);
The last parameter is the HttpOnly flag.
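An added example, not from the original post: it assembles a Set-Cookie header the way the Java EE workaround above does (with the value validated so an injected "; " cannot smuggle in extra attributes) and audits a set of response headers for cookies that were set without HttpOnly. The header strings and cookie names in SAMPLE_HEADERS are constructed sample data.

```python
"""Build Set-Cookie headers with HttpOnly and audit responses that lack it."""
import re
from typing import Dict, List, Optional

# Cookie-name token characters and forbidden value characters follow RFC 6265.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_BAD_VALUE = re.compile(r"[\s;,\"\\]")


def build_set_cookie(name: str, value: str, path: str = "/",
                     domain: Optional[str] = None, max_age: Optional[int] = None,
                     secure: bool = False, http_only: bool = True) -> str:
    """Assemble a Set-Cookie value by hand, as needed when the framework has no HttpOnly API."""
    if not _TOKEN.fullmatch(name):
        raise ValueError("invalid cookie name")
    if _BAD_VALUE.search(value):
        raise ValueError("cookie value must not contain whitespace, ';', ',', quotes or backslash")
    parts = [f"{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of cookies set without the HttpOnly flag."""
    return [parse_set_cookie(h)["name"] for h in headers
            if "httponly" not in parse_set_cookie(h)["attrs"]]


SAMPLE_HEADERS = [  # constructed sample response headers
    build_set_cookie("JSESSIONID", "abc123", domain="example.test", max_age=3600, secure=True),
    "hidden=value; httpOnly",
    "tracking=xyz; Path=/; Max-Age=86400",
]

if __name__ == "__main__":
    print(missing_httponly(SAMPLE_HEADERS))  # ['tracking']
```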
HttpOnly in the cookie