1. What is HttpOnly?
If the HttpOnly attribute is set on a cookie, the cookie's value cannot be read by a JS script (for example via document.cookie), which mitigates cookie theft through XSS attacks. For more information, search Google.
2. Does the Java EE API support it?
At present Sun has not released a relevant API, while PHP and C# already support it. Java EE developers are somewhat frustrated by this, but the workaround below does the job.
3. HttpOnly setting example
JavaEE
response.setHeader("Set-Cookie", "cookiename=value; Path=/; Domain=domainvalue; Max-Age=seconds; HTTPOnly");
The meaning of each parameter is not explained again here. Once set this way, the cookie cannot be read by a JS script, but the server can still read it with:
Cookie cookies[] = request.getCookies();
C #
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
VB.NET
Dim myCookie As HttpCookie = New HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)
However, in .NET 1.1 you must append the flag manually:
Response.Cookies[cookie].Path += "; HTTPOnly";
PHP4
header("Set-Cookie: hidden=value; httpOnly");
PHP5
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);
The last parameter is the HttpOnly attribute.
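As an added example (not code from the original post or from OWASP), the following Python builds the Set-Cookie value that the Java EE workaround above passes to setHeader, and audits a list of response Set-Cookie headers for cookies that lack HttpOnly; the header values are constructed samples. Attribute names are matched case-insensitively, which is why the HTTPOnly, httpOnly and HttpOnly spellings used in the snippets above are all equivalent.

```python
from typing import Dict, List, Optional


def build_set_cookie(name: str, value: str, path: str = "/",
                     domain: Optional[str] = None, max_age: Optional[int] = None,
                     httponly: bool = True) -> str:
    """Build the Set-Cookie value the Java workaround hands to setHeader."""
    parts = [f"{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if httponly:
        parts.append("HttpOnly")  # flag attribute: present or absent, no value
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map.

    Attribute names are case-insensitive (RFC 6265), so HTTPOnly, httpOnly
    and HttpOnly all denote the same flag.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_httponly(header: str) -> bool:
    return "httponly" in parse_set_cookie(header)["attrs"]


def audit(headers: List[str]) -> List[str]:
    """Return names of cookies that a page script could read via document.cookie."""
    return [parse_set_cookie(h)["name"] for h in headers if not is_httponly(h)]


# Constructed sample response headers modelled on the snippets in the post.
SAMPLE_HEADERS = [
    build_set_cookie("cookiename", "value", domain="example.com", max_age=3600),
    "hidden=value; httpOnly",
    "JSESSIONID=abc123; Path=/",  # no HttpOnly: flagged by audit()
    "abc=test; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"cookie {name!r} lacks HttpOnly and is exposed to document.cookie")
```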
Reference
http://www.owasp.org/index.php/HTTPOnly