1. Sensitive information saved in cookies must be encrypted
2. Set HttpOnly to true
1. The purpose of this attribute is to prevent the cookie value from being read by page scripts.
2. However, setting the HttpOnly attribute only makes things harder for an attacker; it does not eliminate the threat of cookie theft, because the cookie can still be intercepted and captured in transit, leaking its contents.
3. Set Secure to true
1. When this attribute is set on a cookie, the browser only sends the cookie over HTTPS connections.
2. Marking a cookie as Secure only ensures that it is encrypted in transit between the browser and the web server; the cookie file stored locally is not encrypted. If you want locally stored cookie data to be encrypted, you have to encrypt the data yourself.
4. Set the validity period for the cookie
1. If no validity period is set, anyone who obtains the user's cookie can keep logging in as that user indefinitely.
2. When setting up cookie-based authentication, add two times: an absolute expiration time that applies even if the session has been active, and an inactivity expiration time after which a long-idle session expires. In the web application, first check whether either time has expired, and only then perform other operations.
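As an added example (not code from the original article), the points above in Python: a Set-Cookie header carrying HttpOnly, Secure and a lifetime, plus a server-side session store that checks both the absolute and the idle timeout before doing any other work. The cookie name, the timeout constants and the in-memory store are assumptions for the demo.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

ABSOLUTE_LIFETIME = 8 * 3600  # assumed: session dies this long after login, even if active
IDLE_TIMEOUT = 15 * 60        # assumed: session dies after this long with no request


def build_session_cookie(session_id: str, name: str = "sid") -> str:
    """Return a Set-Cookie header value with the attributes discussed above."""
    cookie = SimpleCookie()
    cookie[name] = session_id
    morsel = cookie[name]
    morsel["httponly"] = True       # page scripts cannot read the value
    morsel["secure"] = True         # browser sends it only over HTTPS
    morsel["max-age"] = IDLE_TIMEOUT  # validity period; re-issue on activity to extend it
    morsel["path"] = "/"
    morsel["samesite"] = "Strict"
    return morsel.OutputString()


# Server-side store (assumed, in-memory for the demo): the cookie carries only an
# opaque random id; user data and the two timestamps never leave the server.
SESSIONS: Dict[str, dict] = {}


def create_session(user: str, now: float) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": now, "last_seen": now}
    return sid


def check_session(sid: str, now: float) -> Optional[str]:
    """Return the user if the session is live, otherwise drop it and return None.
    Both timers are checked before anything else happens on the request."""
    s = SESSIONS.get(sid)
    if s is None:
        return None
    absolute_expired = now - s["created"] > ABSOLUTE_LIFETIME
    idle_expired = now - s["last_seen"] > IDLE_TIMEOUT
    if absolute_expired or idle_expired:
        del SESSIONS[sid]
        return None
    s["last_seen"] = now  # activity refreshes the idle timer, never the absolute one
    return s["user"]
```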
The above is the detailed content of How to improve cookie security. For more information, please follow other related articles on the PHP Chinese website!