HttpOnly in Cookies
Views: 4319
Published: 2019-06-06


1. What is HttpOnly?

If you set the HttpOnly attribute on a cookie, JavaScript in the page cannot read that cookie. This is an effective defense against cookie theft through XSS. For a more detailed introduction, search Google.

2. Does the Java EE API support it?

At present Sun has not published a corresponding API, but PHP and C# both have implementations. That leaves Java EE developers frustrated, but don't worry: a workaround follows below.

3. HttpOnly configuration examples

Java EE

```java
// Write the Set-Cookie header by hand; the HttpOnly attribute name is
// matched case-insensitively by browsers, HttpOnly is the canonical spelling.
response.setHeader("Set-Cookie",
    "cookiename=value; Path=/; Domain=domainvalue; Max-Age=seconds; HttpOnly");
```

 

The meaning of each parameter is not explained here again. Once the attribute is set, JavaScript cannot read the cookie, but the server can still read it in the usual way:

```java
Cookie cookies[] = request.getCookies();
```

C#

```csharp
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
```

VB.NET

```vbnet
Dim myCookie As HttpCookie = New HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)
```

However, in .NET 1.1 you have to append the attribute manually (here `cookie` is the name or index of the cookie in the response collection):

```csharp
Response.Cookies[cookie].Path += ";HTTPOnly";
```

PHP4

```php
header("Set-Cookie: hidden=value; httpOnly");
```

PHP5

```php
// setcookie(name, value, expire, path, domain, secure, httponly)
setcookie("abc", "test", 0, "", "", false, true);
```

The last argument is the HttpOnly flag.
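As an added example (not code from the original post), the Python below builds the Set-Cookie header value that the samples write by hand and audits a list of constructed Set-Cookie headers for cookies that lack HttpOnly. It goes a little beyond the samples: it also emits the Secure attribute, which they omit, and it matches attribute names case-insensitively as browsers do, so the "HTTPOnly" and "httpOnly" spellings above are accepted.

```python
from typing import Dict, List, Optional, Tuple


def build_set_cookie(name: str, value: str, path: str = "/",
                     domain: Optional[str] = None, max_age: Optional[int] = None,
                     secure: bool = True, http_only: bool = True) -> str:
    """Produce the header value the Java EE sample writes by hand."""
    parts = [f"{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Return (name, value, attributes); flag attributes map to None.
    Splits on the first '=' only, because values (e.g. base64) may contain '='."""
    tokens = [t.strip() for t in header.split(";") if t.strip()]
    name, _, value = tokens[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for tok in tokens[1:]:
        key, eq, val = tok.partition("=")
        # Lower-case the attribute name: browsers treat HttpOnly/HTTPOnly alike.
        attrs[key.strip().lower()] = val.strip() if eq else None
    return name.strip(), value.strip(), attrs


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Names of cookies set without HttpOnly: the check to run over a server's
    Set-Cookie responses before deciding which ones a script may legitimately read."""
    missing = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample responses (not captured from any real server).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "abc=test; Path=/; HTTPOnly",
    "theme=dark; Path=/; Max-Age=3600",
    "session=dG9rZW49PQ==; Path=/; Domain=example.com; Secure",
]
```

Running `cookies_missing_httponly(SAMPLE_HEADERS)` reports `theme` (a preference a script may reasonably read) and `session` (a session token that should have HttpOnly).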

 

----------------------------------------------------------------------------------

WebBrowser control

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;

namespace WindowsFormsApplication1
{
    /// <summary>
    /// WinInet.dll wrapper
    /// </summary>
    internal static class CookieReader
    {
        // Flag that makes InternetGetCookieEx include HttpOnly cookies (IE 8 or later).
        private const int INTERNET_COOKIE_HTTPONLY = 0x00002000;

        [DllImport("wininet.dll", SetLastError = true)]
        private static extern bool InternetGetCookieEx(
            string url,
            string cookieName,
            StringBuilder cookieData,
            ref int size,
            int flags,
            IntPtr pReserved);

        public static string GetCookie(string url)
        {
            int size = 512;
            StringBuilder sb = new StringBuilder(size);
            if (!InternetGetCookieEx(url, null, sb, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero))
            {
                if (size < 0)
                {
                    return null;
                }
                // On ERROR_INSUFFICIENT_BUFFER, size now holds the required length: retry once.
                sb = new StringBuilder(size);
                if (!InternetGetCookieEx(url, null, sb, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero))
                {
                    return null;
                }
            }
            return sb.ToString();
        }
    }
}
```


********************************************************************************************************************************************************

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Text;

namespace CookieHandler
{
    internal sealed class INativeMethods
    {
        #region enums
        public enum ErrorFlags
        {
            ERROR_INSUFFICIENT_BUFFER = 122,
            ERROR_INVALID_PARAMETER = 87,
            ERROR_NO_MORE_ITEMS = 259
        }

        public enum InternetFlags
        {
            INTERNET_COOKIE_HTTPONLY = 8192, // Requires IE 8 or higher
            INTERNET_COOKIE_THIRD_PARTY = 131072,
            INTERNET_FLAG_RESTRICTED_ZONE = 16
        }
        #endregion

        #region DLL Imports
        [SuppressUnmanagedCodeSecurity, SecurityCritical,
         DllImport("wininet.dll", EntryPoint = "InternetGetCookieExW", CharSet = CharSet.Unicode,
                   SetLastError = true, ExactSpelling = true)]
        internal static extern bool InternetGetCookieEx(
            [In] string Url,
            [In] string cookieName,
            [Out] StringBuilder cookieData,
            [In, Out] ref uint pchCookieData,
            uint flags,
            IntPtr reserved);
        #endregion
    }
}
```

  

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Text;

namespace CookieHandler
{
    /// <summary>
    /// Gets the full cookie set of the WebBrowser control.
    /// The default webBrowser1.Document.Cookie cannot read HttpOnly cookies.
    /// Not compatible with IE7; works with IE8; other versions unknown.
    /// </summary>
    public class FullWebBrowserCookie
    {
        public static Dictionary<string, string> GetCookieList(Uri uri, bool throwIfNoCookie)
        {
            Dictionary<string, string> dict = new Dictionary<string, string>();
            string cookie = GetCookieInternal(uri, throwIfNoCookie);
            if (string.IsNullOrEmpty(cookie))
            {
                return dict; // no cookies for this URI and throwIfNoCookie was false
            }
            Console.WriteLine("FullWebBrowserCookie - 所有cookie:" + cookie);
            string[] arrCookie = cookie.Split(';');
            foreach (var item in arrCookie)
            {
                // Split on the first '=' only: cookie values may themselves contain '='.
                string[] arr = item.Split(new[] { '=' }, 2);
                string key = arr[0].Trim();
                string val = "";
                if (arr.Length >= 2)
                {
                    val = arr[1].Trim();
                }
                if (!dict.ContainsKey(key))
                {
                    dict.Add(key, val);
                }
            }
            Console.WriteLine("FullWebBrowserCookie - cookie已载入dict,共" + dict.Count.ToString() + "项");
            return dict;
        }

        public static string GetCookieValue(string key, Uri uri, bool throwIfNoCookie)
        {
            Console.WriteLine("GetCookieValue");
            Dictionary<string, string> dict = GetCookieList(uri, throwIfNoCookie);
            if (dict.ContainsKey(key))
            {
                return dict[key];
            }
            return "";
        }

        [SecurityCritical]
        public static string GetCookieInternal(Uri uri, bool throwIfNoCookie)
        {
            Console.WriteLine("GetCookieInternal");
            uint pchCookieData = 0;
            string url = UriToString(uri);
            uint flag = (uint)INativeMethods.InternetFlags.INTERNET_COOKIE_HTTPONLY;
            // First call with a null buffer: on success pchCookieData holds the required size.
            if (INativeMethods.InternetGetCookieEx(url, null, null, ref pchCookieData, flag, IntPtr.Zero))
            {
                pchCookieData++;
                StringBuilder cookieData = new StringBuilder((int)pchCookieData);
                // Second call reads the cookie data into the sized buffer.
                if (INativeMethods.InternetGetCookieEx(url, null, cookieData, ref pchCookieData, flag, IntPtr.Zero))
                {
                    DemandWebPermission(uri);
                    return cookieData.ToString();
                }
            }
            int lastErrorCode = Marshal.GetLastWin32Error();
            if (throwIfNoCookie || (lastErrorCode != (int)INativeMethods.ErrorFlags.ERROR_NO_MORE_ITEMS))
            {
                throw new Win32Exception(lastErrorCode);
            }
            return null;
        }

        private static void DemandWebPermission(Uri uri)
        {
            string uriString = UriToString(uri);
            if (uri.IsFile)
            {
                string localPath = uri.LocalPath;
                new FileIOPermission(FileIOPermissionAccess.Read, localPath).Demand();
            }
            else
            {
                new WebPermission(NetworkAccess.Connect, uriString).Demand();
            }
        }

        private static string UriToString(Uri uri)
        {
            if (uri == null)
            {
                throw new ArgumentNullException("uri");
            }
            UriComponents components = (uri.IsAbsoluteUri ? UriComponents.AbsoluteUri : UriComponents.SerializationInfoString);
            return new StringBuilder(uri.GetComponents(components, UriFormat.SafeUnescaped), 2083).ToString();
        }
    }
}
```

  

Reposted from: https://www.cnblogs.com/xiangxiong/p/7298798.html
