The HttpOnly and Secure attributes of cookies in HTTP

Cookie syntax:

Cookies are typically sent to the client in HTTP response headers. The following example shows the corresponding syntax (note that the HttpOnly attribute name is case-insensitive):

    Set-Cookie: name=value[; name=value]...
                [; expires=date][; domain=domain_name]
                [; path=some_path][; secure][; HttpOnly]

Meaning of the attributes:

    1. The secure attribute

    When set to true, the cookie is transmitted to the server only in a secure manner: the browser passes it to the server side for session validation only over an HTTPS connection and does not send it over a plain HTTP connection, so the specific contents of the cookie cannot be stolen in transit.

    2. The HttpOnly attribute

    If the "HttpOnly" attribute is set on the cookie, the cookie cannot be read by client-side programs (JS scripts, applets, etc.), which effectively prevents cookie theft through XSS attacks.

    Note: a setcookie() call intended to expire a cookie is sometimes ineffective if the HttpOnly parameter is not set to true; compare the original call (commented out) with the corrected one:
    // original call: no path and no httponly flag, so the deletion may not match the existing cookie
    //@setcookie("_mcloudauth", "", time() - 3600);
    // corrected call: setcookie(name, value, expires, path, domain, secure, httponly)
    @setcookie('_mcloudauthcookie', '', time() - 3600, '/', NULL, NULL, true);
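As an added example (not code from the original post), the following Python audit parses Set-Cookie header values in the syntax shown above, matches attribute names case-insensitively as the note on HttpOnly requires, and reports cookies that lack Secure or HttpOnly; it also emits a header with both flags on by default. The sample headers and the helper names are constructed for this example.

```python
from dataclasses import dataclass, field
# Findings reported by the audit (constants so callers can match on them).
MISSING_SECURE = "missing Secure: cookie will also be sent over plain HTTP"
MISSING_HTTPONLY = "missing HttpOnly: cookie is readable by client-side script"

@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased because browsers match them
    case-insensitively; flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header_value):
    """Report which transport/script protections one Set-Cookie header lacks."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(MISSING_SECURE)
    if "httponly" not in attrs:
        findings.append(MISSING_HTTPONLY)
    return CookieAudit(name, attrs, findings)

def audit_headers(headers):
    """Audit every Set-Cookie header of a response: {cookie name: findings}."""
    return {a.name: a.findings for a in map(audit_set_cookie, headers)}

def build_set_cookie(name, value, path="/", secure=True, httponly=True):
    """Emit a Set-Cookie value with both hardening flags on by default."""
    attrs = [f"{name}={value}", f"path={path}"]
    attrs += ["secure"] * secure + ["HttpOnly"] * httponly
    return "; ".join(attrs)

# Constructed sample response headers (not taken from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "tracking=xyz; expires=Wed, 21 Oct 2026 07:28:00 GMT; domain=example.com; path=/",
    "csrf=tok; path=/; HTTPONLY",
]
```

Running `audit_headers(SAMPLE_HEADERS)` flags the tracking cookie for both attributes and the csrf cookie for Secure only, since its upper-case HTTPONLY is still recognised.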
