What HttpOnly does

HttpOnly is an extension to cookies introduced by Microsoft. Its main purpose is to address the problem of a user's cookie being stolen.
After we log in to a bank website, the server writes some cookies to our browser; when we later visit other pages, the browser sends those cookies automatically, so a single login lets us see all the content that requires being logged in.
In other words, all login state is essentially built on cookies. If someone obtains our post-login cookie, our personal information is at risk of exposure.
Of course, how could someone else obtain a customer's cookie? A malicious program would have to be running in the browser. If it is the rogue software that is everywhere these days, nothing can be done; HttpOnly is not meant to solve that case. It addresses the problem of JavaScript in the browser accessing cookies.
Setting HttpOnly in PHP
session.cookie_httponly = 1 (or true)
The corresponding entry in php.ini reads:
; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
; http://php.net/session.cookie-httponly
session.cookie_httponly =
Reference: http://php.net/manual/zh/session.configuration.php#ini.session.cookie-secure
session.cookie_httponly boolean
Marks the cookie as accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).
The cookie functions setcookie and setrawcookie also have a dedicated 7th parameter for the HttpOnly option. It is enabled like this (the original passed NULL for the intermediate arguments; PHP 8.1+ deprecates null for these non-nullable parameters, so the defaults 0, "" and false are used here):
 ------------------------------------------------------- 
 // 7th argument = httponly
 setcookie("abc", "test", 0, "", "", false, TRUE); 
 setrawcookie("abc", "test", 0, "", "", false, TRUE);
 ------------------------------------------------------- 
In ThinkPHP it can be set through configuration, in the convention file convention.php:
 'COOKIE_HTTPONLY'       =>  '',      // Cookie httponly setting
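As an added example (not code from the original post), the HttpOnly setting applied to the session cookie and to an application cookie in both the positional and the options-array form, followed by a small audit that reports any queued Set-Cookie header still missing the flag. The function name cookiesWithoutHttpOnly and the cookie names are my own assumptions.

```php
<?php
declare(strict_types=1);

// 1. Session cookie: same effect as session.cookie_httponly = 1 in php.ini.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');   // only send the cookie over HTTPS
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();                          // emits the session Set-Cookie header

// 2. Application cookie, positional form: the 7th argument is httponly.
setcookie('abc', 'test', 0, '/', '', true, true);

// 3. Same thing with the options array (PHP 7.3+), which also allows SameSite.
setcookie('abc2', 'test', [
    'expires'  => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Audit: names of cookies in the given Set-Cookie headers that lack HttpOnly.
function cookiesWithoutHttpOnly(array $headers): array
{
    $missing = [];
    foreach ($headers as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        $attrs = array_map('trim', explode(';', substr($header, strlen('Set-Cookie:'))));
        $name  = explode('=', $attrs[0], 2)[0];
        $flags = array_map('strtolower', array_slice($attrs, 1));
        if (!in_array('httponly', $flags, true)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Run before any output: headers_list() returns the headers queued so far.
$unprotected = cookiesWithoutHttpOnly(headers_list());
if ($unprotected !== []) {
    error_log('Cookies missing HttpOnly: ' . implode(', ', $unprotected));
}
```

The audit only sees headers PHP itself queued; cookies set by a reverse proxy or a framework that writes headers after this point still need to be checked in the browser's developer tools or with a response-header scan.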