See: http://blog.yemou.net/article/query/info/tytfjhfascvhzxcyt377
1. What is HttpOnly?
If you set the HttpOnly attribute in the cookie, the cookie information will not be read through the js script, which can effectively prevent XSS attacks. For specific introduction, please search on google
2. Is the API of javaEE supported?
At present, sun company has not announced the relevant API, but both PHP and C# have realized it. Brothers engaged in javaEE are more depressed, don't worry, there are workarounds below
3. HttpOnly setting example
javaEE
|
1
2
|
response.setHeader(
"Set-Cookie"
, "cookiename=value;
Path=/;Domain=domainvalue;Max-Age=seconds;HTTPOnly");
|
The meaning of the specific parameters will not be explained again. After the setting is completed, the cookie cannot be read through the js script, but can be read in the following way
|
1
|
Cookie cookies[]=request.getCookies();
|
C#
|
1
2
3
|
HttpCookie myCookie =
new
HttpCookie(
"myCookie"
);
myCookie.HttpOnly =
true
;
Response.AppendCookie(myCookie);
|
VB.NET
|
1
2
3
|
Dim myCookie As HttpCookie =
new
HttpCookie(
"myCookie"
)
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)
|
But in .NET 1.1, you need to manually add
|
1
|
Response.Cookies[cookie].Path +=
";HTTPOnly"
;
|
PHP4
|
1
|
header(
"Set-Cookie: hidden=value; httpOnly"
);
|
PHP5
|
1
|
setcookie(
"abc"
,
"test"
, NULL, NULL, NULL, NULL, TRUE);
|
The last parameter is the HttpOnly attribute