Session Cookie without HttpOnly flag set

时间:2022-05-15 01:41:23

I have joust built a website with a login system. After I've just got ready I have scanned it with Acunetix, but I got the following message:

我已经建立了一个带登录系统的网站。在我准备好之后,我用Acunetix扫描了它,但是我得到了以下消息:

Session Cookie without HttpOnly flag set Session Cookie without Secure flag set (i guess this is only if I have SSL connection)

会话Cookie没有HttpOnly标志设置会话Cookie没有安全标志设置(我想这只有我有SSL连接)

So my question would be, that how can I set HttpOnly flag for all my Session data? I'm just using sessions when I log in the users. I'm giving them a session with their userID number and than I'm getting data using that userID.

所以我的问题是,如何为我的所有Session数据设置HttpOnly标志?我只是在登录用户时使用会话。我给他们一个带有userID号的会话,而不是我使用那个userID获取数据。

Is there any simple way that I can set ALL of the session HTTPOnly and secure them, so noone can touch them?

有没有简单的方法可以设置所有会话HTTPOnly并保护它们,所以没有人可以触摸它们?

3 个解决方案

#1


7  

You can either change settings in php.ini, or via ini_set() calls to change session.cookie_secure and session.cookie_httponly values to true.

您可以更改php.ini中的设置,也可以通过ini_set()调用将session.cookie_secure和session.cookie_httponly值更改为true。

Alternately, you can use session_set_cookie_params() before starting your session to get the effect you are looking for.

或者,您可以在开始会话之前使用session_set_cookie_params()来获得您正在寻找的效果。

http://us3.php.net/manual/en/function.session-set-cookie-params.php

#2


1  

You should check out this excellent site for this question. It comes down to setting it in the sessions-section of your php.ini (or via the appropriate runtime function):

你应该看看这个问题的优秀网站。它归结为在php.ini的sessions-section中设置它(或通过适当的运行时函数):

session.cookie_httponly = True

#3


0  

You could also just set the httponly flag to false when you use PHP's setcookie:

您还可以在使用PHP的setcookie时将httponly标志设置为false:

// params: name, value, expiration, path, domain, secure, http-only
setcookie('session-cookie-key', 'data', 0, '/', 'example.com', true, false);

#1


7  

You can either change settings in php.ini, or via ini_set() calls to change session.cookie_secure and session.cookie_httponly values to true.

您可以更改php.ini中的设置,也可以通过ini_set()调用将session.cookie_secure和session.cookie_httponly值更改为true。

Alternately, you can use session_set_cookie_params() before starting your session to get the effect you are looking for.

或者,您可以在开始会话之前使用session_set_cookie_params()来获得您正在寻找的效果。

http://us3.php.net/manual/en/function.session-set-cookie-params.php

#2


1  

You should check out this excellent site for this question. It comes down to setting it in the sessions-section of your php.ini (or via the appropriate runtime function):

你应该看看这个问题的优秀网站。它归结为在php.ini的sessions-section中设置它(或通过适当的运行时函数):

session.cookie_httponly = True

#3


0  

You could also just set the httponly flag to false when you use PHP's setcookie:

您还可以在使用PHP的setcookie时将httponly标志设置为false:

// params: name, value, expiration, path, domain, secure, http-only
setcookie('session-cookie-key', 'data', 0, '/', 'example.com', true, false);