Does https connection secure cookies and prevents XSS attacks. I have a simple blog that allows users to enter JavaScript code as an input. I want to allow Javascript input by the user while still preventing XSS attacks and cookie stealing. Does https help secure cookies. I only found few sites that talks about this and still a bit unclear.
https连接是否保护cookie并防止XSS攻击。我有一个简单的博客,允许用户输入JavaScript代码作为输入。我希望允许用户进行Javascript输入,同时仍然防止XSS攻击和cookie窃取。https是否有助于保护cookie。我只找到了很少的网站谈论这个,但仍然有点不清楚。
4 个解决方案
#1
7
HTTPS can prevent a man-in-the-middle attack, not XSS. Unfortunately the session cookie is not secure with this alone, one can request a page with HTTP and then the same cookie will be sent unprotected.
HTTPS可以防止中间人攻击,而不是XSS。不幸的是,会话cookie本身并不安全,可以使用HTTP请求一个页面,然后不受保护地发送相同的cookie。
To ensure that the session cookie is sent only on HTTPS connections, you can use the function session_set_cookie_params() before starting the session:
为了确保会话cookie只在HTTPS连接上发送,您可以在开始会话之前使用函数session_set_cookie_params():
session_set_cookie_params(0, '/', '', true, true);
session_start();
Note the first true, it means that the cookie will be sent only to HTTPS pages. The second true tells the browser, that JavaScript must not access the session cookie, it depends on the browser if that is done correctly.
注意第一个事实,它意味着cookie将只发送到HTTPS页面。第二个true告诉浏览器,JavaScript不能访问会话cookie,这取决于浏览器是否做对了。
Another good way to make your site safer is, to use the session cookie only for maintaining the session, and using a second cookie to take care of the authentication. I can provide an example if you are interested.
另一种提高站点安全性的好方法是,只使用会话cookie来维护会话,并使用第二个cookie来处理身份验证。如果你感兴趣的话,我可以举个例子。
#2
4
The HTTP protocol (HTTPS or HTTP) does not help with XSS or really have any relation. You'll need to add preventative measures and be careful where you output the javascript to the client.
HTTP协议(HTTPS或HTTP)对XSS没有帮助,也没有任何关系。您将需要添加预防措施,并小心地将javascript输出到客户端。
#3
1
Once you've allowed someone to dynamically store and execute arbitrary JavaScript on your site, they have access to a lot of stuff you would want them to leave alone. At a minimum, they can hijack your PHP Session ID (they'll have access to your cookies, after all) and then use Ajax to forward it to some remote server. Once they have that, they can then do all sorts of crap to your users.
一旦你允许某人在你的站点上动态地存储和执行任意的JavaScript,他们就可以访问很多你想让他们远离的东西。至少,他们可以劫持您的PHP会话ID(毕竟他们可以访问您的cookie),然后使用Ajax将其转发到某个远程服务器。一旦他们有了这些,他们就可以对你的用户做各种各样的废话。
If you have to let them add their own JavaScript, I would recommend that you specifically disable all Ajax functionality (XMLHTTPRequest = function(){} prevents all Ajax pretty easily on most browsers, but you might need to look into what IE needs (I don't know what ActiveXObject = function(){} will do...)). Unfortunately, you can't prevent access to cookies if you have any expectation of using them (i.e. if you have a session), so you will need to find some other workaround.
如果您必须让他们添加自己的JavaScript,我建议您特别禁用所有Ajax功能(XMLHTTPRequest = function(){}在大多数浏览器上都很容易阻止所有的Ajax,但是您可能需要查看IE需要什么(我不知道ActiveXObject = function(){}会做什么)。不幸的是,如果您希望使用cookie(例如,如果您有一个会话),您不能阻止对cookie的访问,因此您将需要找到其他的解决方案。
#4
1
If you want users to be able to input JavaScript code, but not have it parsed, run it through htmlspecialchars. If you want them to be able to execute code, then no, HTTPS won't help, and you're going to need to parse the code and remove anything bad from it.
如果您希望用户能够输入JavaScript代码,但不需要解析它,可以通过htmlspecialchars运行它。如果您希望它们能够执行代码,那么不,HTTPS将不起作用,您将需要解析代码并从中删除任何不好的内容。
#1
7
HTTPS can prevent a man-in-the-middle attack, not XSS. Unfortunately the session cookie is not secure with this alone, one can request a page with HTTP and then the same cookie will be sent unprotected.
HTTPS可以防止中间人攻击,而不是XSS。不幸的是,会话cookie本身并不安全,可以使用HTTP请求一个页面,然后不受保护地发送相同的cookie。
To ensure that the session cookie is sent only on HTTPS connections, you can use the function session_set_cookie_params() before starting the session:
为了确保会话cookie只在HTTPS连接上发送,您可以在开始会话之前使用函数session_set_cookie_params():
session_set_cookie_params(0, '/', '', true, true);
session_start();
Note the first true, it means that the cookie will be sent only to HTTPS pages. The second true tells the browser, that JavaScript must not access the session cookie, it depends on the browser if that is done correctly.
注意第一个事实,它意味着cookie将只发送到HTTPS页面。第二个true告诉浏览器,JavaScript不能访问会话cookie,这取决于浏览器是否做对了。
Another good way to make your site safer is, to use the session cookie only for maintaining the session, and using a second cookie to take care of the authentication. I can provide an example if you are interested.
另一种提高站点安全性的好方法是,只使用会话cookie来维护会话,并使用第二个cookie来处理身份验证。如果你感兴趣的话,我可以举个例子。
#2
4
The HTTP protocol (HTTPS or HTTP) does not help with XSS or really have any relation. You'll need to add preventative measures and be careful where you output the javascript to the client.
HTTP协议(HTTPS或HTTP)对XSS没有帮助,也没有任何关系。您将需要添加预防措施,并小心地将javascript输出到客户端。
#3
1
Once you've allowed someone to dynamically store and execute arbitrary JavaScript on your site, they have access to a lot of stuff you would want them to leave alone. At a minimum, they can hijack your PHP Session ID (they'll have access to your cookies, after all) and then use Ajax to forward it to some remote server. Once they have that, they can then do all sorts of crap to your users.
一旦你允许某人在你的站点上动态地存储和执行任意的JavaScript,他们就可以访问很多你想让他们远离的东西。至少,他们可以劫持您的PHP会话ID(毕竟他们可以访问您的cookie),然后使用Ajax将其转发到某个远程服务器。一旦他们有了这些,他们就可以对你的用户做各种各样的废话。
If you have to let them add their own JavaScript, I would recommend that you specifically disable all Ajax functionality (XMLHTTPRequest = function(){} prevents all Ajax pretty easily on most browsers, but you might need to look into what IE needs (I don't know what ActiveXObject = function(){} will do...)). Unfortunately, you can't prevent access to cookies if you have any expectation of using them (i.e. if you have a session), so you will need to find some other workaround.
如果您必须让他们添加自己的JavaScript,我建议您特别禁用所有Ajax功能(XMLHTTPRequest = function(){}在大多数浏览器上都很容易阻止所有的Ajax,但是您可能需要查看IE需要什么(我不知道ActiveXObject = function(){}会做什么)。不幸的是,如果您希望使用cookie(例如,如果您有一个会话),您不能阻止对cookie的访问,因此您将需要找到其他的解决方案。
#4
1
If you want users to be able to input JavaScript code, but not have it parsed, run it through htmlspecialchars. If you want them to be able to execute code, then no, HTTPS won't help, and you're going to need to parse the code and remove anything bad from it.
如果您希望用户能够输入JavaScript代码,但不需要解析它,可以通过htmlspecialchars运行它。如果您希望它们能够执行代码,那么不,HTTPS将不起作用,您将需要解析代码并从中删除任何不好的内容。