Should a session cookie always be HttpOnly?


There is very little reason why JavaScript should access the session cookie. The only one I've come across is one where Flash had to have access to the cookie because it had to make its own requests that were authorised via the same cookies. And to give Flash the cookies I had to print the cookies onto the page (which made them available to JS).

That still would have worked with the HttpOnly flag set (but that flag would have been redundant).

In short, yes, set the flag.


If you only ever want to access it via HTTP (not JavaScript), then yes.

Some older browsers allowed you to dig in the headers via XHR for the cookie. I believe this has been fixed in newer versions.
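Both answers come down to the same practical check: the session cookie should leave the server with HttpOnly (and, in practice, Secure and SameSite as well), and a script should not be able to recover it from response headers. The following Node.js snippet is an added example, not code from the original question or either answer. It parses Set-Cookie header values, flags session-looking cookies that lack those attributes, and builds a correctly flagged session cookie; the header lines and the cookie-name heuristics are constructed for this example. The leak the second answer alludes to, reading Set-Cookie back through XMLHttpRequest.getAllResponseHeaders(), is closed in current browsers because Set-Cookie and Set-Cookie2 are forbidden response-header names in the Fetch and XHR specifications and are never exposed to script.

```javascript
// Added example: audit Set-Cookie headers for missing HttpOnly / Secure / SameSite
// and build a session cookie that carries all three. Header samples and the
// session-name heuristic below are constructed for this example.

// Names that usually denote a session identifier (heuristic, assumption).
const SESSION_NAME_HINTS = [/sess/i, /^sid$/i, /\.sid$/i];

// Split "name=value; Attr; Attr=val" into its parts. Attribute names are
// case-insensitive per RFC 6265, so they are lower-cased for lookup.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

function looksLikeSession(name) {
  return SESSION_NAME_HINTS.some((re) => re.test(name));
}

// Return the list of problems for one Set-Cookie header.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in c.attributes)) findings.push('missing HttpOnly');
  if (!('secure' in c.attributes)) findings.push('missing Secure');
  if (!('samesite' in c.attributes)) {
    findings.push('missing SameSite');
  } else if (String(c.attributes.samesite).toLowerCase() === 'none' &&
             !('secure' in c.attributes)) {
    findings.push('SameSite=None requires Secure');
  }
  return { name: c.name, session: looksLikeSession(c.name), findings };
}

// The header a server should emit for its session cookie. The value is
// expected to be an opaque random identifier generated elsewhere.
function buildSessionCookie(name, value, opts = {}) {
  const { maxAge = 3600, sameSite = 'Lax', path = '/' } = opts;
  return `${name}=${value}; Path=${path}; Max-Age=${maxAge}; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Constructed sample headers: one weak session cookie, one correct one, and a
// non-session preference cookie that should not be reported.
const SAMPLE_HEADERS = [
  'PHPSESSID=ab12cd34; Path=/',
  'sessionid=x9y8z7; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
];

// Only session cookies with at least one finding are returned.
function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie).filter((r) => r.session && r.findings.length > 0);
}

for (const r of auditAll()) {
  console.log(`${r.name}: ${r.findings.join(', ')}`);
}
console.log(buildSessionCookie('sessionid', 'x9y8z7'));
```

Running it prints `PHPSESSID: missing HttpOnly, missing Secure, missing SameSite` followed by the corrected header. The same audit can be pointed at real responses by feeding it the `set-cookie` array from `response.headers` in a fetch or http client.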
