开发者

Zend Framework, Sessions, and HttpOnly

I wa开发者_如何学Cnt to make my session cookie HttpOnly. Based on this article, I added this to my application.ini:

resources.session.cookie_httponly = true

Unfortunately, when I look at the session cookie in Firecookie, it is not marked as HttpOnly as I have specified. What step am I missing?

Zend Framework, Sessions, and HttpOnly


Try at bootstrap to do Zend_Session::setOptions(array('cookie_httponly' => true)); ( somewhere before the session is first initialized ) tough it should work with the app.ini file too .


Add this to your application.ini file.

phpSettings.session.cookie_httponly = true


For this to be 100% safe.

The server should not allow the option http trace. The http option trace reports the session id. If a attacker can inject a java applet, flash or javascript with ajax the attacker can also steal cookies even with the httponly flag set...

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜