HTTP Only cookies without PHP 5.2
HTTP Only cookies without PHP 5.2
by Matt Mecham
on September 12, 2006
For a while, Microsoft have had a flag
for cookies called ‘httponly’. This doesn’t sound particularly
exciting, but it is a vital step forward for web application security.
This flag tells Internet Explorer to make this cookie ‘invisible’ to
javascript (and other scripting languages) which means that an XSS
attack will no longer be able to steal your sensitive cookies.
The problem is that ‘http only’ support has only just been added into PHP 5.2
. This makes this feature unavailable to most webservers.
However, there appears to be a way to force this flag to be written
regardless of your PHP version by simply adding “; HttpOnly” at the end
of the domain name when setting the cookie. PHP’s “setcookie” function
merely formats the data into a “set-cookie” header. Fortunately, PHP
doesn’t appear to filter out or escape the semi-colon so it’s added to
the end of the “set-cookie” request.
if ( PHP_VERSION < 5.2 )
{
@setcookie( $name, $value, $expires, $path, $domain. '; HttpOnly' );
}
else
{
@setcookie( $name, $value, $expires, $path, $domain, NULL, TRUE );
}
I've tested this out and it appears to work fine. IE7 shows the
"sensitive" cookie data in the document.cookie string without adding
the flag. Adding the flag onto the domain string causes the sensitive
cookies to disappear from the document.cookie string.
Firefox ignores it and sets cookies as does Safari and Opera. I'll
do some more testing and report in on my findings. I also have a
Firefox friendly version to stop access to the document.cookie which
I'll post up tomorrow.
UPDATE 14th September
I've downloaded the source to PHP 5 to make confirm that this 'hack'
will work across different platforms. The source code confirms that no
cleaning takes place on
相关文档:
function poster()
{
$URL = 'http://www.yw56.com.cn/DIY.asp'; //需要提交到的页面
//下面这段是要提交的数据
$post_data['orderid'] = "YW861736303CN";
$post_data['button'] = "提交";
$referrer="http://www.yw56.com.cn/DIY.asp";
$Cookie=&qu ......
tidy 是一个非常帮忙的网页代码分析和纠错的工具,能够支持多种页面编码,并且支持xhtml输出。如果我们偷懒,甚至可以将整个页面缓存,最后采用tidy处理,最后输出完美的xhtml代码。
linux下安装过程如下:
首先安装tidy ,下载tidy源代码:
cvs -d:pserver: anonymous@tidy.cvs.sourceforge.net 为防备电子邮件地址收集 ......
2009-10-22 09:16
|
322次阅读
|
【已有0
条评论】发表评论
关键词:PHP
| 感谢yvonne_826
的提供
|
收藏这篇新闻
日前,PHP语言及工具供应商Zend
Technologies宣布将联手云计算应用管理领军企业RightScale,帮助PHP开发者进入云计算的应用。RightScale将 ......
作者:Ekerete
翻译:Emeric Li (http://lee.kometo.com/index.php/archives/117
)
原文:http://www.avnetlabs.com/php/php ... r-vs-zend-framework
我们计划从头开始一个新项目,为此评估了一些PHP框架。我们的备选列表有CakePHP , CodeIgniter , Symfony和Zend 。 我们分别使用这4种框架编写了一个相同的小应用( ......