Ò׽ؽØͼÈí¼þ¡¢µ¥Îļþ¡¢Ãâ°²×°¡¢´¿ÂÌÉ«¡¢½ö160KB

httpOnly cookie flag support in PHP 5.2

http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html
Thanks to a patch from Scott
MacVicar that I've just applied to CVS, PHP 5.2 will have support for
httpOnly cookie flag. This neat little feature allows you to mark a
newly created cookie as HTTP only, another words inaccessible to
browser based scripting languages such as JavaScript. This means it
would become far more difficult, if not impossible to steal a user's
cookie based session by injecting JavaScript into a page and then using
to read cookies.
This flag can be toggled by passing TRUE as the 7th parameter to the
setcookie() and the setrawcookie() functions respectively. Ex:
PHP:
<?
php
setcookie
(
"abc"

"test"

NULL

NULL

NULL

NULL

TRUE
); 
setrawcookie
(
"abc"

"test"

NULL

NULL

NULL

NULL

TRUE
); 
?>
The support of the httpOnly flag extends to the session extension as
well, where it can be enabled by setting the session.cookie_httponly
INI setting to 1. Or passing TRUE as the 5th parameter to the
session_set_cookie_params() function.
PHP:
<?
php
ini_set
(
"session.cookie_httponly"

1
);
// or
session_set_cookie_params
(
0

NULL

NULL

NULL

TRUE
);
?>
Unfortunately, at this time according to my tests no other browser has
adopted this rather handy feature, but with the continual increase of
XSS attacks, I am sure they'll adopt this concept soon.
For people using PHP 4 and PHP 5.1 you can add this flag yourself by
sending cookies manually via the header function and prefixing the
;httpOnly flag to the cookie as shown in the example below:
PHP:
<?
php
header
(
"Set-Cookie: hidden=value; httpOnly"
);
?>



Ïà¹ØÎĵµ£º

phpÇëÇówebservice³¬Ê±ÉèÖÃ

ÎÒÃǵĵ绰±¨ÃûϵͳÖУ¬ºô½ÐÖÐÐÄÊÕ¼¯ÁËÓû§µÄÒøÐÐÐÅÏ¢£¬È»ºóÇëÇóÒøÐеÄÖ§¸¶½Ó¿ÚµÄwebservice£¬ÐèÒª½øÐг¬Ê±ÉèÖã¬ÒòΪ²»ÄÜÒ»Ö±ÈÃѧԱµÈ´ý
½â¾ö·½·¨ÊÇ
1:Ê×ÏÈÏÈÒª¿´Ò»ÏÂphp.iniÀïµÄĬÈϳ¬Ê±Ê±¼ä£¬Ò»°ãÊÇ120Ãë
2£ºÔÚphp´úÂëÀï¼ÓÉÏ
ini_set('default_socket_timeout', 10);//ÉèÖó¬Ê±Ê±¼ä
ÈçÏÂͼ
......

PHPµÄMVCʵÏÖ

¸ÕѧPHPµÄMVC,ÍøÉÏÕÒÀ´µãÎÄÕÂѧϰ,·ÖÏíÏÂ
      ASP£¬JSP£¬PHPÊÇWEB¿ª·¢µÄÈý´ó¼¼Êõ£¬ÈýÖÖ¼¼ÊõÓÅȱµãÒ²Ôç¾ÍÓÐÈË·ÖÎö¹ýÁË¡£ÎÞ·ÇÒ²¾ÍÊÇASP¼òµ¥Ò×ÓÃÇÒÓÐmicrosoft×ö¿¿É½£¬JSP¹¦ÄÜÇ¿´óÊÇÒòΪÓÐjavaÖ§³Ö£¬PHPÔò¿ªÔ´¿çƽ̨¡£ÔÚ¹úÄÚ£¬ASPÓ¦Ó÷¶Î§×î¹ã£¬JSP·¢Õ¹ÊÆÍ·×îÃÍ£¬PHPÔò´¦ÓÚÁÓÊÆ¡£Õâ¿ÉÄÜÓë¹«Ë ......

PHPÖÐsessionÓëcookieµÄÇø±ð

 1. PHPµÄCOOKIE
cookie ÊÇÒ»ÖÖÔÚÔ¶³Ìä¯ÀÀÆ÷¶Ë´¢´æÊý¾Ý²¢ÒÔ´ËÀ´¸ú×ÙºÍʶ±ðÓû§µÄ»úÖÆ¡£
PHPÔÚhttpЭÒéµÄÍ·ÐÅÏ¢Àï·¢ËÍcookie, Òò´Ë setcookie() º¯Êý±ØÐëÔÚÆäËüÐÅÏ¢±»Êä³öµ½ä¯ÀÀÆ÷Ç°µ÷Óã¬ÕâºÍ¶Ô header() º¯ÊýµÄÏÞÖÆÀàËÆ¡£
1.1 ÉèÖÃcookie:
    ¿ÉÒÔ ......

HTTP Only cookies without PHP 5.2


HTTP Only cookies without PHP 5.2
by Matt Mecham
on September 12, 2006
For a while, Microsoft have had a flag
for cookies called ‘httponly’. This doesn’t sound particularly
exciting, but it is a vital step forward for web application security.
This flag tells Internet Expl ......
© 2009 ej38.com All Rights Reserved. ¹ØÓÚE½¡ÍøÁªÏµÎÒÃÇ | Õ¾µãµØͼ | ¸ÓICP±¸09004571ºÅ