Websites commonly store the user's token in a cookie; protect any important cookie with the HttpOnly flag so page scripts cannot read it.
HttpOnly cookies can in fact be remarkably effective. Here's what we know:
- HttpOnly blocks all script access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari). Every current browser enforces this.
- HttpOnly strips cookie information from the response headers returned by XMLHttpObject.getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but at the time it did not because of a bug (since fixed; the Fetch standard now forbids scripts from reading the Set-Cookie header at all). XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.

One caveat: HttpOnly keeps the token value out of an injected script's hands, but it does not stop that script from sending authenticated requests from the victim's browser, because the cookie is still attached automatically. Pair it with Secure and SameSite, and still fix the XSS.
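As an added example (not code from the original post), the following Node.js snippet builds a Set-Cookie header with the flags discussed above and audits an arbitrary Set-Cookie header for missing protections. The function names, the __Host- prefix checks and the sample headers are my own assumptions for illustration.

```javascript
// Added example: build a hardened session cookie and audit Set-Cookie headers.
// Names, sample inputs and __Host- rules here are assumptions for illustration.

const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 6265 token chars

// Build a Set-Cookie value with HttpOnly, Secure and SameSite set.
function buildSessionCookie(name, value, { maxAge = 3600, sameSite = "Lax", path = "/" } = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new Error("invalid cookie name");
  if (/[;\s"\\,]/.test(value)) throw new Error("invalid cookie value");
  return [
    `${name}=${value}`,
    `Path=${path}`,
    `Max-Age=${maxAge}`,
    "HttpOnly", // not readable via document.cookie
    "Secure",   // only sent over HTTPS
    `SameSite=${sameSite}`,
  ].join("; ");
}

// Split a Set-Cookie header into name, value and lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq >= 0 ? pair.slice(0, eq) : pair;
  const value = eq >= 0 ? pair.slice(eq + 1) : "";
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const k = (i >= 0 ? a.slice(0, i) : a).trim().toLowerCase();
    attributes[k] = i >= 0 ? a.slice(i + 1).trim() : true;
  }
  return { name, value, attributes };
}

// Return a list of findings; an empty list means the cookie carries all the
// protections this audit checks for.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const secure = "secure" in attributes;
  if (!("httponly" in attributes)) findings.push("missing HttpOnly");
  if (!secure) findings.push("missing Secure");
  const sameSite = attributes.samesite;
  if (sameSite === undefined) findings.push("missing SameSite");
  else if (String(sameSite).toLowerCase() === "none" && !secure) {
    findings.push("SameSite=None requires Secure");
  }
  // __Host- prefixed cookies must be Secure, have Path=/ and no Domain.
  if (name.startsWith("__Host-")) {
    if ("domain" in attributes) findings.push("__Host- cookie must not set Domain");
    if (attributes.path !== "/") findings.push("__Host- cookie must have Path=/");
  }
  return findings;
}

// Constructed sample headers, as a server or proxy log might show them.
const SAMPLES = [
  buildSessionCookie("__Host-session", "abc123"),
  "session=abc123; Path=/",
  "sid=xyz; HttpOnly; SameSite=None",
];
for (const h of SAMPLES) {
  console.log(h, "=>", auditSetCookie(h).join(", ") || "ok");
}

module.exports = { buildSessionCookie, parseSetCookie, auditSetCookie };
```

Run it with node to see which sample headers fail the audit; the first one, built with HttpOnly, Secure and SameSite, passes.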