本文介绍了会话Cookie安全/ httponly的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我在互联网上搜索的时间很长,但我没有找到令人满意的答案。

I was searching the internet quite a time but I didn't find a satisfying answer to my question.

我必须从某个http获取一个json对象现场。我通过http获取请求(网站仅通过http提供)。该网站以会话cookie响应:

I have to get a json object from a certain http site. I do this with a get-request over http (site is available only over http). The site responds with a session cookie:

我的第一个问题是为何在httponly& amp;安全标志被设置??

My first question is why the cookie is sent over http when httponly & secure flag are set??

在我得到json对象后,我必须做一些奇特的东西并将json对象发送回同一域的其他站点。此网站也只能通过http。 (我在python中使用python-requests执行请求,并使用requests.session()处理cookie,因此没有问题)。当我通过mitmproxy查看我的请求的标题时,我看到没有设置cookie并且页面响应我的COOKIE在哪里?

After I get the json object I have to do some fancy stuff and send a json object back to an other site of the same domain. Also this site is available only via http. (I do the requests in python with python-requests and use requests.session() for dealing with the cookies so no problem there). When I look through the header of my request with mitmproxy I see that no cookie is set and the page responds with "WHERE'S MY COOKIE??"

我认为问题是与httponly& sercur标志。我只是不知道如何处理它因为页面只能通过http而不是https?

I think the problem is with httponly & sercur flag. I just don't know how to deal with it because the page is only available over http and not https?

推荐答案

安全属性指示客户端/浏览器仅在使用安全通道时返回cookie,但是这样的cookie可以由应用程序/服务器通过普通HTTP设置到客户端/浏览器上。你是正确的安全标志导致问题和AFAIK没有办法解决它

Secure attribute instructs the client/browser to only return the cookie when using a secure channel, but such a cookie can be set by the application/server on to the client/browser over normal HTTP. You are correct the secure flag is causing the problem and AFAIK there is no way to work around it

这篇关于会话Cookie安全/ httponly的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-26 03:10
查看更多