问题描述

我有一个不是的cookie我可以通过JavaScript将此cookie设置为 HttpOnly ？

推荐答案

HttpOnly Cookie意味着不到脚本语言（如JavaScript）。因此，JavaScript中绝对没有可用的API来获取/设置cookie的 HttpOnly 属性，否则会破坏 HttpOnly 。

A HttpOnly cookie means that it's not available to scripting languages like JavaScript. So there's in JavaScript absolutely no API available to get/set the HttpOnly attribute of the cookie, as that would otherwise defeat the meaning of HttpOnly.

只要在服务器端使用服务器端使用的任何服务器端语言进行设置即可。如果JavaScript是绝对必要的，你可以考虑让它发送一些（ajax）请求与例如。一些特定的请求参数触发服务器端语言创建一个HttpOnly Cookie。但是，这仍然会使黑客很容易改变 HttpOnly 只是XSS，仍然可以通过JS访问cookie，因此使 HttpOnly 对您的Cookie完全无用。

Just set it as such in the server side using whatever server side language the server side is using. If JavaScript is absolutely necessary in this, you could consider to just let it send some (ajax) request with e.g. some specific request parameter which triggers the server side language to create a HttpOnly cookie. But, that would still make it easy for hackers to change the HttpOnly by just XSS and still have access to the cookie via JS and thus make the HttpOnly on your cookie completely useless.