HttpCookie.HttpOnly 屬性
定義
重要
部分資訊涉及發行前產品,在發行之前可能會有大幅修改。 Microsoft 對此處提供的資訊,不做任何明確或隱含的瑕疵擔保。
取得或設定數值,指定 Cookie 是否由用戶端指令碼存取。
public:
property bool HttpOnly { bool get(); void set(bool value); };
public bool HttpOnly { get; set; }
member this.HttpOnly : bool with get, set
Public Property HttpOnly As Boolean
屬性值
如果 Cookie 有 true
屬性且不可以透過用戶端指令碼存取,則為 HttpOnly
,否則為 false
。 預設為 false
。
範例
下列程式碼範例示範如何撰寫 HttpOnly
Cookie,並示範用戶端如何透過 ECMAScript 存取 Cookie。
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
void Page_Load(object sender, EventArgs e)
{
// Create a new HttpCookie.
HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// By default, the HttpOnly property is set to false
// unless specified otherwise in configuration.
myHttpCookie.Name = "MyHttpCookie";
Response.AppendCookie(myHttpCookie);
// Show the name of the cookie.
Response.Write(myHttpCookie.Name);
// Create an HttpOnly cookie.
HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// Setting the HttpOnly value to true, makes
// this cookie accessible only to ASP.NET.
myHttpOnlyCookie.HttpOnly = true;
myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
Response.AppendCookie(myHttpOnlyCookie);
// Show the name of the HttpOnly cookie.
Response.Write(myHttpOnlyCookie.Name);
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
function getCookie(NameOfCookie)
{
if (document.cookie.length > 0)
{
begin = document.cookie.indexOf(NameOfCookie+"=");
if (begin != -1)
{
begin += NameOfCookie.length+1;
end = document.cookie.indexOf(";", begin);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(begin, end));
}
}
return null;
}
</script>
<script type="text/javascript">
// This code returns the cookie name.
alert("Getting HTTP Cookie");
alert(getCookie("MyHttpCookie"));
// Because the cookie is set to HttpOnly,
// this returns null.
alert("Getting HTTP Only Cookie");
alert(getCookie("MyHttpOnlyCookie"));
</script>
</body>
</html>
<%@ Page Language="VB" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs)
' Create a new HttpCookie.
Dim myHttpCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())
' By default, the HttpOnly property is set to false
' unless specified otherwise in configuration.
myHttpCookie.Name = "MyHttpCookie"
Response.AppendCookie(myHttpCookie)
' Show the name of the cookie.
Response.Write(myHttpCookie.Name)
' Create an HttpOnly cookie.
Dim myHttpOnlyCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())
' Setting the HttpOnly value to true, makes
' this cookie accessible only to ASP.NET.
myHttpOnlyCookie.HttpOnly = True
myHttpOnlyCookie.Name = "MyHttpOnlyCookie"
Response.AppendCookie(myHttpOnlyCookie)
' Show the name of the HttpOnly cookie.
Response.Write(myHttpOnlyCookie.Name)
End Sub
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
function getCookie(NameOfCookie)
{
if (document.cookie.length > 0)
{
begin = document.cookie.indexOf(NameOfCookie+"=");
if (begin != -1)
{
begin += NameOfCookie.length+1;
end = document.cookie.indexOf(";", begin);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(begin, end));
}
}
return null;
}
</script>
<script type="text/javascript">
// This code returns the cookie name.
alert("Getting HTTP Cookie");
alert(getCookie("MyHttpCookie"));
// Because the cookie is set to HttpOnly,
// this returns null.
alert("Getting HTTP Only Cookie");
alert(getCookie("MyHttpOnlyCookie"));
</script>
</body>
</html>
備註
Microsoft Internet Explorer 第 6 版 Service Pack 1 和更新版本支援 Cookie 屬性, HttpOnly 有助於減輕造成遭竊 Cookie 的跨網站腳本威脅。 遭竊的 Cookie 可以包含識別網站的敏感性資訊,例如 ASP.NET 會話識別碼或表單驗證票證,而且攻擊者可以重新執行,以便偽裝為使用者或取得敏感性資訊。 HttpOnly
當符合規範的瀏覽器收到 Cookie 時,用戶端腳本無法存取。
警告
HttpOnly將 屬性設定為 true
不會防止具有網路通道存取權的攻擊者直接存取 Cookie。 請考慮使用安全通訊端層 (SSL) 來協助防範此情況。 工作站安全性也很重要,因為惡意使用者可以使用開啟的瀏覽器視窗或包含持續性 Cookie 的電腦,以取得具有合法使用者身分識別的網站存取權。
適用於
意見反應
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:提交並檢視相關的意見反應