HttpCookie.HttpOnly HttpCookie.HttpOnly HttpCookie.HttpOnly HttpCookie.HttpOnly Property

定义

获取或设置一个值,该值指定 Cookie 是否可通过客户端脚本访问。Gets or sets a value that specifies whether a cookie is accessible by client-side script.

public:
 property bool HttpOnly { bool get(); void set(bool value); };
public bool HttpOnly { get; set; }
member this.HttpOnly : bool with get, set
Public Property HttpOnly As Boolean

属性值

如果 Cookie 具有 true 特性且不能通过客户端脚本访问,则为 HttpOnly;否则为 falsetrue if the cookie has the HttpOnly attribute and cannot be accessed through a client-side script; otherwise, false. 默认值为 falseThe default is false.

示例

下面的代码示例演示如何编写HttpOnly cookie,并演示客户端如何通过 ECMAScript 来访问它。The following code example demonstrates how to write an HttpOnly cookie and shows how it is not accessible by the client through ECMAScript.

<%@ Page Language="C#" %>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        // Create a new HttpCookie.
        HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // By default, the HttpOnly property is set to false 
        // unless specified otherwise in configuration.

        myHttpCookie.Name = "MyHttpCookie";
        Response.AppendCookie(myHttpCookie);

        // Show the name of the cookie.
        Response.Write(myHttpCookie.Name);

        // Create an HttpOnly cookie.
        HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // Setting the HttpOnly value to true, makes
        // this cookie accessible only to ASP.NET.

        myHttpOnlyCookie.HttpOnly = true;
        myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
        Response.AppendCookie(myHttpOnlyCookie);

        // Show the name of the HttpOnly cookie.
        Response.Write(myHttpOnlyCookie.Name);
    }
</script>


<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
function getCookie(NameOfCookie)
{
    if (document.cookie.length > 0) 
{ 
    begin = document.cookie.indexOf(NameOfCookie+"="); 
    if (begin != -1)
   { 
    begin += NameOfCookie.length+1; 
      end = document.cookie.indexOf(";", begin);
      if (end == -1) end = document.cookie.length;
      return unescape(document.cookie.substring(begin, end));       
      } 
  }
return null;  
}
</script>

<script type="text/javascript">

    // This code returns the cookie name.
    alert("Getting HTTP Cookie");
    alert(getCookie("MyHttpCookie"));

    // Because the cookie is set to HttpOnly,
    // this returns null.
    alert("Getting HTTP Only Cookie");
    alert(getCookie("MyHttpOnlyCookie"));

</script> 


</body>
</html>
<%@ Page Language="VB" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

  Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs)
    
    ' Create a new HttpCookie.
    Dim myHttpCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())

    ' By default, the HttpOnly property is set to false 
    ' unless specified otherwise in configuration.

    myHttpCookie.Name = "MyHttpCookie"
    Response.AppendCookie(myHttpCookie)

    ' Show the name of the cookie.
    Response.Write(myHttpCookie.Name)

    ' Create an HttpOnly cookie.
    Dim myHttpOnlyCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())

    ' Setting the HttpOnly value to true, makes
    ' this cookie accessible only to ASP.NET.

    myHttpOnlyCookie.HttpOnly = True
    myHttpOnlyCookie.Name = "MyHttpOnlyCookie"
    Response.AppendCookie(myHttpOnlyCookie)

    ' Show the name of the HttpOnly cookie.
    Response.Write(myHttpOnlyCookie.Name)

  End Sub
  
</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
function getCookie(NameOfCookie)
{
  if (document.cookie.length > 0) 
  { 
    begin = document.cookie.indexOf(NameOfCookie+"="); 
    if (begin != -1)
    { 
    begin += NameOfCookie.length+1; 
      end = document.cookie.indexOf(";", begin);
      if (end == -1) end = document.cookie.length;
      return unescape(document.cookie.substring(begin, end));       
    } 
  }
  return null;  
}
</script>

<script type="text/javascript">

// This code returns the cookie name.
alert("Getting HTTP Cookie");
alert(getCookie("MyHttpCookie"));

// Because the cookie is set to HttpOnly,
// this returns null.
alert("Getting HTTP Only Cookie");
alert(getCookie("MyHttpOnlyCookie"));

</script> 

</body>
</html>

注解

Microsoft Internet Explorer 版本 6 Service Pack 1 和更高版本支持 cookie 属性HttpOnly,这有助于缓解导致盗用 cookie 的跨站点脚本威胁。Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. 被盗的 cookie 可以包含将用户标识到站点的敏感信息,例如 ASP.NET 会话 ID 或 forms 身份验证票证,攻击者可能会重播这些信息来伪装为用户或获取敏感信息。Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. 当兼容的浏览器收到cookie时,客户端脚本将无法访问该cookie。HttpOnlyWhen an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

注意

将属性设置为true不会阻止访问网络通道的攻击者直接访问 cookie。 HttpOnlySetting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. 请考虑使用安全套接字层(SSL)来帮助防范这种情况。Consider using Secure Sockets Layer (SSL) to help protect against this. 工作站安全也很重要,因为恶意用户可以使用打开的浏览器窗口或包含持久 cookie 的计算机,以获取对具有合法用户身份的网站的访问权限。Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site with a legitimate user's identity.

有关可能的攻击以及此属性如何帮助缓解这些攻击的详细信息,请参阅用仅限 HTTP 的 Cookie 缓解跨站点脚本For more information on possible attacks and how this property can help mitigate them, see Mitigating Cross-site Scripting With HTTP-only Cookies.

适用于