HttpCookie.HttpOnly Property

Definition

Gets or sets a value that specifies whether a cookie is accessible by client-side script.

public:
 property bool HttpOnly { bool get(); void set(bool value); };
public bool HttpOnly { get; set; }
member this.HttpOnly : bool with get, set
Public Property HttpOnly As Boolean

Property Value

true if the cookie carries the HttpOnly attribute and therefore cannot be read through client-side script; otherwise, false. The default is false.

Example

The following code example writes one ordinary cookie and one HttpOnly cookie, then shows from client-side ECMAScript that the ordinary cookie is readable through document.cookie while the HttpOnly cookie is not. The page is shown first in C# and then in Visual Basic.

C#

<%@ Page Language="C#" %>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        // Create a new HttpCookie.
        HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // By default HttpOnly is false, unless the httpOnlyCookies attribute
        // of the <httpCookies> element in Web.config changes the default.

        myHttpCookie.Name = "MyHttpCookie";
        Response.AppendCookie(myHttpCookie);

        // Show the name of the cookie.
        Response.Write(myHttpCookie.Name);

        // Create an HttpOnly cookie.
        HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // Setting HttpOnly to true tells a compliant browser to keep this
        // cookie out of document.cookie. The browser still sends it back
        // to ASP.NET in the Cookie header of every matching request.

        myHttpOnlyCookie.HttpOnly = true;
        myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
        Response.AppendCookie(myHttpOnlyCookie);

        // Show the name of the HttpOnly cookie.
        Response.Write(myHttpOnlyCookie.Name);
    }
</script>


<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
// Return the value of the named cookie from document.cookie, or null
// when the browser does not expose that cookie to script.
function getCookie(NameOfCookie)
{
    if (document.cookie.length > 0)
    {
        var begin = document.cookie.indexOf(NameOfCookie + "=");
        if (begin != -1)
        {
            begin += NameOfCookie.length + 1;
            var end = document.cookie.indexOf(";", begin);
            if (end == -1) end = document.cookie.length;
            return unescape(document.cookie.substring(begin, end));
        }
    }
    return null;
}
</script>

<script type="text/javascript">

    // The ordinary cookie is visible to script, so this shows its value.
    alert("Getting HTTP Cookie");
    alert(getCookie("MyHttpCookie"));

    // A compliant browser omits the HttpOnly cookie from document.cookie,
    // so this shows null.
    alert("Getting HTTP Only Cookie");
    alert(getCookie("MyHttpOnlyCookie"));

</script>


</body>
</html>

VB

<%@ Page Language="VB" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

  Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs)
    
    ' Create a new HttpCookie.
    Dim myHttpCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())

    ' By default HttpOnly is False, unless the httpOnlyCookies attribute
    ' of the <httpCookies> element in Web.config changes the default.

    myHttpCookie.Name = "MyHttpCookie"
    Response.AppendCookie(myHttpCookie)

    ' Show the name of the cookie.
    Response.Write(myHttpCookie.Name)

    ' Create an HttpOnly cookie.
    Dim myHttpOnlyCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())

    ' Setting HttpOnly to True tells a compliant browser to keep this
    ' cookie out of document.cookie. The browser still sends it back
    ' to ASP.NET in the Cookie header of every matching request.

    myHttpOnlyCookie.HttpOnly = True
    myHttpOnlyCookie.Name = "MyHttpOnlyCookie"
    Response.AppendCookie(myHttpOnlyCookie)

    ' Show the name of the HttpOnly cookie.
    Response.Write(myHttpOnlyCookie.Name)

  End Sub
  
</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
// Return the value of the named cookie from document.cookie, or null
// when the browser does not expose that cookie to script.
function getCookie(NameOfCookie)
{
    if (document.cookie.length > 0)
    {
        var begin = document.cookie.indexOf(NameOfCookie + "=");
        if (begin != -1)
        {
            begin += NameOfCookie.length + 1;
            var end = document.cookie.indexOf(";", begin);
            if (end == -1) end = document.cookie.length;
            return unescape(document.cookie.substring(begin, end));
        }
    }
    return null;
}
</script>

<script type="text/javascript">

// The ordinary cookie is visible to script, so this shows its value.
alert("Getting HTTP Cookie");
alert(getCookie("MyHttpCookie"));

// A compliant browser omits the HttpOnly cookie from document.cookie,
// so this shows null.
alert("Getting HTTP Only Cookie");
alert(getCookie("MyHttpOnlyCookie"));

</script>

</body>
</html>

Remarks

Microsoft Internet Explorer 6 Service Pack 1 and later support the HttpOnly cookie attribute, which helps mitigate cross-site scripting (XSS) attacks whose goal is to steal cookies. A stolen cookie can contain data that identifies the user to the site, such as the ASP.NET session ID or the forms authentication ticket, and the attacker can replay it to masquerade as that user or to obtain sensitive information. When a compliant browser receives a cookie marked HttpOnly, it excludes that cookie from document.cookie and from any other client-side script access, while still sending it back to the server on subsequent requests.

Warning

Setting HttpOnly to true does not protect the cookie from an attacker who can observe the network channel: the cookie is still transmitted in the Cookie header of every matching request, and HttpOnly says nothing about how it travels. Serve the site over HTTPS (SSL/TLS) and set the cookie's Secure property (HttpCookie.Secure) so that the browser sends it only over encrypted connections. Workstation security also matters, because a malicious user with access to an open browser window, or to a computer holding persistent cookies, can use them to reach the site under the legitimate user's identity.

For more information on possible attacks and how this property can help mitigate them, see Mitigating Cross-site Scripting With HTTP-only Cookies.
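The following Python script is an added example, not code from the HttpCookie documentation or from ASP.NET. It models the two browser behaviours the remarks and the warning describe: a cookie marked HttpOnly is left out of document.cookie but still goes out in the Cookie request header, and only the Secure attribute keeps a cookie off plaintext HTTP. It also audits a batch of Set-Cookie headers for sensitive cookies that lack either flag. The class and function names are this example's own, and the sample headers are constructed; ASP.NET_SessionId and .ASPXAUTH are the default names of the ASP.NET session-state and forms-authentication cookies.

```python
"""Model of how a compliant browser treats the HttpOnly and Secure
attributes of Set-Cookie, plus a small audit over captured headers.

Added example; not code from the HttpCookie documentation. BrowserCookieJar
and audit_set_cookie_headers are this example's own names, and the sample
headers at the bottom are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False
    secure: bool = False
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse the value of one Set-Cookie header into a Cookie.

    Attribute names are case-insensitive; HttpOnly and Secure carry no value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
        elif key:
            cookie.attributes[key] = val.strip()
    return cookie


class BrowserCookieJar:
    """Minimal model of a compliant browser's cookie store for one site."""

    def __init__(self) -> None:
        self._cookies = {}

    def receive(self, set_cookie_header: str) -> None:
        cookie = parse_set_cookie(set_cookie_header)
        self._cookies[cookie.name] = cookie  # a later Set-Cookie replaces an earlier one

    def document_cookie(self) -> str:
        """What script sees in document.cookie: HttpOnly cookies are left out."""
        return "; ".join(f"{c.name}={c.value}"
                         for c in self._cookies.values() if not c.http_only)

    def cookie_header(self, https: bool) -> str:
        """What the browser sends in the Cookie request header.

        HttpOnly does not restrict this at all, which is why it gives no
        protection against an attacker on the network path; only Secure
        keeps a cookie off plaintext HTTP connections.
        """
        return "; ".join(f"{c.name}={c.value}"
                         for c in self._cookies.values() if https or not c.secure)


def audit_set_cookie_headers(headers, sensitive_names):
    """Report sensitive cookies that lack HttpOnly or Secure.

    Returns a list of (cookie name, finding) tuples in header order.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in sensitive_names:
            continue
        if not cookie.http_only:
            findings.append((cookie.name, "missing HttpOnly"))
        if not cookie.secure:
            findings.append((cookie.name, "missing Secure"))
    return findings


# Constructed sample responses, in the shape an ASP.NET application emits.
# ASP.NET_SessionId and .ASPXAUTH are the default session-state and
# forms-authentication cookie names.
SAMPLE_HEADERS = [
    "MyHttpCookie=2024-01-01 10:00:00; path=/",
    "MyHttpOnlyCookie=2024-01-01 10:00:00; path=/; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=ticketdata; path=/; secure; HttpOnly",
]
SENSITIVE = {"ASP.NET_SessionId", ".ASPXAUTH"}


def demo():
    jar = BrowserCookieJar()
    for header in SAMPLE_HEADERS:
        jar.receive(header)
    return {
        "document.cookie": jar.document_cookie(),
        "Cookie over https": jar.cookie_header(https=True),
        "Cookie over http": jar.cookie_header(https=False),
        "findings": audit_set_cookie_headers(SAMPLE_HEADERS, SENSITIVE),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running the script shows document.cookie containing only MyHttpCookie, the Cookie header over HTTPS carrying all four cookies (HttpOnly ones included), the Cookie header over plain HTTP dropping only .ASPXAUTH, and a single finding: the session cookie lacks Secure. Pointing audit_set_cookie_headers at headers captured from a real response is a quick way to confirm that the httpOnlyCookies and requireSSL settings in Web.config are actually reaching the browser.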

Applies to