Tuesday, 17 March 2015

Securing cookies from being accessed by JavaScript

Hi newbie guys, today I will show you how to secure cookies from being accessed by JavaScript. Website cookies are accessible from JavaScript by default, hence they can be stolen through an XSS attack.

Look, if I type document.cookie in the browser console I get the current cookies and their values:

(screenshot: non-secure cookies listed in the console)

If you want to secure your cookies from being accessed by JavaScript you can use the HttpOnly flag.

If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script-accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft or modification by malicious script.
Now, here is the code:

java

Cookie cookie = getMyCookie("myCookieName"); // getMyCookie is a placeholder for your own lookup of a javax.servlet.http.Cookie
cookie.setHttpOnly(true);                    // available since Servlet 3.0; must be set before the response is sent
response.addCookie(cookie);                  // response is the HttpServletResponse being built

Web.config (.NET)

This one has the advantage that it is applied to all site cookies, not just the one explicitly set:


<system.web>
    <httpCookies httpOnlyCookies="true"/>
</system.web>

c#


HttpCookie cookie = new HttpCookie(key, value); // System.Web.HttpCookie
cookie.HttpOnly = true;                         // set the flag before the cookie is added to the response
Response.Cookies.Add(cookie);

Now our cookies are safer.
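As an added example (not code from the original post), here is a small Python checker that parses Set-Cookie response headers, reports which cookies lack the HttpOnly flag, and lists the ones a page script could still read through document.cookie. The header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the HttpOnly flag.
# The sample headers below are constructed, not captured from a real site.

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flags without a value map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def is_http_only(header):
    """True when the cookie set by this header carries the HttpOnly flag."""
    _, _, attrs = parse_set_cookie(header)
    return "httponly" in attrs


def script_visible(headers):
    """Names of cookies that document.cookie would expose to page scripts.

    Browsers that honour HttpOnly hide those cookies from client-side script;
    every other cookie stays readable, and therefore stealable by XSS.
    """
    return [parse_set_cookie(h)[0] for h in headers if not is_http_only(h)]


def audit(headers):
    """Map each cookie name to 'ok' or 'missing HttpOnly'."""
    return {parse_set_cookie(h)[0]: ("ok" if is_http_only(h) else "missing HttpOnly")
            for h in headers}


# Constructed sample responses: a Java-style and a .NET-style session cookie
# plus a harmless preference cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=3F1A9C; Path=/; HttpOnly",
    "ASP.NET_SessionId=k2d8x; Path=/",
    "theme=dark; Path=/; Max-Age=2592000",
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {result}")
    print("readable via document.cookie:", script_visible(SAMPLE_HEADERS))
```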



I hope this helps you.
