如何使用JavaScript删除当前域的所有cookie ?
如何使用JavaScript删除当前域的所有cookie ?
我试图理解CSRF的整个问题和适当的方法来防止它。(我已经阅读、理解并同意的资源:OWASP CSRF预防小抄,关于CSRF的问题)
As I understand it, the vulnerability around CSRF is introduced by the assumption that (from the webserver's point of view) a valid session cookie in an incoming HTTP request reflects the wishes of an authenticated user. But all cookies for the origin domain are magically attached to the request by the browser, so really all the server can infer from the presence of a valid session cookie in a request is that the request comes from a browser which has an authenticated session; it cannot further assume anything about the code running in that browser, or whether it really reflects user wishes. The way to prevent this is to include additional authentication information (the "CSRF token") in the request, carried by some means other than the browser's automatic cookie handling. Loosely speaking, then, the session cookie authenticates the user/browser and the CSRF token authenticates the code running in the browser.
因此,简而言之,如果你正在使用会话cookie来验证你的web应用程序的用户,你还应该在每个响应中添加一个CSRF令牌,并在每个(变异)请求中要求一个匹配的CSRF令牌。然后CSRF令牌进行从服务器到浏览器再到服务器的往返,向服务器证明发出请求的页面是由该服务器批准的(甚至是由该服务器生成的)。
关于我的问题,这是关于往返中用于CSRF令牌的特定传输方法。
这看起来很常见(例如在AngularJS, Django, Rails中),将CSRF令牌作为一个cookie从服务器发送到客户端(即在Set-Cookie报头中),然后让客户端Javascript从cookie中抓取它,并将其作为一个单独的XSRF-TOKEN报头发送回服务器。
(另一种方法是Express推荐的方法,其中服务器生成的CSRF令牌通过服务器端模板展开包含在响应体中,直接附加到将其提供给服务器的代码/标记上,例如作为隐藏的表单输入。这个例子是一种更接近web 1.0的做事方式,但可以推广到一个更偏重于js的客户端。)
Why is it so common to use Set-Cookie as the downstream transport for the CSRF token / why is this a good idea? I imagine the authors of all these frameworks considered their options carefully and didn't get this wrong. But at first glance, using cookies to work around what's essentially a design limitation on cookies seems daft. In fact, if you used cookies as the roundtrip transport (Set-Cookie: header downstream for the server to tell the browser the CSRF token, and Cookie: header upstream for the browser to return it to the server) you would reintroduce the vulnerability you are trying to fix.
I realize that the frameworks above don't use cookies for the whole roundtrip for the CSRF token; they use Set-Cookie downstream, then something else (e.g. a X-CSRF-Token header) upstream, and this does close off the vulnerability. But even using Set-Cookie as the downstream transport is potentially misleading and dangerous; the browser will now attach the CSRF token to every request including genuine malicious XSRF requests; at best that makes the request bigger than it needs to be and at worst some well-meaning but misguided piece of server code might actually try to use it, which would be really bad. And further, since the actual intended recipient of the CSRF token is client-side Javascript, that means this cookie can't be protected with http-only. So sending the CSRF token downstream in a Set-Cookie header seems pretty suboptimal to me.
我创建cookie的功能正确吗?如何删除程序开头的cookie ?有简单的编码吗?
function createCookie(name,value,days)
function setCookie(c_name,value,1) {
document.cookie = c_name + "=" +escape(value);
}
setCookie('cookie_name',mac);
function eraseCookie(c_name) {
createCookie(cookie_name,"",-1);
}
由于奇怪的域/子域cookie问题,我得到了,我想知道浏览器如何处理cookie。如果他们用不同的方式做这件事,知道其中的区别也会很好。
换句话说,当浏览器接收到一个cookie时,该cookie可能有一个域和一个路径附加到它。或者不是,在这种情况下,浏览器可能会用一些默认值代替它们。问题1:它们是什么?
稍后,当浏览器准备发出请求时,它会检查它的cookie并过滤掉应该为该请求发送的cookie。它通过将它们与请求路径和域进行匹配来做到这一点。问题2:匹配规则是什么? 补充道:
我问这个问题是因为我对一些边缘情况感兴趣。如:
用于。example.com的cookie可以用于www.example.com吗? example.com的cookie是否可用于example.com? example.com的cookie可以用于www.example.com吗? example.com的cookie是否可用于anotherexample.com? www.example.com可以为example.com设置cookie吗? www.example.com是否可以为www2.example.com设置cookie ? www.example.com是否可以为。com设置cookie ? 等。
补充2:
还有,谁能建议一下我应该如何设置cookie,以便:
可以通过www.example.com或example.com设置; 它可以通过www.example.com和example.com访问。
我在一台机器上运行两个HTTP服务。我只是想知道它们是否共享cookie,或者浏览器是否区分这两个服务器套接字。
我有一个getter从cookie中获取值。
现在我有了两个cookie,名字分别是shares=和obligation =。
我想让这个getter只从义务cookie中获取值。
我怎么做呢?因此for语句将数据拆分为单独的值,并将其放入数组中。
function getCookie1() {
// What do I have to add here to look only in the "obligations=" cookie?
// Because now it searches all the cookies.
var elements = document.cookie.split('=');
var obligations= elements[1].split('%');
for (var i = 0; i < obligations.length - 1; i++) {
var tmp = obligations[i].split('$');
addProduct1(tmp[0], tmp[1], tmp[2], tmp[3]);
}
}
我想我的网站有一个复选框,用户可以点击,这样他们就不必每次访问我的网站时登录。我知道我需要在他们的电脑上存储一个cookie来实现这个功能,但是这个cookie应该包含什么呢?
此外,是否有一些常见的错误需要注意,以防止这个cookie出现安全漏洞,而这可以在提供“记住我”功能的同时避免?
在RESTful API中使用会话真的违反了RESTful吗?我已经看到了许多意见,但我不相信会议是不安宁的。在我看来:
rest不禁止身份验证(否则在RESTful服务中几乎没有用处) 身份验证是通过在请求中发送一个身份验证令牌来完成的,通常是头 这个身份验证令牌需要以某种方式获得,并且可能会被撤销,在这种情况下需要更新 身份验证令牌需要由服务器验证(否则就不是身份验证)
那么会话是如何违背这一点的呢?
客户端,会话是使用cookie实现的 cookie只是一个额外的HTTP报头 会话cookie可以在任何时候获得和撤销 如果需要,会话cookie可以有无限的生存时间 会话id(身份验证令牌)在服务器端得到验证
As such, to the client, a session cookie is exactly the same as any other HTTP header based authentication mechanism, except that it uses the Cookie header instead of the Authorization or some other proprietary header. If there was no session attached to the cookie value server-side, why would that make a difference? The server side implementation does not need to concern the client as long as the server behaves RESTful. As such, cookies by themselves should not make an API RESTless, and sessions are simply cookies to the client.
我的假设错了吗?是什么使会话cookie不安分?
我有两个问题。我明白,如果我在cookie中指定域名为。example.com(带前导点),那么所有子域都可以共享一个cookie。
subdomain.example.com可以访问在example.com中创建的cookie(没有www子域)吗?
example.com(没有www子域)可以访问在subdomain.example.com中创建的cookie吗?
我试图根据我在HTML中选择的CSS文件设置一个cookie。我有一个选项列表的表单,和不同的CSS文件作为值。当我选择一个文件时,它应该保存到cookie中大约一周。下次打开HTML文件时,它应该是您之前选择的文件。
JavaScript代码:
function cssLayout() {
document.getElementById("css").href = this.value;
}
function setCookie(){
var date = new Date("Februari 10, 2013");
var dateString = date.toGMTString();
var cookieString = "Css=document.getElementById("css").href" + dateString;
document.cookie = cookieString;
}
function getCookie(){
alert(document.cookie);
}
HTML代码:
<form>
Select your css layout:<br>
<select id="myList">
<option value="style-1.css">CSS1</option>
<option value="style-2.css">CSS2</option>
<option value="style-3.css">CSS3</option>
<option value="style-4.css">CSS4</option>
</select>
</form>