Problem description
- Cookie vulnerability, could an expert please take a look
Vulnerabilities:
- "Cookie set insecurely: "
- "Secure cookie set outside a page served via SSL: "
- "Found a persistent cookie: "
- "Cookies that could be cached at proxies: "
- "Cookie does not have HTTP-Only attribute: "
Remediation
Insecure Cookies: For security of sensitive information, cookies must be marked as secure and only be transmitted if the communications channel with the host is a secure one. Servers should use SSL in this case.
HTTPOnly Cookies: To avoid access and manipulation of cookies in the script, the HTTPOnly attribute should be set for the cookie.
Cacheable Cookies: If the cookie is intended for use by a single user (for private documents), the Set-Cookie header should not be cached. To suppress caching of the Set-Cookie header, the origin server should send a Cache-control: no-cache="set-cookie" response header.
Persistent Cookies: A cookie which is used to store session-id information should not be persistent; the expires or max-age attribute for the cookie should be set accordingly, so that the cookie information is valid only for the session.
Solution
This was probably reported by a security product's scan.
- The cookie was set without going through an SSL secure channel; in other words, the web server should set the cookie over HTTPS.
- The cookie is set as permanent; the web server should enable the HTTP-Only attribute on the cookie, which prevents it from being exploited.
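As an added example (not part of the question, the answer, or any scanner product), the following Python code shows how the five findings quoted in the question map onto concrete Set-Cookie and Cache-Control attributes, and what a hardened session cookie looks like next to a weak one. The finding strings mirror the scanner output quoted above; the audit logic, the sample headers, the cookie name `SESSIONID`, and the assumption that `no-store` or `private` also stop a shared cache from storing the Set-Cookie header are my own constructions.

```python
"""Audit HTTP response headers for the cookie findings listed in the question,
and build a session cookie that passes the audit. Added example; all sample
header values below are constructed, not captured from a real server."""

from typing import Dict, List, Optional, Tuple

# Finding labels copied from the scanner output quoted in the question.
INSECURE = "Cookie set insecurely"
SECURE_OUTSIDE_TLS = "Secure cookie set outside a page served via SSL"
PERSISTENT = "Found a persistent cookie"
CACHEABLE = "Cookies that could be cached at proxies"
NO_HTTPONLY = "Cookie does not have HTTP-Only attribute"


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; bare flags such as Secure map to None."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str, served_over_tls: bool) -> List[str]:
    """Return the per-cookie findings for a single Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header_value)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(INSECURE)            # would be sent over plain HTTP
    elif not served_over_tls:
        findings.append(SECURE_OUTSIDE_TLS)  # Secure flag on a non-TLS response
    if "expires" in attrs or "max-age" in attrs:
        findings.append(PERSISTENT)          # survives browser close, lands on disk
    if "httponly" not in attrs:
        findings.append(NO_HTTPONLY)         # readable by page scripts
    return findings


def audit_response(headers: Dict[str, List[str]], served_over_tls: bool) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response plus its Cache-Control header.
    `headers` maps a header name (any case) to the list of its values."""
    lowered = {k.lower(): v for k, v in headers.items()}
    results: Dict[str, List[str]] = {}
    for raw in lowered.get("set-cookie", []):
        name, _, _ = parse_set_cookie(raw)
        results[name] = audit_set_cookie(raw, served_over_tls)
    if results:
        cache_control = ",".join(lowered.get("cache-control", [])).lower().replace(" ", "")
        # Assumption: any of these directives keeps a shared cache from storing
        # the Set-Cookie header; the question's remediation names the first one.
        suppressed = any(d in cache_control for d in ('no-cache="set-cookie"', "no-store", "private"))
        if not suppressed:
            for name in results:
                results[name].append(CACHEABLE)
    return results


def build_session_cookie(name: str, value: str, samesite: str = "Lax") -> str:
    """Hardened session cookie: Secure + HttpOnly, and no Expires/Max-Age so it
    is discarded with the browser session (SameSite is an extra, not in the scan)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={samesite}"


# Constructed sample responses: one that trips every finding, one that passes.
WEAK_HEADERS = {
    "Set-Cookie": ["SESSIONID=constructed-value; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"],
    "Cache-Control": ["public, max-age=3600"],
}
HARDENED_HEADERS = {
    "Set-Cookie": [build_session_cookie("SESSIONID", "constructed-value")],
    "Cache-Control": ['no-cache="set-cookie", private'],
}

if __name__ == "__main__":
    print("weak    :", audit_response(WEAK_HEADERS, served_over_tls=True))
    print("hardened:", audit_response(HARDENED_HEADERS, served_over_tls=True))
```

Note that the answer's second bullet bundles two separate findings: the "persistent cookie" finding is cleared by dropping Expires/Max-Age, while the HTTP-Only finding is cleared by adding the HttpOnly flag; the audit above reports them independently so each fix can be verified on its own.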