问题描述

Cookie漏洞，求大神帮忙看下

Vulnerabilities:

"Cookie set insecurely: "

"Secure cookie set outside a page served via SSL: "

"Found a persistent cookie: "

"Cookies that could be cached at proxies: "

"Cookie does not have HTTP-Only attribute: "
Remediation

Insecure Cookies: For security of sensitive information, cookies must be marked as secure and only be transmitted if the communications channel with the host is a secure one. Servers should use SSL in this case.

HTTPOnly Cookies: To avoid access and manipulation of cookies in the script, the HTTPOnly attribute should be set for the cookie.

Cacheable Cookies: If the cookie is intended for use by a single user(for private documents), the Set-cookie header should not be cached. To suppress caching of the Set-Cookie header, the origin server should send Cache-control: no-cache="set-cookie" response header.

Persistent Cookies: Cookie which is used to store session-id information should not be persistent; expires or max age attribute for the cookie should be set accordingly, so that cookie information is valid only for the session.

解决方案

这应该是安全产品扫描出来的吧

1. cookie设置的时候没有通过SSL安全通道，等于是应该网站服务器用HTTPS方式设置cookie
2. cookie设置成永久了，应该网站服务器对cookie打开HTTP-Only的属性，这样可以防止被人利用。