Any idea how to set up the cookie parameter 'HttpOnly' using Angular?

Question


I was trying to set parameters of the cookie using Angular. I am able to set the expiration date and the secure parameter, but I am not able to set the HttpOnly parameter.
I have set 'Expires' and 'Secure' using the Angular cookie service, i.e. "cookie.service.d.ts", using the method below:

```typescript
set(name: string, value: string, expires?: number | Date, path?: string, domain?: string, secure?: boolean, sameSite?: 'Lax' | 'Strict'): void;
```

I could not find how to set the HttpOnly parameter because the Angular cookie service does not contain such a parameter.
Is there any best way to set the HttpOnly parameter?

PFA.


Answer 1

Score: 15


The HttpOnly flag on a cookie implies that it can be set and accessed by the server side only. Client code will not have access to such cookies. Hence you will not be able to set this flag from client-side code like Angular.

This is a security feature to prevent client-side code (malicious code injected through XSS) from reading sensitive information stored in cookies.

Refer to this issue and this answer for more info.

Also, below is the text snippet from MDN:

> Cookies created via JavaScript cannot include the HttpOnly flag.

Answer 2

Score: 2


HttpOnly cookies are not accessible from the client side, meaning you will not be able to read or set them.

You can use a regular cookie to store an authorization token like a JWT, which you can generate from the backend.

Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template binding, or interpolation, Angular sanitizes and escapes untrusted values.
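The server-side counterpart both answers point to, as an added example that is not from the original post or from the Angular cookie service: a Node-style backend issues the JWT in a Set-Cookie response header carrying HttpOnly (plus Secure and SameSite), and later reads it back from the Cookie request header; the browser attaches the cookie to requests by itself, so the Angular code never touches it. The response object shape, helper names and token values are assumptions constructed for this example.

```javascript
// Added example: HttpOnly can only be set in an HTTP response, so the backend
// builds the Set-Cookie header itself. Response object and tokens are constructed.

const COOKIE_NAME = 'access_token';

// Reject names/values that could smuggle extra attributes or header lines into
// the Set-Cookie line (RFC 6265 forbids whitespace, ; , " \ and control chars).
function assertCookieToken(s, what) {
  if (typeof s !== 'string' || s.length === 0 || /[\s;,"\\\x00-\x1f\x7f]/.test(s)) {
    throw new Error(`invalid cookie ${what}`);
  }
}

// Build one Set-Cookie header value. HttpOnly and Secure are always present;
// SameSite defaults to Strict and Max-Age bounds the session lifetime.
function buildSetCookie(name, value, { maxAgeSeconds = 900, path = '/', sameSite = 'Strict' } = {}) {
  assertCookieToken(name, 'name');
  assertCookieToken(value, 'value');
  assertCookieToken(path, 'path');
  if (name.includes('=')) throw new Error('invalid cookie name');
  if (!['Strict', 'Lax'].includes(sameSite)) throw new Error('SameSite must be Strict or Lax');
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) throw new Error('maxAgeSeconds must be > 0');
  return `${name}=${value}; Path=${path}; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Login handler step: after issuing the JWT, hand it to the browser as an
// HttpOnly cookie. `res` only needs a Node-style setHeader(name, value).
function setAuthCookie(res, jwt) {
  res.setHeader('Set-Cookie', buildSetCookie(COOKIE_NAME, jwt));
}

// On a later request the backend reads the token back from the Cookie header;
// the client sent it automatically (Angular: HttpClient with withCredentials).
function readAuthCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const pair of cookieHeader.split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    if (pair.slice(0, idx).trim() === COOKIE_NAME) return pair.slice(idx + 1).trim();
  }
  return null;
}
```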

huangapple
  • Posted on 2020-01-06 19:08:02
  • Please keep the link to this article when reposting: https://go.coder-hub.com/59611002.html