Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
882 views
in Technique[技术] by (71.8m points)

web services - Logout with HttpOnly cookie

I can see that HttpOnly cookies are good for security, however they make logging out without server interaction impossible, right?1 So when the network fails, you can't log out and leave. I can imagine a workaround, but I'd like to ask first

  • does it make sense to handle this case
  • are there any standard solutions for this?

1 Assuming you're actually using them.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

If by logging out you mean removing the session cookie, then no, you cannot remove HttpOnly cookies from Javascript. It is, however, easy to set up two cookies, one HttpOnly and one insecure, such that only a combination of the two is a valid session key. Removing either cookie would destroy the session.

If your service is sensitive, it does make sense to handle all realistic threat scenarios, and this one is pretty realistic.

Setting up two cookies, one of which is HttpOnly, is actually common in the standard CSRF prevention technique. I have not seen it in your specific scenario but it very similar to the anti-CSRF case, and looks like an obvious and easy application of the general twoo-cookies idea.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...