Asked by duncanb7 at 2024-08-17 10:31:15
Point: 500 Replies: 8 POST_ID: 828750 USER_ID: 11059
Topic: JavaScript; PHP Scripting Language; WordPress
Since WordPress sets all its cookies to httponly, I sought help from the following thread and got it done. And I can use the WordPress login process for my new theme's authority check when users are going to or logging in to my new theme:
http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28215476.html#a39417001
My questions are only 2:
1- If the user already has the authority right to access the WordPress login page and the cookie is stored in their browser, why is it still using httponly for their cookies? I thought there is no difference between httponly true or false because they are already given the auth right and the cookie to store in their browser. What benefit can we get from httponly for security? And I have seen in a Google search that httponly is leaky or of no use for security when logging into a page. Why?
2- I have seen a lot of websites using a periodic function or AJAX, for example, once per minute (1/per min), to refresh the current page in order to keep the current page's auth right, for example, wordpress/wp-admin/admin-ajax.php. Why? Is it needed?
Please advise
Duncan
Author: duncanb7 replied at 2024-08-18 10:24:09
I still don't understand httponly completely, but at least a bit better anyway, and thanks for your reminder.
New versions of browsers limit XSS attackers from getting the client cookie from client-side JavaScript.
Httponly is set only by the website server, with setcookie() setting the exact domain and path that are allowed to access the corresponding client cookie only.
I will open a new thread tomorrow for
"whether we can access a cookie at a different path within the same domain?"
I tried your example PHP script before; it ONLY allowed me to access the client (my desktop) cookie at the exact location which is specified in the path of the cookie, such as
domain: mysite.com
path: /wordpress/wp-admin/
Duncan
Expert: Ray Paseur replied at 2024-08-18 08:34:02
No @duncanb7, httponly does not have any effect on which sites can access your cookies. Browsers only return the cookies to the sites that set them, and only to the appropriate requests that address the path and subdomain. The httponly designation tells the browser that it is to provide the cookie in response to HTTP requests. That means the browser is not to provide the cookie to JavaScript.
The standard end-of-life of the PHP session is 24 minutes of inactivity.
For any future visitor who stumbles across this thread, please read the articles that are linked above instead of relying on the accepted answers!
Author: duncanb7 replied at 2024-08-17 23:15:32
Thanks for all of the replies, now I understand more.
Httponly true is important to limit an XSS attacker from getting my cookie information by JavaScript; for example, an attacker can send an email with a link to me, I am not careful and click the link from the email, in which there is JavaScript to do some command such as document.cookie, etc., to record all my information, and then do some decoding of my info to log into the website I logged in to before, if my cookie is set to httponly false.
So in other words, httponly true means that only the website which is your authority website, which can access your cookie with proven authority, is allowed; other sites are not allowed.
Duncan
Accepted Solution
Expert: Slick812 replied at 2024-08-17 21:45:24
300 points EXCELLENT
hello duncanb7, there are several things you should know about web cookies, learning what they are and how they are set up and handled in web browsers. The way you are asking your questions about web cookies may not get you an answer here that lets you know what you are wondering about.
Here is an informative page at WIKI about web cookies -
http://en.wikipedia.org/wiki/HTTP_cookie
some things to consider from that WIKI -
"Cookies were designed to be a reliable mechanism for websites to remember stateful information stored in a browser"
"Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not"
"HttpOnly cookie
The HttpOnly cookie is supported by most modern browsers. On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs like JavaScript. This restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS). This feature applies only to session-management cookies, and not other browser cookies."
"Secure cookie
A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping. This is different than a httpOnly cookie!"
= = = = = = = = = = = = = =
you ask -
"1- If the user already has the authority right to access the WordPress login page and the cookie is stored in their browser, why is it still using httponly for their cookies?"
This is an attempt at security, to keep a web page's JavaScript from getting and sending/using a "Session" or "Login" cookie; it is supposed to prevent JavaScript XSS (cross-site scripting), where some inserted script (from a user in a forum or blog comment posted from a page form) reads the session cookie and sends it to another server to use "improperly" to get into that account with the cookie credentials.
Here is a WIKI with info about this -
http://en.wikipedia.org/wiki/Cross-site_scripting
From that page -
"By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. "
- - - - - -
also ask -
"2- I have seen a lot of websites using a periodic function or AJAX, for example, once per minute (1/per min), to refresh the current page in order to keep the current page's auth right, for example, wordpress/wp-admin/admin-ajax.php. Why? Is it needed?"
Updating with Ajax may not have anything to do with the cookies, or security, or session time-outs. I do not know why the WordPress administration page gets an Ajax return every minute; it may just be updating the statistics about site hits or user posts, or changing information. But it can also make sure that your session does not "Time Out" if you are writing a new page and it takes more than 15 minutes of work. Some servers have session Time-Outs of 15 minutes from the last access of the PHP Session, others have it set to a different amount; even if the session cookie lasts a year, the Session data is GONE if there is no session access ON THE SERVER in 15 minutes (or the time set).
Some of the above information, like preventing the insertion of script in blog comments, should be dealt with in another question here, but I hope this gives you some information about cookies.
Why are you so concerned about the server-side httponly cookies? I do not see that it would be a problem in server-side PHP code.
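The scope rules Ray Paseur and Slick812 describe above (Domain and Path decide which requests carry a cookie, Secure restricts it to HTTPS, and HttpOnly only hides it from page JavaScript) as an added JavaScript model; this is not code from the thread or from WordPress, and the cookie names, host and paths are constructed samples.

```javascript
// Added example (not from the thread): a small model of the browser rules the answers describe.
// Cookie scope (Domain, Path, Secure) decides which cookies travel with an HTTP request;
// HttpOnly only decides whether page JavaScript can read them. Expiry, SameSite and
// cookie-prefix rules are deliberately left out of this model.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), hostOnly: true, // host-only unless Domain= is given
    path: '/', secure: false, httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; break;
      case 'path': cookie.path = v.startsWith('/') ? v : '/'; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      default: break; // Expires, Max-Age, SameSite are ignored in this model
    }
  }
  return cookie;
}

function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// RFC 6265 path-match: exact, or the cookie path is a prefix ending in "/" or at a "/" boundary
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Cookies in scope for a given URL; HttpOnly is irrelevant here, Secure requires https
function inScope(jar, url) {
  const u = new URL(url);
  return jar.filter((c) => domainMatches(c, u.hostname) && pathMatches(c.path, u.pathname)
    && (!c.secure || u.protocol === 'https:'));
}

// What the browser sends in the Cookie header of a request to `url`
function cookieHeader(jar, url) {
  return inScope(jar, url).map((c) => `${c.name}=${c.value}`).join('; ');
}

// What document.cookie returns on a page at `url`: same scope, minus HttpOnly cookies
function documentCookie(jar, url) {
  return inScope(jar, url).filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed sample jar (names only loosely modelled on WordPress), as set by https://mysite.com
const jar = [
  'wp_auth=duncan%7Ctoken; Path=/wordpress/wp-admin/; Secure; HttpOnly',
  'wp-settings-time-1=1700000000; Path=/wordpress/',
].map((h) => parseSetCookie(h, 'mysite.com'));
```

An injected script on any page of mysite.com sees only the second cookie through document.cookie, while a request to /wordpress/wp-admin/ over HTTPS still carries both.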
Assisted Solution
Expert: Ray Paseur replied at 2024-08-17 11:54:14
100 points EXCELLENT
Please see http://php.net/manual/en/function.setcookie.php which seems to dispute the claim in this post.
"httponly = true means this cookie cannot be used on a secure site (one beginning with "https://")."
I read this differently. HTTP-Only cookies can be used on HTTPS. They are not supposed to be returned to JavaScript, but that is a decision of the browser and may not be 100% implemented, especially if the client is using a rogue browser.
"Secure indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"])."
"HttpOnly: when TRUE, the cookie will be made accessible only through the HTTP protocol*. This means that the cookie won't be accessible by scripting languages, such as JavaScript. It has been suggested that this setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers), but that claim is often disputed. Added in PHP 5.2.0. TRUE or FALSE"
* The HTTP protocol includes HTTPS.
With respect to PHP sessions, this article may be helpful.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
If you have questions about how HTTP Client / Server protocols work in practice, this article should explain many of the important details.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html
HTH, ~Ray
Expert: COANetwork replied at 2024-08-17 11:03:41
A session cookie is a special cookie - it keeps track of the current session as it relates to the current browser instance. It is sent to the server each time there is a request so that the server knows which session the browser instance belongs to. It is the only thing a session cookie is used for, and it's not better or worse than any other cookie - it is just different and highly specialized. You don't really have any control over it (and you don't really need any).
Session timeout is a server-side setting (since the session lives on your server). Cookie expiration is a client-side setting (since the cookie lives in your client browser). Don't confuse the two. A refresh is needed to keep a server session alive, and that session is not aware of any of your cookies or their attributes (including the session cookie) until and unless you actually post that info to the server. As soon as a server responds to your request, it immediately forgets you exist, until you post again.
Author: duncanb7 replied at 2024-08-17 10:57:59
For the reply to question 2, why don't they set a cookie with a lifetime instead of refreshing the session? Is it related to a security issue, and is a session cookie better than a traditional cookie?
Assisted Solution
Expert: COANetwork replied at 2024-08-17 10:54:41
100 points EXCELLENT
1) httponly = true means this cookie cannot be used on a secure site (one beginning with "https://"). This prevents a malicious user from falsifying login info and setting it in a cookie, for example, but that implies that you have your login page secured. Just an example; there could be various reasons why you want to disallow cookies in HTTPS.
2) Refreshing a page keeps the session alive. If the application stores information in session variables, then the session timing out would lose that info. Usually pages have some question to the user built into the refresh, like "you have been inactive for a while, do you want to stay logged in?" If the user answers yes, the page refreshes. If they answer no (or do not answer within some specified period of time), they are logged out and the session is abandoned. The session timeout value is specified at the server level. It can be specified per-server or per-web application (website).
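The distinction COANetwork's two posts and Slick812's 15-minute remark draw above (the server forgets an idle session no matter how long the cookie lives, so periodic requests are what keep it alive) as an added JavaScript simulation; this is not code from the thread, the session id and user are constructed, and the 24-minute inactivity limit is Ray Paseur's figure from above.

```javascript
// Added example (not from the thread): a tiny server-side session store that expires
// sessions after a period of inactivity, independent of the cookie's lifetime on the client.
// Time is passed in as seconds so the behaviour is deterministic; all values are constructed.

const INACTIVITY_LIMIT = 24 * 60; // 24 minutes, the figure quoted in the thread

class SessionStore {
  constructor() { this.sessions = new Map(); }

  // Called at login: create server-side state keyed by the id the session cookie will carry
  create(id, data, now) {
    this.sessions.set(id, { data, lastAccess: now });
  }

  // Called on every request that presents the session cookie. Returns the session data,
  // or null once the server has discarded it, even if the cookie itself is still valid.
  touch(id, now) {
    const s = this.sessions.get(id);
    if (!s) return null;
    if (now - s.lastAccess > INACTIVITY_LIMIT) { this.sessions.delete(id); return null; }
    s.lastAccess = now;
    return s.data;
  }
}

// Client side: the cookie is valid until its Max-Age runs out, whatever the server thinks
function cookieStillValid(cookie, now) { return now < cookie.setAt + cookie.maxAge; }

// Simulate a user who logs in at t=0, is idle for `idleSeconds` (optionally with a keep-alive
// request every `pingEvery` seconds, 0 = none), then makes a real request.
function simulate(idleSeconds, pingEvery) {
  const store = new SessionStore();
  const cookie = { name: 'PHPSESSID', value: 'sid-constructed', setAt: 0, maxAge: 365 * 24 * 3600 };
  store.create(cookie.value, { user: 'duncan' }, 0);
  if (pingEvery > 0) {
    for (let t = pingEvery; t < idleSeconds; t += pingEvery) store.touch(cookie.value, t);
  }
  return {
    cookieValid: cookieStillValid(cookie, idleSeconds),
    loggedIn: store.touch(cookie.value, idleSeconds) !== null,
  };
}
```

With a one-year cookie and 30 idle minutes the cookie is still valid but the server session is gone; a once-a-minute ping, like the admin-ajax.php calls in the question, keeps it alive.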