php通过header设置cookie的安全

代码如下

 

 

define('COOKIES_PATH', '/');
define('COOKIES_EXPIRES',gmstrftime("%A, %d-%b-%Y %H:%M:%S GMT",time()+9600));

 

header("Set-Cookie:user[userid]=123;path =".COOKIES_PATH.";httpOnly;SameSite=Strict;expires=".COOKIES_EXPIRES.";",false);
header("Set-Cookie:user[username]=123;path =".COOKIES_PATH.";httpOnly;SameSite=Strict;expires=".COOKIES_EXPIRES.";",false);
header("Set-Cookie:user[password]=123;path =".COOKIES_PATH.";httpOnly;SameSite=Strict;expires=".COOKIES_EXPIRES.";",false);

 

 

header("Set-Cookie:admin[username]='';path =".COOKIES_PATH.";expires=".gmdate('D, d M Y H:i:s GMT', time()-1).";",false);
header("Set-Cookie:admin[password]='';path =".COOKIES_PATH.";expires=".gmdate('D, d M Y H:i:s GMT', time()-1).";",false);

 

可以通过设置httpOnly;和SameSite=Strict;对cookie进行禁止JS读取和禁止跨域读取.达到基础性的XSS和CSRF防护.