我一直收到警报“没有HttpOnly Flag的Cookie设置”我查找了不同的来源,但似乎没有给我一个明确的答案。以下是我的代码:
<html>
<?php
session_set_cookie_params
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
header ("X-Frame-Options: DENY");
header('X-Content-Type-Options: nosniff');
?>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>User Authenticate </title>
</head>
<body>
<?php
// Retrieve Post Data
$username = $_POST["username"];
$email = $_POST["emailadd"];
// Set the session information
session_start();
$_SESSION['appusername'] = $username;
$_SESSION['appemail'] = $email;
$newusername = filter_var($username, FILTER_SANITIZE_STRING);
if (!filter_var($email, FILTER_VALIDATE_EMAIL) ===false) {
echo "<h3> Session Data </h3>";
echo "<table border='1'>";
echo "<tr>
<td>Username </td>
<td> Email </td>
</tr>";
echo "<tr>
<td>" . $_SESSION['appusername'] . "</td>";
echo "<td>" . $_SESSION['appemail']. "</td>";
echo "</tr>";
echo "</table>";
// Provide a button to logout
echo "<form name='logout' method='post' action='logout.php'>
<input name='btnsubmit' type='submit' value='Logout'>
</form>";
} else {
echo("$email is not a valid email address");
}
?>
</body>
</html>
我尝试添加“标题始终编辑Set-Cookie(。*)”$ 1; HTTPOnly“”但这只是使我的页面无法加载。我正在使用ZAP漏洞工具来查找网页上可能存在的漏洞。任何帮助将不胜感激。