Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Does https connection secure cookies and prevents XSS attacks. I have a simple blog that allows users to enter JavaScript code as an input. I want to allow Javascript input by the user while still preventing XSS attacks and cookie stealing. Does https help secure cookies. I only found few sites that talks about this and still a bit unclear.
HTTPS can prevent a man-in-the-middle attack, not XSS. Unfortunately the session cookie is not secure with this alone, one can request a page with HTTP and then the same cookie will be sent unprotected.
To ensure that the session cookie is sent only on HTTPS connections, you can use the function session_set_cookie_params() before starting the session:
Note the first
true, it means that the cookie will be sent only to HTTPS pages. The secondtruetells the browser, that JavaScript must not access the session cookie, it depends on the browser if that is done correctly.Another good way to make your site safer is, to use the session cookie only for maintaining the session, and using a second cookie to take care of the authentication. I can provide an example if you are interested.