为什么 document.cookie 不显示站点的所有 cookie?

我去了一个使用 vBulletin 3.8的论坛。当我登录时,我使用 firebug 来查看 Cookie 被设置了什么。我看到这些饼干:

_ _ utmb,_ _ utmc,_ _ utma,_ _ utmz,bbsessionhash,vbseo _ loggedin,bbpassword,bbuserid,bblastactivity,bblastaccess

它们都有一个值集,而且域是相同的。

但当我使用 JavaScript 查看它们时,它只看到这些 cookie:

_ _ utmb,_ _ utmc,_ _ utma,_ _ utmz,vbseo _ loggedin,bblastactivity,bblastaccess

在 firebug 中,我只看到实际设置的三个 cookie: bbsessionhash、 bbpassword 和 bbuserid。列中的 HTTPOnly。这意味着什么? 这就是为什么我无法在 JavaScript 中看到使用 document.cookie的 cookie 的原因吗?

61252 次浏览
小开
最佳答案

From http://en.wikipedia.org/wiki/HTTP_cookie:

Cookies are not directly visible to client-side programs such as JavaScript if they have been sent with the HttpOnly flag. From the point of view of the server, the only difference with respect of the normal case is that the set-cookie header line is added a new field containing the string `HttpOnly':

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly

When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts. The HttpOnly flag is not part of any standard, and is not implemented in all browsers.

Update from 2017: a lot of time had passed since 2009, and HttpOnly header flag is became a standard, defined in the section 5.2.6 of RFC6265, with the storage semantics described in the same document (look for "http-only-flag" throughout the RFC text).

There is no way to access anything about the HttpOnly cookies from "non-HTTP" APIs, e.g. JavaScript. By design, neither reading, nor writing such cookies is possible.


提交答案