我有一个需要在 Javascript 中读取的 cookie,因此我需要从中删除 cookie 的 httponly 部分。
这是我需要修改的 cookie:
Set-Cookie: wordpress_c3d46b752402579c18e981091b8c940c=admin%7C1463963639%7CWsIehTVJh4%7C7ee6e8117b6b; expires=Mon, 23-May-2016 12:33:59 GMT; Max-Age=1252800; path=/wp-content/plugins; domain=.example.org; HttpOnly
我只需要删除 cookie 末尾的 HttpOnly 字符串
附言:我知道我在这里引入了一个潜在的安全问题。
答案1
有一些 Nginx Lua 模块和代码片段可以做到这一点,例如:
https://github.com/cloudflare/lua-resty-cookie
首先抓取 cookie:
syntax: cookie_val, err = cookie_obj:get(cookie_name)
然后您可以将其设置为 httponly false:
syntax: ok, err = cookie_obj:set({
key = "Name",
value = "Bob",
path = "/",
domain = "example.com",
secure = true, httponly = false,
expires = "Wed, 09 Jun 2021 10:18:14 GMT",
max_age = 50,
extension = "a4334aebaec"
})
答案2
使用 Lua 可以实现这一点:
nginx.conf:
location /foo {
internal;
#Do normal stuff that you will do in this location
}
location /bar {
content_by_lua_block {
response = ngx.location.capture("/foo")
for cookieName, cookie in pairs(response.header["Set-Cookie"]) do
#Modify cookie as needed
end
}
}