问题
do you know of any way to get access to HttpOnly cookies using javascript. I know that the point of those cookies is that you won't be able to get them this way (for security reasons). But still, is there absolutely now way to achieve this? Hasn't some hacker around the world found a way to achieve this? I really need to get those cookies through javascript (not any other means). If you know how, it would be very helpful. Thank you.
回答1:
From javascript only the encrypted version of the HttpOnly-cookies are available, and since the key is generated uniquely for each computer, the cookies cannot be used (unless cracked) on other computers.
回答2:
No, if there were a way, it would be browser-specific, and probably be patched really soon. What you're looking for is a security hole, and won't last long once it's been discovered.
回答3:
Its possible through applet or npapi plugin
Request the server for a connection,it will response with httpOnly cookie
Pass it to JavaScript from applet
Its a security hole that's why chrome and Firefox going to stop npapi support
回答4:
I found a way to access an HTML-only cookie. Get the EditTThisCookie extension, then open the page you want. Click on the extension at the top (aka cookie) look for the cookie you want, click on it, then un-check the http only button, it is now accessible by document.cookie.
来源:https://stackoverflow.com/questions/11596485/get-httponly-cookies-with-javascript