问题
I am using Android's CookieManager to set a cookie in webview which acutally contains user id. I want to make this cookie secure to avoid any impersonation attacks. How can i make it as secure cookie since CookieManager supports only basic string key value pairs.
Also will the cookie be secure if the connection is through HTTPS Protocol ?
回答1:
Not sure what you are doing, but cookies are set at the server. Thus you cannot make it secure on your side only. If you want to make sure your cookie remains a secret, use HTTPS for all operations that involve that cookie, and have the server set the cookie 'secure' flag, so that it is only sent over HTTPS.
回答2:
You can also set cookie attributes while setting cookie
For example:
CookieManager.getInstance().setCookie(url,"USERID=ADADASD; secure ");.
来源:https://stackoverflow.com/questions/10270273/how-to-secure-a-cookie-in-android