在java web应用程序中添加用于设置cookie的httponly和secure标志
在java web应用程序中添加用于设置cookie的httponly和secure标志
提问于 2015-12-28 15:31:50
我想为Cookie添加httponly和secure标志。为了实现它,我使用了在web.xml中配置的Filters。
添加标志的代码如下:
package com.crisil.dbconn;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.filters.SecurityWrapperResponse;
public class ClickjackFilter implements Filter
{
private String mode = "DENY";
/**
* Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
* decide to implement) not to display this content in a frame. For details, please
* refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse)response;
//HttpServletRequest req = (HttpServletRequest)request.getSession();
res.addHeader("X-FRAME-OPTIONS", mode );
res.addHeader("X-Content-Type-OPTIONS", "nosniff" );
res.addHeader("X-XSS-Protection", "1; mode=block" );
res.addHeader("Vary", "*" );
res.addHeader("Expires", "-1" );
res.addHeader("Pragma", "no-cache" );
res.addHeader("Cache-control", "no-cache, no-store,max-age=0, must-revalidate" );
String contextPath = ((HttpServletRequest) request).getContextPath()+"kevalcccc";
((HttpServletResponse)ServletActionContext.getResponse()).setHeader("SET-COOKIE", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path="+contextPath+";Secure;HttpOnly");
// touch the session
// ((HttpServletRequest) request).getSessison();
// System.out.println("zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz");
// overwriting the cookie with Secure attribute set
// ((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");
////////////
/* Cookie[] cookies = ((HttpServletRequest) request).getCookies();
if (cookies != null)
for (int i = 0; i < cookies.length; i++) {
cookies[i].setValue("");
cookies[i].setPath("/");
cookies[i].setMaxAge(0);
cookies[i].setSecure(true);
res.addCookie(cookies[i]);
}
*/
//////////////
String sessionid = ((HttpServletRequest) request).getSession().getId();
((HttpServletResponse) response).setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
chain.doFilter(request, response);
}
public void destroy() {
}
public void init(FilterConfig filterConfig) {
String configMode = filterConfig.getInitParameter("mode");
if ( configMode != null ) {
mode = configMode;
}
}
}上面的代码为JSESSIONID cookie添加了httponly和secure标志。然而,在响应头中,我得到了两个cookie。第二个没有设置httponly和secure标志。请参考以下输出:
JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162!1451244054765;HttpOnly;
安全
JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162;路径=/“
为什么没有为第二个cookie添加httponly和secure标志?
回答 2
Stack Overflow用户
发布于 2015-12-28 16:42:08
设置JSESSIONID是运行web应用程序的任何servlet容器的责任。从过滤器中删除setHeader,然后通过在web.xml中添加以下内容来正确配置web应用程序
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>Stack Overflow用户
发布于 2015-12-28 18:41:53
如果你的self服务器不支持它,你必须自己去做。
一个好的答案可以在:How do you configure HttpOnly cookies in tomcat / java webapps?找到。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/34489406
复制相关文章
相似问题
腾讯云开发者
