How to set response headers in IBM HTTP Server

Time: 2014-10-16 12:27:54

Tags: java http cookies httponly

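I want to set response headers on my application's web server side to make my cookies "httponly" and "secure".

Can someone guide me on how to achieve this? If we make these changes, will there be any impact on the application running over HTTPS?

1 answer:

Answer 0: (score: 1)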

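IHS (Apache-based) httpd.conf

<Location /your-app>
    Order deny,allow
    Allow from all
    # Append HttpOnly and Secure to every Set-Cookie header sent for this
    # context root (the Header directive is provided by mod_headers).
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</Location>

where /your-app is the context root of the application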

WAS:

Servers > Server Types > WebSphere application servers > YOUR-APP > Web Container Settings > Web container: Custom Properties > New
Name: com.ibm.ws.webcontainer.HTTPOnlyCookies;
Value: JsessionID

Servers > Server Types > WebSphere application servers > YOUR-APP > Session management > Enable Cookies link. Requires use of SSL protocol.

Your application may have some problems (depending on how it was developed)

Example:

#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
<IfModule mod_status.c>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
# Add an "Allow from" directive to provide access to the server status page.
#
# Examples:
#
# 1. Allow any client with hostname *.example.com to view the page.
#
# Allow from .example.com
#
# 2. Allow the local machine to view the page using the loopback address.
#
# Allow from 127.0.0.1
#
# 3. Allow any machine on the local network to view the page.
#
# Allow from 192.168.1
</Location>
</IfModule>

...

##### NON-DEFAULT #####

<Location /xxx>
   Order deny,allow
   Allow from all
   # Append HttpOnly and Secure to every Set-Cookie header (needs mod_headers).
   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</Location>

<VirtualHost *:80>
</VirtualHost>

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
Listen 4469

<VirtualHost *:443 *:4469>
SSLEnable
Keyfile /root/keys/web1-key-db.kdb
SSLStashfile /root/keys/web1-key-db.sth
</VirtualHost>

#####/NON-DEFAULT #####

...
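
To check what the `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` rule does to each cookie, the following added example (not part of the original answer) models the rewrite in Python and audits the resulting `Set-Cookie` headers. The function names and the sample headers are constructed for illustration; in practice the input would be the response headers captured from your own server.

```python
import re

# Constructed sample: headers as the application might emit them before the
# web server rewrites them (cookie names and values are made up).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=0000abc123:-1; Path=/your-app
Set-Cookie: theme=dark; Path=/; HttpOnly
Set-Cookie: token=xyz; Path=/; Secure; HttpOnly
"""

def apply_header_edit(value):
    """Model of: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure"""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", value, count=1)

def cookie_flags(value):
    """Return (cookie name, list of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = [p.split("=", 1)[0].lower() for p in parts[1:] if p]
    return name, attrs

def audit(raw_headers, rewrite=False):
    """Map cookie name -> {'missing': [...], 'duplicated': [...]}."""
    report = {}
    for line in raw_headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        value = value.strip()
        if rewrite:  # simulate the web server rule before auditing
            value = apply_header_edit(value)
        name, attrs = cookie_flags(value)
        report[name] = {
            "missing": [f for f in ("httponly", "secure") if f not in attrs],
            "duplicated": sorted({a for a in attrs if attrs.count(a) > 1}),
        }
    return report

if __name__ == "__main__":
    for label, rewrite in (("before", False), ("after", True)):
        print(label, audit(SAMPLE_HEADERS, rewrite=rewrite))
```

Because the rule appends unconditionally, cookies that the application already marks `HttpOnly` or `Secure` end up with the attribute repeated, which the `duplicated` field reports.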