我想为Cookie添加httponly和secure标记。要实现它,我使用Filters中配置的web.xml。
添加标志的代码如下:
package com.crisil.dbconn;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.filters.SecurityWrapperResponse;
public class ClickjackFilter implements Filter
{
private String mode = "DENY";
/**
* Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
* decide to implement) not to display this content in a frame. For details, please
* refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse)response;
//HttpServletRequest req = (HttpServletRequest)request.getSession();
res.addHeader("X-FRAME-OPTIONS", mode );
res.addHeader("X-Content-Type-OPTIONS", "nosniff" );
res.addHeader("X-XSS-Protection", "1; mode=block" );
res.addHeader("Vary", "*" );
res.addHeader("Expires", "-1" );
res.addHeader("Pragma", "no-cache" );
res.addHeader("Cache-control", "no-cache, no-store,max-age=0, must-revalidate" );
String contextPath = ((HttpServletRequest) request).getContextPath()+"kevalcccc";
((HttpServletResponse)ServletActionContext.getResponse()).setHeader("SET-COOKIE", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path="+contextPath+";Secure;HttpOnly");
// touch the session
// ((HttpServletRequest) request).getSessison();
// System.out.println("zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz");
// overwriting the cookie with Secure attribute set
// ((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");
////////////
/* Cookie[] cookies = ((HttpServletRequest) request).getCookies();
if (cookies != null)
for (int i = 0; i < cookies.length; i++) {
cookies[i].setValue("");
cookies[i].setPath("/");
cookies[i].setMaxAge(0);
cookies[i].setSecure(true);
res.addCookie(cookies[i]);
}
*/
//////////////
String sessionid = ((HttpServletRequest) request).getSession().getId();
((HttpServletResponse) response).setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
chain.doFilter(request, response);
}
public void destroy() {
}
public void init(FilterConfig filterConfig) {
String configMode = filterConfig.getInitParameter("mode");
if ( configMode != null ) {
mode = configMode;
}
}
}
上面的代码是为JSESSIONID cookie添加httponly和secure标志。但是,在响应标题中,我得到两个cookie。第二个没有设置httponly和secure标志。请参考以下输出:
JSESSIONID = 1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43 1248935162 1451244054765;! HttpOnly;安全
JSESSIONID = 1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43 1248935162!; 路径= /“
为什么没有为第二个Cookie添加httponly和secure标记?
答案 0 :(得分:1)
设置JSESSIONID是运行Web应用程序的servlet容器的责任。从过滤器中移除setHeader,并通过将以下内容添加到web.xml来正确配置您的Web应用程序:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
答案 1 :(得分:0)
如果您的网络服务器不支持,您必须自己动手。
可以在How do you configure HttpOnly cookies in tomcat / java webapps?
找到一个好的答案答案 2 :(得分:0)
HttpSession session = request.getSession(true);
Cookie cookie = new Cookie("JSESSIONID", session.getId());
cookie.setSecure(true);
cookie.setHttpOnly(true);