最近,IBM Security AppScan发现了一个缺少加密会话(ssl)cookie中的安全属性的问题。报告如下:
此应用程序是Java代码,我添加了一个过滤器来设置所有cookie安全,代码:
public class BasicFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) servletRequest;
Cookie[] cookies = req.getCookies();
HttpServletResponse resp = (HttpServletResponse) servletResponse;
if( cookies != null && cookies.length > 0) {
for (int i = 0; i < cookies.length; i++) {
cookies[i].setSecure(true);
cookies[i].setHttpOnly(true);
resp.addCookie(cookies[i]);
}
}
filterChain.doFilter(req,resp);
}
@Override
public void destroy() {
}
}
它可以正常运行,而所有Cookie都会响应两次,它会尝试反复登录(使用 SSO 登录):
感谢您的帮助,我该怎么做才能实现安全和解决cookie问题,希望你们能给我一些解决这个问题的想法。 谢谢!
答案 0 :(得分:0)