Fixing "Missing Secure Attribute in Encrypted Session (SSL) Cookie" using Java

Posted: 2018-06-06 09:40:58

Tags: java security cookies bluemix-app-scan

Recently IBM Security AppScan reported a "Missing Secure Attribute in Encrypted Session (SSL) Cookie" issue. The report is as follows:

[screenshot of the AppScan finding]

The application is Java code, and I added a filter to set all cookies as secure. The code:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse resp = (HttpServletResponse) servletResponse;
        // Cookies parsed from the request's Cookie header carry only a name and a value.
        Cookie[] cookies = req.getCookies();
        if (cookies != null && cookies.length > 0) {
            for (int i = 0; i < cookies.length; i++) {
                // Flag each request cookie and send it back as an additional Set-Cookie header.
                cookies[i].setSecure(true);
                cookies[i].setHttpOnly(true);
                resp.addCookie(cookies[i]);
            }
        }
        filterChain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
    }
}

It runs normally, but every cookie is sent in the response twice, and it tries to log in repeatedly (login is via SSO):

[screenshot of the duplicated Set-Cookie headers]

Thanks for your help. What should I do to make the cookies secure and resolve the cookie problem? I hope you can give me some ideas for solving this. Thanks!
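The filter above re-sends the request's cookies as new Set-Cookie headers next to the ones the SSO layer already sets, which is where the duplicates come from. An alternative that does not have that problem, written here as an added example (not the poster's code; `SecureCookieFilter` is a hypothetical name and it assumes the Servlet 3.0+ `javax.servlet` API), is to wrap the response so that whatever the downstream chain sets is flagged on its way out:

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical filter name. Wraps the response so every cookie the downstream
// chain sets (application or SSO code) gets Secure and HttpOnly, without
// re-sending the request's cookies a second time.
@WebFilter("/*")
public class SecureCookieFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new Wrapper((HttpServletResponse) resp));
    }

    static class Wrapper extends HttpServletResponseWrapper {
        Wrapper(HttpServletResponse r) { super(r); }

        // Cookies set through the API: flag the object before it is serialised.
        @Override public void addCookie(Cookie c) {
            c.setSecure(true);
            c.setHttpOnly(true);
            super.addCookie(c);
        }
        // Raw Set-Cookie headers bypass addCookie(), so intercept those too.
        @Override public void addHeader(String n, String v) { super.addHeader(n, harden(n, v)); }
        @Override public void setHeader(String n, String v) { super.setHeader(n, harden(n, v)); }

        // Append whichever attribute is missing; non-cookie headers pass through untouched.
        static String harden(String name, String value) {
            if (value == null || !"Set-Cookie".equalsIgnoreCase(name)) return value;
            if (!hasAttribute(value, "secure")) value += "; Secure";
            if (!hasAttribute(value, "httponly")) value += "; HttpOnly";
            return value;
        }
        static boolean hasAttribute(String header, String attr) {
            for (String part : header.split(";")) {
                if (part.trim().toLowerCase(Locale.ROOT).equals(attr)) return true;
            }
            return false;
        }
    }
}
```

The container writes its own session cookie (JSESSIONID) beneath any wrapper, so that one is flagged through `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>` in web.xml (Servlet 3.0) rather than in the filter.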

1 answer:

Answer 0: (score: 0)