[已解决]设置Cookie SameSite = None在Chrome / JSP,JAVASCRIPT上不起作用
我正在开发JSP(tomcat6)应用程序。 (域不同)
我正在尝试将相同站点属性设置为None,因为由于chrome浏览器的新版本,cookies在2分钟后消失了。 (修复程序的发布日期为2020年2月4日,每发布日期:https://www.chromium.org/updates/same-site)
我试图通过以下方式解决问题,但仍然无法正常工作
-
response.setHeader("Set-Cookie", "user=test;HttpOnly;Secure;SameSite=None"); -
response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=None"); -
document.cookie = "witcher=Geralt; HttpOnly; SameSite=None; Secure"; -
<iframe src="https://service3.smartcapsule.jp/disp/ONECLICKCOMM.do"></iframe> -
By using Pop-up windows
代码在这里
document.form1.division2.value = 1;
document.form1.division3.value = 1;
document.form1.division4.value = 1;
document.form1.pan.value = 4322423434232342;
document.form1.expiryDate.value = 0222;
document.form1.jspName.value = 'index.jsp';
document.form1.method = "post";
document.cookie = "HttpOnly; SameSite=None; Secure";
document.form1.action = http://service3.smartcapsule.jp/disp/ONECLICKCOMM.do;
标题在这里
<html><body>
host=localhost:8080<br>
connection=keep-alive<br>
content-length=90<br>
cache-control=max-age=0<br>
origin=http://localhost:8080<br>
upgrade-insecure-requests=1<br>
dnt=1<br>
content-type=application/x-www-form-urlencoded<br>
user-agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4252.0 Safari/537.36<br>
accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br>
sec-fetch-site=same-origin<br>
sec-fetch-mode=navigate<br>
sec-fetch-user=?1<br>
sec-fetch-dest=document<br>
accept-encoding=gzip, deflate, br<br>
accept-language=en,q=0.9,q=0.8,ko;q=0.7,ja;q=0.6,q=0.5<br>
cookie=SameSite=None; Secure; aspGroupId=00000000; _ga=GA1.1.371271115.1600306707; _gid=GA1.1.1473986481.1600822923; JSESSIONID=15BA5A77A80B2C93969A44FE9371B135; _gat_UA-71516129-3=1; _token=8b234c913616b70c05100bb7fc141a33; _gat=1; arp_scroll_position=2986.363525390625<br>
</body></html>
-------------------------------------------------------------------------------------------
<html><body>
host=localhost:8080<br>
connection=keep-alive<br>
content-length=384<br>
cache-control=max-age=0<br>
origin=null<br>
upgrade-insecure-requests=1<br>
dnt=1<br>
content-type=application/x-www-form-urlencoded<br>
user-agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4252.0 Safari/537.36<br>
accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br>
sec-fetch-site=cross-site<br>
sec-fetch-mode=navigate<br>
sec-fetch-dest=document<br>
accept-encoding=gzip, deflate, br<br>
accept-language=en,q=0.9,q=0.8,ko;q=0.7,ja;q=0.6,q=0.5<br>
</body></html>
如果我不更改浏览器属性,应该如何解决?
disable 「SameSite by default cookies」 in chrome://flags
“ 20200924”我尝试了以下操作,但cookie仍然丢失了
Cookies.set('name', 'value', {
sameSite: 'none',
secure: true
})
response.setHeader("Set-Cookie", "user=mcmd;HttpOnly;Secure;SameSite=None");
document.cookie = "witcher=Geralt; SameSite=None; Secure";
public void doGet( HttpServletRequest request, HttpServletResponse response ) throws ServletException,IOException {
response.setContentType("text/html;charset=Windows-31J");
PrintWriter out = response.getWriter();
out.println("<html><body>");
Enumeration e = request.getHeaderNames();
while( e.hasMoreElements() ) {
String name = ( String )e.nextElement();
out.println( name + "=" + request.getHeader( name ) + "<br>");
}
out.println("</body></html>");
}
document.cookie = "<%= s_cookies %>";
document.cookie = "witcher=Geralt; SameSite=None; Secure";
res.setHeader("Set-Cookie", "user=mcmd;HttpOnly;Secure;SameSite=None");
res.setHeader("Access-Control-Allow-Origin","*");
res.setHeader("Access-Control-Allow-Credentials","true");
crossDomain=true; withCredentials=true;Authorization; Max-Age=60*60*3600
<iframe src="https://service3.smartcapsule.jp/disp/ONECLICKCOMM.do"></iframe>
<script
src="https://code.jquery.com/jquery-3.4.1.min.js"
integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
crossorigin="anonymous">
</script>
<script>
const apexUrl = 'localhost:8080';
const forwardUrl = 'https://localhost:8080';
alert(window.location.host);
if (window.location.host === apexUrl) {
window.location.host = forwardUrl;
}
</script>
Google reCAPTCHA
我尝试过Ajax的``20201001'',但cookie仍然丢失了...
「20201012」已解决
最后,一切都顺利完成了
Java代码在这里
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
@SuppressWarnings({"unused"})
public class CSRFCookieFilter implements Filter {
public CSRFCookieFilter() {
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
try {
HttpServletRequest httpServletRequest = (HttpServletRequest)request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
printCookie("OLD_COOKIES",httpServletRequest);
ModifyHttpServletRequestWrapper mParametersWrapperRequest = new ModifyHttpServletRequestWrapper(httpServletRequest);
Cookie[] cookies = mParametersWrapperRequest.getCookies();
if (null != cookies) {
for (Cookie cookie : cookies) {
if (!isCookieNullOrEmpty(cookie)) {
if(!cookie.getValue().contains(COOKIE_PARA_LIST[2])) {
cookie.setSecure(true);
mParametersWrapperRequest.putCookie(cookie.getName(), cookie.getValue() + COOKIE_PARA_LIST[1]);
httpServletResponse.addHeader("Set-Cookie", addCookieHeader(httpServletResponse, cookie, true));
}
}
}
}
httpServletResponse.addHeader("Access-Control-Allow-Origin","*");
httpServletResponse.addHeader("Access-Control-Allow-Credentials","true");
printCookie("NEW_COOKIES",mParametersWrapperRequest);
chain.doFilter(mParametersWrapperRequest, httpServletResponse);
} catch (Throwable e) {
System.out.println("CSRFCookieFilter Throwable "+e.getMessage());
e.printStackTrace();
}
}
public void init(FilterConfig filterConfig) throws ServletException {
System.out.println("---------------------------------------->CSRFCookieFilter init():" + filterConfig.toString());
}
public static void clear() {
System.out.println("---------------------------------------->CSRFCookieFilter clear()");
}
public void init() {
System.out.println("---------------------------------------->CSRFCookieFilter init()");
}
public void destroy() {
System.out.println("---------------------------------------->CSRFCookieFilter destroy()");
}
/**********************************************************************************************************************/
private class ModifyHttpServletRequestWrapper extends HttpServletRequestWrapper {
private Map<String, String> mapCookies;
ModifyHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
this.mapCookies = new HashMap<>();
}
void putCookie(String name, String value) {
this.mapCookies.put(name, value);
}
String covertResponseCookies(String add_properties){
String ret = "";
for (Map.Entry<String, String> entry : this.mapCookies.entrySet()) {
String tmp = entry.getKey() + "=" + entry.getValue() + add_properties;
println(tmp);
ret = ret + tmp;
}
return ret;
}
@Override
public Cookie[] getCookies() {
HttpServletRequest request = (HttpServletRequest) getRequest();
Cookie[] cookies = request.getCookies();
if (mapCookies == null || mapCookies.isEmpty()) {
return cookies;
}
if (cookies == null || cookies.length == 0) {
List<Cookie> cookieList = new LinkedList<>();
for (Map.Entry<String, String> entry : mapCookies.entrySet()) {
String key = entry.getKey();
if (key != null && !"".equals(key)) {
cookieList.add(new Cookie(key, entry.getValue()));
}
}
if (cookieList.isEmpty()) {
return cookies;
}
return cookieList.toArray(new Cookie[cookieList.size()]);
} else {
List<Cookie> cookieList = new ArrayList<>(Arrays.asList(cookies));
for (Map.Entry<String, String> entry : mapCookies.entrySet()) {
String key = entry.getKey();
if (key != null && !"".equals(key)) {
for (int i = 0; i < cookieList.size(); i++) {
if (cookieList.get(i).getName().equals(key)) {
cookieList.remove(i);
}
}
cookieList.add(new Cookie(key, entry.getValue()));
}
}
return cookieList.toArray(new Cookie[cookieList.size()]);
}
}
}
public String addCookieHeader(HttpServletResponse response, Cookie cookie, boolean isHttpOnly) {
String name = cookie.getName();
String value = cookie.getValue();
int maxAge = cookie.getMaxAge();
String path = cookie.getPath();
String domain = cookie.getDomain();
boolean isSecure = cookie.getSecure();
StringBuilder buffer = new StringBuilder();
buffer.append(name).append("=").append(value).append(";");
if (0 == maxAge) {
buffer.append("Expires=" + getExpiresDate() + ";");
} else if (0 < maxAge) {
buffer.append("Max-Age=").append(maxAge).append(";");
}
if (null != domain) {
buffer.append("domain=").append(domain).append(";");
}
if (null != path) {
buffer.append("path=").append(path).append(";");
}
if (isSecure) {
buffer.append("secure;");
}
if (isHttpOnly) {
buffer.append("HTTPOnly;");
}
buffer.append("SameSite=None;");
return buffer.toString();
}
/**********************************************************************************************************************/
private static boolean DEBUG_MODE = false;
private static void println(String args){
if (DEBUG_MODE) System.out.println(args);
}
public static void printCookie(String targetHeader,HttpServletRequest req){
if (!DEBUG_MODE) {
return;
}
println("-----------------" + targetHeader + "-----------------------------");
Cookie[] cookies = req.getCookies();
if (null != cookies) {
for (Cookie cookie : cookies) {
println( cookie.getName() + ":" + cookie.getValue());
}
}
println("-----------------" + targetHeader + "-----------------------------");
}
/**********************************************************************************************************************/
private String getExpiresDate(){
Calendar cal = Calendar.getInstance();
cal.add(Calendar.HOUR, 1);
Date date = cal.getTime();
Locale locale = Locale.CHINA;
SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss", locale);
return sdf.format(date);
}
public static boolean isCookieNullOrEmpty(Cookie cookie) {
return null == cookie || null == cookie.getValue() || cookie.getValue().isEmpty();
}
static String[] COOKIE_PARA_LIST = {
";user=mcmd;Secure;HttpOnly;SameSite=None;"
, ";Secure;HttpOnly;SameSite=None;"
, "SameSite=None"
};
/**
* document.cookie = "name=huang; secure";
*/
public static Map<String,String> resetDocumentCookieSet(HttpServletRequest req,String param_amend_ment) {
Map<String,String> requestMap = new HashMap<String,String>();
Cookie[] cookies = req.getCookies();
if (null != cookies) {
for (Cookie cookie : cookies) {
if (!isCookieNullOrEmpty(cookie)) {
if(!cookie.getValue().contains(COOKIE_PARA_LIST[2])) {
requestMap.put(cookie.getName() + "=" + cookie.getValue(), param_amend_ment);
}
}
}
}
return requestMap;
}
/**********************************************************************************************************************/
}
JSP代码在这里
<%
Map requestMap = CSRFCookieFilter.resetDocumentCookieSet(request,";Secure;HttpOnly;SameSite=None;");
Set keys = requestMap.entrySet();
Iterator it = keys.iterator();
while (it.hasNext()) {
Map.Entry entry = (Map.Entry)it.next();
String new_cookies = ((String)entry.getKey()) + ((String)requestMap.get((String)entry.getKey()));
%>
document.cookie = "<%= new_cookies %>";
<%
}
%>
web.xml在这里
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
1 个答案:
答案 0 :(得分:0)
请参阅「20201012」的解决方法
CSRFCookieFilter
相关问题
- 配置“ /; SameSite = None; Secure” Cookie Javascript
- Php:为Cookie属性SameSite = None设置标头; Secure根本不起作用
- ASP.Net无法使用SameSite = None设置cookie
- 不会从Chrome 80中设置samesite = none和secure = true的Cookie吗?
- 如何使用SameSite None和Secure正确设置跨域Cookie?
- 在Java中将“ SameSite = None”设置为cookie
- 将“ DefaultCookieSerializer”注释为“ @Component”时,将“ SameSite” cookie值设置为“ none”不起作用
- 会话cookie集`SameSite = None;安全;`不起作用
- [已解决]设置Cookie SameSite = None在Chrome / JSP,JAVASCRIPT上不起作用
- 在Superset中将Samesite cookie设置为None
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?