Java Development | Security: Setting the Secure Attribute on Cookies
https://blog.csdn.net/Michael_HM/article/details/79074764?utm_source=blogxgwz2
https://coder-programming.blog.csdn.net/article/details/79074644?spm=1001.2101.3001.6650.6&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromBaidu%7Edefault-6.queryctrv2&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromBaidu%7Edefault-6.queryctrv2&utm_relevant_index=13
```java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CookieFilter implements Filter {
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        Cookie[] cookies = req.getCookies();

        if (cookies != null) {
            // Only the first request cookie is re-issued; it is assumed to be JSESSIONID.
            Cookie cookie = cookies[0];
            if (cookie != null) {
                /*cookie.setMaxAge(3600);
                cookie.setSecure(true);
                resp.addCookie(cookie);*/

                // Servlet 2.5 has no way to set HttpOnly on a Cookie object,
                // so the Set-Cookie header is written by hand.
                String value = cookie.getValue();
                StringBuilder builder = new StringBuilder();
                // Use the cookie's real name rather than a hard-coded "JSESSIONID",
                // so a different first cookie is never mislabelled as the session id.
                builder.append(cookie.getName() + "=" + value + "; ");
                builder.append("Secure; ");
                builder.append("HttpOnly; ");
                Calendar cal = Calendar.getInstance();
                cal.add(Calendar.HOUR, 1);
                Date date = cal.getTime();
                // Expires must be an RFC 1123 date in GMT with English day/month names;
                // the original "dd-MM-yyyy HH:mm:ss" pattern is not a valid cookie date
                // and browsers ignore it.
                SimpleDateFormat sdf = new SimpleDateFormat(
                        "EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
                sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
                builder.append("Expires=" + sdf.format(date));
                resp.setHeader("Set-Cookie", builder.toString());
            }
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}
```
This code is taken from CookieFilter; with it we add the HttpOnly attribute to all cookies.
Note: this requires Servlet 3.0 support; Tomcat 7 has no problem with it. To check the servlet version:
Find servlet-api.jar under the Tomcat/lib folder, unzip it, then open servlet-api\META-INF\MANIFEST.MF (EditPlus, Notepad++ or any similar tool will do):
```text
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.3
Created-By: 1.6.0_45-b06 (Sun Microsystems Inc.)
X-Compile-Source-JDK: 1.6
X-Compile-Target-JDK: 1.6

Name: javax/servlet/
Specification-Title: Java API for Servlets
Specification-Version: 3.0
Specification-Vendor: Sun Microsystems, Inc.
Implementation-Title: javax.servlet
Implementation-Version: 3.0.FR
Implementation-Vendor: Apache Software Foundation
```
The text shown in red in the original (the Specification-Version line) is the servlet version. Reference: how to check the servlet/JSP version.
Configuring a filter this way to add the HttpOnly attribute to cookies through the response is not really reasonable in some situations, and it may have some side effects on a project. After doing this in my project there was no problem in Google Chrome, but in Firefox and IE problems appeared. Our project's pages use the Tiles framework for layout: after login, LoginAction returns to the struts result configuration, which forwards to Tiles, and Tiles then sends its own requests to load data. The problem shows up here: the request sent at that point and the earlier request are now in different sessions, which causes an error. After disabling CookieFilter there was no problem, so I suspect the HttpOnly attribute caused the session to change.
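As an added example (not the post's code), here is a hypothetical filter that takes the other route on Servlet 2.5: instead of re-sending the request's first cookie as a fresh Set-Cookie before the chain runs, as the filter above does, it wraps the response and appends HttpOnly (and, on TLS requests, Secure) to every Set-Cookie the application itself writes. Tomcat issues its own JSESSIONID cookie on the container's internal response object, below the filter chain, so a wrapper like this never sees the session cookie; for that cookie the Tomcat useHttpOnly setting discussed below is the right tool.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: wraps the response and appends HttpOnly/Secure to every
// Set-Cookie the application writes (Servlet 2.5 has no Cookie.setHttpOnly).
public class SecureCookieFilter implements Filter {
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        // Secure only on a TLS request: a Secure cookie is never sent back over plain HTTP.
        chain.doFilter(request, new HardeningResponse(resp, request.isSecure()));
    }

    static final class HardeningResponse extends HttpServletResponseWrapper {
        private final boolean tls;
        HardeningResponse(HttpServletResponse r, boolean tls) { super(r); this.tls = tls; }

        @Override public void addCookie(Cookie c) { super.addHeader("Set-Cookie", harden(render(c))); }
        @Override public void setHeader(String n, String v) { super.setHeader(n, isSetCookie(n) ? harden(v) : v); }
        @Override public void addHeader(String n, String v) { super.addHeader(n, isSetCookie(n) ? harden(v) : v); }
        private static boolean isSetCookie(String n) { return "Set-Cookie".equalsIgnoreCase(n); }

        // Minimal rendering of the attributes javax.servlet.http.Cookie exposes.
        private static String render(Cookie c) {
            StringBuilder sb = new StringBuilder(c.getName()).append('=').append(c.getValue());
            if (c.getPath() != null) sb.append("; Path=").append(c.getPath());
            if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
            if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge());
            return sb.toString();
        }

        // Idempotent: attributes are matched as whole tokens after name=value, so a
        // cookie value that happens to contain "secure" is not mistaken for the flag.
        String harden(String header) {
            StringBuilder sb = new StringBuilder(header);
            if (!hasAttr(header, "HttpOnly")) sb.append("; HttpOnly");
            if (tls && !hasAttr(header, "Secure")) sb.append("; Secure");
            return sb.toString();
        }
        private static boolean hasAttr(String header, String attr) {
            String[] parts = header.split(";");
            for (int i = 1; i < parts.length; i++)
                if (parts[i].trim().equalsIgnoreCase(attr)) return true;
            return false;
        }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Register it in web.xml like any other filter; because it only rewrites headers the application emits, it cannot replace a session cookie with a stale value from the request.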
Tomcat 5.5 official documentation:
useHttpOnly Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to false.
Tomcat 6 official documentation:
useHttpOnly Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to false.
Tomcat 7 official documentation:
useHttpOnly Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.
According to the documentation, useHttpOnly defaults to false on Tomcat 5.5 and 6, and to true on Tomcat 7.
Modify tomcat/conf/context.xml so that the Context element carries useHttpOnly="true" (the tags of the original snippet were lost in extraction; only the attribute value survived):

```xml
<!-- tomcat/conf/context.xml -->
<Context useHttpOnly="true">
    <!-- existing children of Context unchanged -->
</Context>
```

The Connector fragment from tomcat/conf/server.xml that survived on the page (its port and protocol attributes did not) is:

```xml
<Connector connectionTimeout="20000"
           redirectPort="8443" secure="true" />
```

secure="true" makes Tomcat answer request.isSecure() with true for every request on that connector, so the session cookie it issues carries the Secure flag. Set it only on a connector that really sits behind TLS (the HTTPS connector, or one fed by a TLS-terminating proxy): a browser never sends a Secure cookie back over plain HTTP, so on an HTTP-only connector every request would start a new session.