Java HttpOnly标志 [英] Java HttpOnly Flag

问题描述

我使用Servlet 3.0，我想使用HttpOnly标志来保护我的Cookie。我的web.xml是

I used Servlet 3.0 and I want secure my cookies with HttpOnly flag. my web.xml is

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee" 
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
    http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">


    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

</web-app>

而我的Servlet是

and my Servlet is

response.setContentType("application/json");
PrintWriter pw = response.getWriter();

Cookie cookie = new Cookie("url", "google.com");
cookie.setMaxAge(60 * 60); //1 hour
response.addCookie(cookie);

pw.println("Cookies created");

my context.xml

my context.xml is

<Context cookies="true" crossContext="true" useHttpOnly="true">
    <SessionCookie httpOnly="true"/>    
</Context>

但我可以从Javascript读取Cookie。可以有人帮助我吗？

but I can read cookies from Javascript . Can anybody help me?

推荐答案

web.xml仅配置session-cookie。

The web.xml only configures the session-cookie.

您应该添加

cookie.setHttpOnly(true);

到您的Servlet。

to your Servlet.

这篇关于Java HttpOnly标志的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！