How to set HttpOnly and Secure on the session cookie for a Java web application


Question


Hi I am working on XSS(cross site scripting) issue. my application develop on oracle weblogic portal. we use Servlet 2.5 version.


I have added below 3 lines of code in the filter for setting httponly and secure cookies. and it is working fine.

```java
// Inside the filter's doFilter(): req is the HttpServletRequest, res the HttpServletResponse.
String sessionid = req.getSession().getId();
// Re-emit the container's session cookie with the HttpOnly flag.
res.setHeader("Set-Cookie", "JSESSIONID=" + sessionid + ";HttpOnly");
// Note: header names are case-insensitive and setHeader() replaces an existing
// value, so this second call overwrites the HttpOnly line above with the Secure one.
res.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure");
```


The issue is when I log out and log in immediately in the same browser: I am able to log in, but after that on the JSP pages I am getting a session timeout issue. We use WebLogic related APIs. The request.getUserPrincipal() API is returning null.. guess it is being set to null.

Any ideas, please share.


if there are any other ways to set httponly or secure flag please help.

Accepted answer


Depending on the specifics of your web container, modifying container-managed session cookies within an app can cause the app server to toss the existing session and create a new one. I've observed this on Tomcat but it may be similar for Weblogic.


If you're using Servlets 3.0, you can actually instruct the app server to ensure that all session cookies are HttpOnly and Secure with the following fragments:

```xml
<!-- web.xml (Servlet 3.0 or later) -->
<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
```


This is a better approach than manually hacking on the cookies with a filter.


FYI: I've also written a Java library that injects a number of security related response headers in Servlet based apps.
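The same Servlet 3.0 setting can be applied programmatically instead of in web.xml, which is useful when the deployment descriptor is generated or shared across environments. The listener below is an added example, not code from the question, the answer, or the library the answerer mentions; it uses only the standard javax.servlet API (ServletContext.getSessionCookieConfig() and SessionCookieConfig), and the class name is a placeholder. The container, not application code, then emits the JSESSIONID cookie with both flags, so the existing session is never replaced the way the filter approach in the question can cause.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Hardens the container-managed session cookie at application start-up.
 * Hypothetical class name; equivalent to the <cookie-config> fragment in web.xml.
 */
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // SessionCookieConfig may only be changed before the context is initialised,
        // i.e. before the first session is created; doing it here satisfies that.
        SessionCookieConfig cookieConfig = ctx.getSessionCookieConfig();
        cookieConfig.setHttpOnly(true); // not readable from document.cookie in the browser
        cookieConfig.setSecure(true);   // only sent over HTTPS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

After deploying, confirm the effect by inspecting the Set-Cookie response header on the first request that creates a session; it should read along the lines of `JSESSIONID=...; Path=/; Secure; HttpOnly`, and the application code no longer needs to touch the header itself. This requires a Servlet 3.0 container, so on the Servlet 2.5 stack mentioned in the question it is not available until the platform is upgraded.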
