在Java Web应用程序中为设置cookie添加httponly和secure标志 [英] adding httponly and secure flag for set cookie in java web application
问题描述
我想为Cookies添加httponly
和secure
标志.为了实现它,我使用在web.xml
中配置的Filters
.
I want to add the httponly
and secure
flags for Cookies. To implement it, I am using Filters
which are configured in web.xml
.
添加标志的代码如下:
package com.crisil.dbconn;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.filters.SecurityWrapperResponse;
public class ClickjackFilter implements Filter
{
private String mode = "DENY";
/**
* Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
* decide to implement) not to display this content in a frame. For details, please
* refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse)response;
//HttpServletRequest req = (HttpServletRequest)request.getSession();
res.addHeader("X-FRAME-OPTIONS", mode );
res.addHeader("X-Content-Type-OPTIONS", "nosniff" );
res.addHeader("X-XSS-Protection", "1; mode=block" );
res.addHeader("Vary", "*" );
res.addHeader("Expires", "-1" );
res.addHeader("Pragma", "no-cache" );
res.addHeader("Cache-control", "no-cache, no-store,max-age=0, must-revalidate" );
String contextPath = ((HttpServletRequest) request).getContextPath()+"kevalcccc";
((HttpServletResponse)ServletActionContext.getResponse()).setHeader("SET-COOKIE", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path="+contextPath+";Secure;HttpOnly");
// touch the session
// ((HttpServletRequest) request).getSessison();
// System.out.println("zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz");
// overwriting the cookie with Secure attribute set
// ((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");
////////////
/* Cookie[] cookies = ((HttpServletRequest) request).getCookies();
if (cookies != null)
for (int i = 0; i < cookies.length; i++) {
cookies[i].setValue("");
cookies[i].setPath("/");
cookies[i].setMaxAge(0);
cookies[i].setSecure(true);
res.addCookie(cookies[i]);
}
*/
//////////////
String sessionid = ((HttpServletRequest) request).getSession().getId();
((HttpServletResponse) response).setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
chain.doFilter(request, response);
}
public void destroy() {
}
public void init(FilterConfig filterConfig) {
String configMode = filterConfig.getInitParameter("mode");
if ( configMode != null ) {
mode = configMode;
}
}
}
上面的代码为JSESSIONID cookie添加了httponly
和secure
标志.但是,在响应标题中,我得到了两个cookie.第二个没有设置httponly
和secure
标志.请参考以下输出:
The above code is adding httponly
and secure
flags for the JSESSIONID cookie. However, in the Response Header, I am getting two cookies. The second one does not have httponly
and secure
flags set. Please refer to the below output:
JSESSIONID = 1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162!1451244054765; HttpOnly;安全
JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162!1451244054765; HttpOnly;Secure
JSESSIONID = 1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162; 路径=/"
JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162; path=/"
为什么没有为第二个cookie添加httponly
和secure
标志?
Why are the httponly
and secure
flags not added for the second cookie?
推荐答案
设置JSESSIONID
是任何正在运行Web应用程序的servlet容器的责任.从过滤器中删除setHeader
,并通过在web.xml
中添加以下内容来正确配置Web应用程序:
Setting the JSESSIONID
is the responsibility of whatever servlet container is running your web application. Remove the setHeader
from your filter, and configure your web application properly by adding the following to your web.xml
:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
这篇关于在Java Web应用程序中为设置cookie添加httponly和secure标志的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!