set httpOnly and secure flags on session cookie in Google App Engine


Problem description

I need to set the httpOnly and secure flags on the session cookie in Google App Engine.

I tried the following in web.xml:

<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>

However, this didn't work.

I also tried this at the top of every JSP:

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

How can I achieve this?

Recommended answer

I had the same problem with Google App Engine, but I wanted to add the Secure attribute to all cookies. The following shows how I've added the Secure attribute to all cookies. I'm almost sure that this solution will work for you just by substituting Secure with HttpOnly.

I've implemented a security filter and mapped it to the pages on which I want the Secure attribute to be set.

<filter>
    <filter-name>Security Filter</filter-name>
    <filter-class>common.SecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>Security Filter</filter-name>
    <url-pattern>*.jsf</url-pattern>
</filter-mapping>

My first try was to wrap the response in my custom HttpServletResponseWrapper. All was fine except that the session cookie didn't get the attribute. I debugged around and found that the session cookie is not added using the mechanism I expected. I then noticed that after you touch the session, the session cookie is magically added to the response headers, e.g. the headers now contain the line Set-Cookie: JSESSIONID=abcdef;Path=/, but the cookie wasn't added using the wrapper object that I created. I figured out that after I've touched the session I can set the cookie that I want with the attributes that I want. So the workaround was easy.

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SecurityFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        // wrap the response so the Secure attribute is appended to every Set-Cookie header
        HttpServletResponse secureResponse = new SecureCookieSetter((HttpServletResponse) response);

        // touch the session: this is what makes the container emit its own JSESSIONID cookie
        // (the request must be cast before calling getSession(); the original cast bound to the wrong expression)
        httpRequest.getSession();

        // overwriting the cookie with Secure attribute set (the wrapper appends ";Secure")
        secureResponse.setHeader("Set-Cookie", "JSESSIONID=" + httpRequest.getSession().getId() + ";Path=/");

        // continue the filter chain with the wrapped response (without this the request is never served)
        chain.doFilter(request, secureResponse);
    }

    @Override
    public void destroy() { }
}

public class SecureCookieSetter extends HttpServletResponseWrapper {

    public SecureCookieSetter(HttpServletResponse response) {
        super(response);
    }

    @Override
    public void addCookie(Cookie cookie) {
        cookie.setSecure(true);
        super.addCookie(cookie);
    }

    @Override
    public void addHeader(String name, String value) {
        super.addHeader(name, withSecure(name, value));
    }

    @Override
    public void setHeader(String name, String value) {
        super.setHeader(name, withSecure(name, value));
    }

    // Append ";Secure" to a Set-Cookie value unless it already carries the attribute.
    // The original pattern used an unescaped \s (a compile error in a Java string literal), and
    // String.matches() requires a full match, so a value such as "...;Secure;Path=/" was not recognised.
    private static String withSecure(String name, String value) {
        if (name.equals("Set-Cookie") && !value.matches("(?i).*(^|;)\\s*Secure\\s*(;.*)?")) {
            return value + ";Secure";
        }
        return value;
    }
}
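The answer suggests substituting HttpOnly for Secure; in practice a session cookie should carry both, and the attribute check should be idempotent and case-insensitive so that cookies set by other code are not double-flagged. The following is an added example in Java, not the answerer's code: a single filter and wrapper that add both attributes to every Set-Cookie header and to every Cookie object, with a stand-alone `main` that exercises the header rewriting on constructed sample values. The class names `CookieHardeningFilter`, `HardeningResponse`, `harden` and `hasAttribute` are mine; it assumes a Servlet 3.0+ container for `Cookie.setHttpOnly` (the comment says what to do on older ones) and must be registered in web.xml with a `<filter>`/`<filter-mapping>` pair like the one in the answer.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Forces Secure and HttpOnly onto every cookie the wrapped response emits (added example). */
public class CookieHardeningFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HardeningResponse res = new HardeningResponse((HttpServletResponse) response);

        // Touching the session makes the container emit its own Set-Cookie for JSESSIONID;
        // re-setting the header afterwards routes it through the wrapper, which appends the flags.
        String sessionId = req.getSession().getId();
        res.setHeader("Set-Cookie", "JSESSIONID=" + sessionId + ";Path=/");

        chain.doFilter(request, res);
    }

    @Override
    public void destroy() { }

    /** Appends whichever of Secure / HttpOnly is missing from a raw Set-Cookie value. */
    static String harden(String setCookieValue) {
        String v = setCookieValue;
        if (!hasAttribute(v, "Secure")) {
            v += ";Secure";
        }
        if (!hasAttribute(v, "HttpOnly")) {
            v += ";HttpOnly";
        }
        return v;
    }

    /** Case-insensitive, whitespace-tolerant check for a valueless cookie attribute. */
    static boolean hasAttribute(String setCookieValue, String attr) {
        for (String part : setCookieValue.split(";")) {
            if (part.trim().equalsIgnoreCase(attr)) {
                return true;
            }
        }
        return false;
    }

    static class HardeningResponse extends HttpServletResponseWrapper {
        HardeningResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            // Servlet 3.0+ only; on a Servlet 2.5 container remove this line and
            // emit such cookies as raw Set-Cookie headers so they pass through harden().
            cookie.setHttpOnly(true);
            super.addCookie(cookie);
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value) : value);
        }
    }

    /** Stand-alone check of the header rewriting; no servlet container needed. */
    public static void main(String[] args) {
        // constructed sample header values
        String plain = "JSESSIONID=abcdef;Path=/";
        String alreadyFlagged = "JSESSIONID=abcdef;Path=/; secure;HttpOnly";

        String hardened = harden(plain);
        if (!hasAttribute(hardened, "Secure") || !hasAttribute(hardened, "HttpOnly")) {
            throw new IllegalStateException("attributes were not appended: " + hardened);
        }
        if (!harden(alreadyFlagged).equals(alreadyFlagged)) {
            throw new IllegalStateException("already-flagged cookie was modified");
        }
        System.out.println(hardened);
        System.out.println(harden(alreadyFlagged));
    }
}
```

Splitting on `;` and comparing trimmed tokens, rather than matching a regex against the whole header, is what keeps the check idempotent: `; secure` in any case is recognised, and a cookie named `SecureToken` is not mistaken for the attribute.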
