How do you configure HttpOnly cookies in tomcat / java webapps?


Problem description

After reading Jeff's blog post on Protecting Your Cookies: HttpOnly, I'd like to implement HttpOnly cookies in my web application.

How do you tell tomcat to use http only cookies for sessions?

Solution

httpOnly is supported as of Tomcat 6.0.19 and Tomcat 5.5.28.

See the changelog entry for bug 44382.

The last comment for bug 44382 states, "this has been applied to 5.5.x and will be included in 5.5.28 onwards." However, it does not appear that 5.5.28 has been released.

The httpOnly functionality can be enabled for all webapps in conf/context.xml:

<Context useHttpOnly="true">
...
</Context>

My interpretation is that it also works for an individual context by setting it on the desired Context entry in conf/server.xml (in the same manner as above).
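
To confirm that the setting took effect, check that the session cookie in the HTTP response carries the HttpOnly attribute. The following is an added example, not part of the original answer: the function names are hypothetical, the sample headers are constructed, and it assumes Tomcat's default session cookie name JSESSIONID.

```python
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
SESSION_COOKIE = "JSESSIONID"  # assumption: Tomcat's default session cookie name


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict).

    Attribute names are case-insensitive (RFC 6265), so they are lowercased.
    Flag attributes such as HttpOnly and Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def missing_httponly(response_headers, names=(SESSION_COOKIE,)):
    """Return the names of watched cookies that were set without HttpOnly."""
    missing = []
    for header, value in response_headers:
        if header.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name in names and "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample responses (not captured from a real server).
BEFORE = [  # context without useHttpOnly="true"
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app"),
]
AFTER = [  # context with useHttpOnly="true"
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/app"),
]

if __name__ == "__main__":
    print("before:", missing_httponly(BEFORE))
    print("after: ", missing_httponly(AFTER))
```

Only the session cookie is watched by default, because useHttpOnly governs the container-issued session cookie; pass additional names to audit cookies the application sets itself.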
