Secure and HttpOnly flags for session cookie Websphere 7

Problem description

In Servlet 3.0 compliant application servers I can set the HttpOnly and secure flags for the session cookie (JSESSIONID) by adding the following to the web.xml:

<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

However, the application I'm working on is to be deployed in Websphere 7, which is Servlet 2.5 compliant, and it fails to start if I add the above to the web.xml.

Is there any other declarative way or setting in Websphere 7 configuration to turn on the HttpOnly and secure flags for the session cookie?

If not, what would be the best approach to accomplish that programmatically?

Solution

I think in WebSphere 7 you may have to delve into the administrative console. As ever the WebSphere documentation seems poor but seems to suggest setting the com.ibm.ws.security.addHttpOnlyAttributeToCookies property:

Both the Secure flag and the HTTPOnly flag are enabled by setting the WebSphere Application Server property: com.ibm.ws.security.addHttpOnlyAttributeToCookies.

I found this, which I hope is applicable to WAS7. Can you try please (I only have WAS 8 at the moment on my system):

JSESSIONID cookie:

Secure Flag:

The Secure flag can be set within the WebSphere Application Server administrative interface by selecting AppServer->[Server Name]->Web Container Settings->Session Management. Check the checkbox for "Restrict cookies to HTTPS Sessions".

HTTPOnly Flag:

The HTTPOnly attribute cannot currently be set on this cookie. This is registered on the IBM site as APAR PK98436. The fix for this APAR is currently targeted for inclusion in Fix Packs 6.1.0.31 and 7.0.0.9, which are not yet available. With this APAR in place, the HTTPOnly flag can be set on the JSESSIONID cookie by way of the property name: com.ibm.ws.webcontainer.httpOnlyCookies. Refer to the following technote for instructions on enabling WebContainer custom properties.

The com.ibm.ws.webcontainer.httpOnlyCookies property is documented on the WAS 7 help site.
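
Added example (not part of the original question or answer): a small check that reads the head of an HTTP response and reports which Set-Cookie headers for JSESSIONID lack the Secure or HttpOnly flag, so the console settings described above can be verified. The sample response and the function names are constructed for illustration.

```python
"""Added example: check captured response headers for the JSESSIONID flags."""
from typing import Dict, List

REQUIRED = ("secure", "httponly")  # compared in lowercase

# Constructed sample response head (not taken from a real server).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=0000SecureHttpOnly:-1; Path=/
Set-Cookie: JSESSIONID=0000abc:-1; Path=/; Secure
Set-Cookie: JSESSIONID=0000def:-1; Path=/; secure; HTTPOnly
Set-Cookie: theme=dark; Path=/
"""

def set_cookie_values(raw_head: str) -> List[str]:
    """Extract every Set-Cookie value from a raw response head."""
    values = []
    for line in raw_head.splitlines():
        field, sep, value = line.partition(":")  # split at the first colon only
        if sep and field.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def cookie_attrs(set_cookie: str):
    """Return (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Only text after the first ';' is an attribute, so a cookie value that
    # happens to contain the word "Secure" is not counted as the flag.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def missing_flags(values: List[str], cookie: str = "JSESSIONID") -> Dict[int, List[str]]:
    """Map the index of each header setting `cookie` to the flags it lacks."""
    findings = {}
    for i, value in enumerate(values):
        name, attrs = cookie_attrs(value)
        if name != cookie:
            continue
        missing = [flag for flag in REQUIRED if flag not in attrs]
        if missing:
            findings[i] = missing
    return findings

if __name__ == "__main__":
    for idx, flags in missing_flags(set_cookie_values(SAMPLE)).items():
        print(f"Set-Cookie #{idx}: JSESSIONID missing {', '.join(flags)}")
```

Run it against the response head captured over HTTPS after changing the settings; an empty result means every JSESSIONID cookie in that response carried both flags.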
