httpOnly Session Cookie + Servlet 3.0 (e.g. Glassfish v3)
Question
By default, Glassfish v3 doesn't set the httpOnly flag on session cookies (when created as usual with request.getSession()).

I know there is a method javax.servlet.SessionCookieConfig.setHttpOnly(), but I'm not sure if that's the best way to do it, and if yes, where the best place would be to put that line.

BTW, of course it can't be done in the servlet itself (e.g. in init()):

java.lang.IllegalStateException: PWC1426: Unable to configure httpOnly session tracking cookie property for servlet context /..., because this servlet context has already been initialized

Generally, I would prefer to use a configuration option e.g. in web.xml.
This is supported via a Servlet 3.0 web.xml (see web-common_3_0.xsd):
<web-app>
<session-config>
<cookie-config>
<!--
Specifies whether any session tracking cookies created
by this web application will be marked as HttpOnly
-->
<http-only>true</http-only>
</cookie-config>
</session-config>
</web-app>
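For completeness, the programmatic route asked about in the question also works if it runs early enough: a ServletContextListener's contextInitialized() is called before the context finishes initializing, so SessionCookieConfig is still writable there. The listener below is an added example, not code from the question or answer; the class name is hypothetical, and it assumes the Servlet 3.0 API (javax.servlet.*) with annotation scanning enabled.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Hypothetical listener (added example). contextInitialized() runs before
 * the web application finishes initializing, which is the only window in
 * which SessionCookieConfig may still be changed; calling setHttpOnly()
 * later, e.g. from a servlet's init(), raises the IllegalStateException
 * (PWC1426) quoted in the question.
 */
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        // Mark JSESSIONID as HttpOnly so script in the page (e.g. injected via
        // XSS) cannot read it through document.cookie. Equivalent to
        // <session-config><cookie-config><http-only>true</http-only> in web.xml;
        // use one mechanism, not both.
        cfg.setHttpOnly(true);

        ctx.log("Session cookie config: httpOnly=" + cfg.isHttpOnly());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to undo; cookie settings die with the context.
    }
}
```

To confirm either approach took effect, inspect the Set-Cookie response header on the first request that creates a session and check that the JSESSIONID cookie carries the HttpOnly attribute.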