Set httpOnly and secure flags on session cookie in Google App Engine

Views: 213

Problem description

I need to set httpOnly and secure flags on session cookie in Google App Engine.

I tried the following in web.xml:

<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>

However, this didn't work.

I also tried this at the top of every JSP:

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

How can I achieve this?

Solution

I had the same problem with Google App Engine, but I wanted to add the Secure attribute to all cookies. The following shows how I've added the Secure attribute to all cookies. I'm almost sure that this solution will work for you just by substituting Secure with HttpOnly.

I've implemented a security filter and made a mapping to the pages on which I want the Secure attribute to be set.

<filter>
    <filter-name>Security Filter</filter-name>
    <filter-class>common.SecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>Security Filter</filter-name>
    <url-pattern>*.jsf</url-pattern>
</filter-mapping>

My first try was to wrap the response in my custom HttpServletResponseWrapper. All was fine except that the session cookie didn't get the attribute. I debugged around and found that the session cookie is not added using the mechanism I expected. I then noticed that after you touch the session, the session cookie is magically added to the response headers, e.g. the headers now contain the line Set-Cookie: JSESSIONID=abcdef;Path=/, but the cookie wasn't added using the wrapper object that I created. I figured out that after I've touched the session I can set the cookie that I want with the attributes that I want. So the workaround was easy.

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SecurityFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // wrap the response so every Set-Cookie header written through it gets the Secure attribute
        response = new SecureCookieSetter((HttpServletResponse)response);

        // touch the session so the container creates it and emits its own JSESSIONID header
        ((HttpServletRequest)request).getSession();

        // overwrite the cookie; the wrapper's setHeader() appends ";Secure" to this value
        ((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");

        // hand the wrapped response down the chain (without this the request never reaches the page)
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SecureCookieSetter extends HttpServletResponseWrapper {

    // matches a Set-Cookie value that already carries Secure, whether or not other attributes follow it
    private static final String HAS_SECURE = "(?i)(^|.*;)\\s*Secure(\\s*;.*)?";

    public SecureCookieSetter(HttpServletResponse response) {
        super(response);
    }

    @Override
    public void addCookie(Cookie cookie) {
        cookie.setSecure(true);
        super.addCookie(cookie);
    }

    @Override
    public void addHeader(String name, String value) {
        // header names are case-insensitive, so "SET-COOKIE" must be treated the same as "Set-Cookie"
        if (name.equalsIgnoreCase("Set-Cookie") && !value.matches(HAS_SECURE)) {
            value = value + ";Secure";
        }
        super.addHeader(name, value);
    }

    @Override
    public void setHeader(String name, String value) {
        if (name.equalsIgnoreCase("Set-Cookie") && !value.matches(HAS_SECURE)) {
            value = value + ";Secure";
        }
        super.setHeader(name, value);
    }

}
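The following is an added example, not the answerer's code, that applies the same workaround to both attributes at once: it wraps the response, touches the session, re-emits JSESSIONID through the wrapper, and appends Secure and HttpOnly only where they are not already present (checked per attribute, case-insensitively, so a cookie that already ends in "; HttpOnly" is not doubled). The class name SessionCookieHardeningFilter is invented; it assumes the javax.servlet API and is mapped in web.xml exactly like the filter above.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.*;
import javax.servlet.http.*;

/** Adds Secure and HttpOnly to every Set-Cookie header written through the wrapped response. */
public class SessionCookieHardeningFilter implements Filter {

    static String withFlags(String setCookie) {
        String lower = setCookie.toLowerCase(Locale.ROOT);
        StringBuilder sb = new StringBuilder(setCookie);
        if (!hasAttribute(lower, "secure"))   sb.append("; Secure");
        if (!hasAttribute(lower, "httponly")) sb.append("; HttpOnly");
        return sb.toString();
    }

    // Attributes are ';'-separated and may carry surrounding whitespace; the first segment is name=value.
    static boolean hasAttribute(String lowerHeader, String attr) {
        for (String part : lowerHeader.split(";")) {
            if (part.trim().equals(attr)) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override public void addHeader(String name, String value) {
                super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withFlags(value) : value);
            }
            @Override public void setHeader(String name, String value) {
                super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withFlags(value) : value);
            }
        };
        // Touching the session makes the container emit JSESSIONID; re-emit it so the wrapper flags it.
        String id = request.getSession().getId();
        response.setHeader("Set-Cookie", "JSESSIONID=" + id + "; Path=/");
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

After deployment, confirm with the browser's network tab or curl -i that the JSESSIONID Set-Cookie line carries both attributes exactly once.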
