关于Cookie 的HttpOnly属性(java/web操作cookie+Tomcat操作jsessionid)
关于Cookie的其它只是不在累述、本文主要讲讲自己在项目中遇到的cookie的HttpOnly属性问题
Cookie的HttpOnly属性说明
拦截器设置添加
- public class CookieFilter implements Filter {
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException {
- HttpServletRequest req = (HttpServletRequest) request;
- HttpServletResponse resp = (HttpServletResponse) response;
- Cookie[] cookies = req.getCookies();
- if (cookies != null) {
- Cookie cookie = cookies[0];
- if (cookie != null) {
- /*cookie.setMaxAge(3600);
- cookie.setSecure(true);
- resp.addCookie(cookie);*/
- //Servlet 2.5不支持在Cookie上直接设置HttpOnly属性
- String value = cookie.getValue();
- StringBuilder builder = new StringBuilder();
- builder.append("JSESSIONID=" + value + "; ");
- builder.append("Secure; ");
- builder.append("HttpOnly; ");
- Calendar cal = Calendar.getInstance();
- cal.add(Calendar.HOUR, 1);
- Date date = cal.getTime();
- Locale locale = Locale.CHINA;
- SimpleDateFormat sdf =
- new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
- builder.append("Expires=" + sdf.format(date));
- resp.setHeader("Set-Cookie", builder.toString());
- }
- }
- chain.doFilter(req, resp);
- }
- public void destroy() {
- }
- public void init(FilterConfig arg0) throws ServletException {
- }
- }
public class CookieFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response; Cookie[] cookies = req.getCookies(); if (cookies != null) {
Cookie cookie = cookies[0];
if (cookie != null) {
/*cookie.setMaxAge(3600);
cookie.setSecure(true);
resp.addCookie(cookie);*/ //Servlet 2.5不支持在Cookie上直接设置HttpOnly属性
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
builder.append("JSESSIONID=" + value + "; ");
builder.append("Secure; ");
builder.append("HttpOnly; ");
Calendar cal = Calendar.getInstance();
cal.add(Calendar.HOUR, 1);
Date date = cal.getTime();
Locale locale = Locale.CHINA;
SimpleDateFormat sdf =
new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
builder.append("Expires=" + sdf.format(date));
resp.setHeader("Set-Cookie", builder.toString());
}
}
chain.doFilter(req, resp);
} public void destroy() {
} public void init(FilterConfig arg0) throws ServletException {
}
}
此段代码摘自CookieFilter 这样我们吧所有的cookie都添加上了HttpOnly属性。
- Manifest-Version: 1.0
- Ant-Version: Apache Ant 1.9.3
- Created-By: 1.6.0_45-b06 (Sun Microsystems Inc.)
- X-Compile-Source-JDK: 1.6
- X-Compile-Target-JDK: 1.6
- Name: javax/servlet/
- Specification-Title: Java API for Servlets
- <span style="color:#ff0000;">Specification-Version: 3.0</span>
- Specification-Vendor: Sun Microsystems, Inc.
- Implementation-Title: javax.servlet
- Implementation-Version: 3.0.FR
- Implementation-Vendor: Apache Software Foundation
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.3
Created-By: 1.6.0_45-b06 (Sun Microsystems Inc.)
X-Compile-Source-JDK: 1.6
X-Compile-Target-JDK: 1.6 Name: javax/servlet/
Specification-Title: Java API for Servlets
<span style="color:#ff0000;">Specification-Version: 3.0</span>
Specification-Vendor: Sun Microsystems, Inc.
Implementation-Title: javax.servlet
Implementation-Version: 3.0.FR
Implementation-Vendor: Apache Software Foundation
红色字体就是servlet版本。 参考资料:查看servlet/jsp版本
Tomcat配置Jsessionid HttpOnly属性
useHttpOnly Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to false.
useHttpOnlyShould the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.
从文档来看tomcat6及5.5useHttpOnly 默认是false、7则是默认true
- <Context <span style="rgb(255, 204, 51);">useHttpOnly="true"</span>></context>
<Context <span style="">useHttpOnly="true"</span>></context>
修改tomcat/conf/web.xml
- <session-config>
- <session-timeout>30</session-timeout>
- <span style="rgb(255, 204, 51);"><cookie-config>
- <http-only>true</http-only>
- </cookie-config></span>
- </session-config>
<session-config>
<session-timeout>30</session-timeout>
<span style=""><cookie-config>
<http-only>true</http-only>
</cookie-config></span>
</session-config>
网上大部分资料只配置以上、但实测却发现没有
- <Connector port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" <span style="rgb(255, 204, 51);">secure="true"</span>/>
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" <span style="">secure="true"</span>/>
给8080端口启用安全、这样启动Tomcat访问项目发现HttpOnly及secure属性都已经启动
关于Cookie 的HttpOnly属性(java/web操作cookie+Tomcat操作jsessionid)的更多相关文章
- PHP设置COOKIE的HttpOnly属性
httponly是微软对cookie做的扩展.这个主要是解决用户的cookie可能被盗用的问题. 大家都知道,当我们去邮箱或者论坛登陆后,服务器会写一些cookie到我们的浏览器,当下次再访问其他页面 ...
- Servlet 2.5为cookie配置HTTPOnly属性
cookie的HTTPOnly属性,主要是用来防止JavaScript来读取cookie,默认情况下,JavaScript可以通过document.cookie来读取cookie,这样是很不安全的.通 ...
- eclipse配置tomcat,并部署一个Java web项目到tomcat上
引用链接:https://blog.csdn.net/cincoutcin/article/details/79408484 eclipse配置tomcat 1.windows——preference ...
- Java web学习 Cookie&&Session
cookie&&session 会话技术 从打开一个浏览器访问某个站点,到关闭这个浏览器的整个过程,成为一次会话.会 话技术就是记录这次会话中客户端的状态与数据的. 会话技术分为Coo ...
- Java Web之Cookie、Session
讲Cookie和Seesion之前,先讲一下HTTP连接其实是无序的,服务器不知道是谁在访问它.现在我们来实现一个简单的邮箱功能. 要求: 1.登录页面登录之后看到收件箱和欢迎我 2.点击收件箱看到几 ...
- java web(七)Cookie的简单使用
一.概述 测试 //1.创建一个Cookie对象 //Cookie cookie1=new Cookie("name","xrk"); //2.调用 ...
- java web中cookie的永久创建与撤销
一.首先是创建cookie 当在数据库中查找知道所输入的用户名和密码正确之后,就开始创建: String cb=request.getParameter("cb");//cb就是登 ...
- CentOS上搭建java WEB开发环境Tomcat+MySQL+JDK
对于初学者来说,想在linux系统上搭建一个java web服务器,不知道什么方案可行, 这篇文章主要是告诉这些基础和概念相对薄弱的同学,这样搭建是可行的,大体上没问 题的,出问题也是细节问题.所以此 ...
- Java Web项目部署Tomcat运行出错
1.在部署Java Web项目的过程中,启动Tomcat出现报错提示 具体报错如下: Could not load the Tomcat server configuration at \Server ...
随机推荐
- yyy的python3第七天学习
望着小月亮:https://www.cnblogs.com/triple-y/ 请尊重原创:https://www.cnblogs.com/triple-y/p/9655753.html 第七天学习的 ...
- PHP7 关于变量的基本判断
刚学 PHP ,一些基础还不太牢固,边实践边记录. about NULL $class_name = null; 语句结束后,$class_name 是空,没有,什么都没有的“空”.用 is_null ...
- Miller_Rabin素数测试【学习笔记】
引语:在数论中,对于素数的研究一直就很多,素数测试的方法也是非常多,如埃式筛法,6N±1法,或者直接暴力判(试除法).但是如果要判断比较大的数是否为素数,那么传统的试除法和筛法都不再适用.所以我们需要 ...
- HDU6311 Cover (欧拉路径->无向图有最少用多少条边不重复的路径可以覆盖一个张无向图)
题意:有最少用多少条边不重复的路径可以覆盖一个张无向图 ,输出每条路径的边的序号 , 如果是反向就输出-id. 也就是可以多少次一笔画的方式画完这个无向图. 题解:我们已知最优胜的情况是整个图是欧拉图 ...
- Oracle 11g 记录DML错误数据
[From] https://oracle-base.com/articles/10g/dml-error-logging-10gr2 需要记录下大量DML操作中出错的具体record,看到有两种方案 ...
- C++ GUI Qt4编程(04)-2.1findDialog
finddialog.h /* * 未实现findNextSignal和findPreviousSignal */ #ifndef FINDDIALOG_H #define FINDDIALOG_H ...
- Java swing中的keyListener使用事例
最近在学习Java swing,写了一个域内聊天室,实现用户登录ip,端口号之后,进入聊天窗口聊天: 通过菜单条增加了几个功能,边框,字体,颜色和文件传输.风格里的样式都可以通过自己选择来设置. 介绍 ...
- 2.rabbitmq 系列教程
rabbitmq系列教程-文章[转] 视频分享: 链接:https://pan.baidu.com/s/1s_Qr2A1o0s8Ru0exK62jqg 提取码:eb68
- Caused by java.lang.IllegalStateException Not allowed to start service Intent { cmp=com.x.x.x/.x.x.xService }: app is in background uid UidRecord(一)
Caused by java.lang.IllegalStateException Not allowed to start service Intent { cmp=com.x.x.x/.x.x.x ...
- Python 的 __new__()方法与实例化
__new__() 是新式类中才有的方法,它执行在构造方法创建实例之前.可以这么理解,在 Python 中类中的构造方法 __init__() 负责将类实例化,而在 __init__() 启动之前,_ ...