关于Cookie 的HttpOnly属性(java/web操作cookie+Tomcat操作jsessionid)
关于Cookie的其它只是不在累述、本文主要讲讲自己在项目中遇到的cookie的HttpOnly属性问题
Cookie的HttpOnly属性说明
拦截器设置添加
- public class CookieFilter implements Filter {
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException {
- HttpServletRequest req = (HttpServletRequest) request;
- HttpServletResponse resp = (HttpServletResponse) response;
- Cookie[] cookies = req.getCookies();
- if (cookies != null) {
- Cookie cookie = cookies[0];
- if (cookie != null) {
- /*cookie.setMaxAge(3600);
- cookie.setSecure(true);
- resp.addCookie(cookie);*/
- //Servlet 2.5不支持在Cookie上直接设置HttpOnly属性
- String value = cookie.getValue();
- StringBuilder builder = new StringBuilder();
- builder.append("JSESSIONID=" + value + "; ");
- builder.append("Secure; ");
- builder.append("HttpOnly; ");
- Calendar cal = Calendar.getInstance();
- cal.add(Calendar.HOUR, 1);
- Date date = cal.getTime();
- Locale locale = Locale.CHINA;
- SimpleDateFormat sdf =
- new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
- builder.append("Expires=" + sdf.format(date));
- resp.setHeader("Set-Cookie", builder.toString());
- }
- }
- chain.doFilter(req, resp);
- }
- public void destroy() {
- }
- public void init(FilterConfig arg0) throws ServletException {
- }
- }
public class CookieFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response; Cookie[] cookies = req.getCookies(); if (cookies != null) {
Cookie cookie = cookies[0];
if (cookie != null) {
/*cookie.setMaxAge(3600);
cookie.setSecure(true);
resp.addCookie(cookie);*/ //Servlet 2.5不支持在Cookie上直接设置HttpOnly属性
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
builder.append("JSESSIONID=" + value + "; ");
builder.append("Secure; ");
builder.append("HttpOnly; ");
Calendar cal = Calendar.getInstance();
cal.add(Calendar.HOUR, 1);
Date date = cal.getTime();
Locale locale = Locale.CHINA;
SimpleDateFormat sdf =
new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
builder.append("Expires=" + sdf.format(date));
resp.setHeader("Set-Cookie", builder.toString());
}
}
chain.doFilter(req, resp);
} public void destroy() {
} public void init(FilterConfig arg0) throws ServletException {
}
}
此段代码摘自CookieFilter 这样我们吧所有的cookie都添加上了HttpOnly属性。
- Manifest-Version: 1.0
- Ant-Version: Apache Ant 1.9.3
- Created-By: 1.6.0_45-b06 (Sun Microsystems Inc.)
- X-Compile-Source-JDK: 1.6
- X-Compile-Target-JDK: 1.6
- Name: javax/servlet/
- Specification-Title: Java API for Servlets
- <span style="color:#ff0000;">Specification-Version: 3.0</span>
- Specification-Vendor: Sun Microsystems, Inc.
- Implementation-Title: javax.servlet
- Implementation-Version: 3.0.FR
- Implementation-Vendor: Apache Software Foundation
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.3
Created-By: 1.6.0_45-b06 (Sun Microsystems Inc.)
X-Compile-Source-JDK: 1.6
X-Compile-Target-JDK: 1.6 Name: javax/servlet/
Specification-Title: Java API for Servlets
<span style="color:#ff0000;">Specification-Version: 3.0</span>
Specification-Vendor: Sun Microsystems, Inc.
Implementation-Title: javax.servlet
Implementation-Version: 3.0.FR
Implementation-Vendor: Apache Software Foundation
红色字体就是servlet版本。 参考资料:查看servlet/jsp版本
Tomcat配置Jsessionid HttpOnly属性
useHttpOnly Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to false.
useHttpOnlyShould the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.
从文档来看tomcat6及5.5useHttpOnly 默认是false、7则是默认true
- <Context <span style="rgb(255, 204, 51);">useHttpOnly="true"</span>></context>
<Context <span style="">useHttpOnly="true"</span>></context>
修改tomcat/conf/web.xml
- <session-config>
- <session-timeout>30</session-timeout>
- <span style="rgb(255, 204, 51);"><cookie-config>
- <http-only>true</http-only>
- </cookie-config></span>
- </session-config>
<session-config>
<session-timeout>30</session-timeout>
<span style=""><cookie-config>
<http-only>true</http-only>
</cookie-config></span>
</session-config>
网上大部分资料只配置以上、但实测却发现没有
- <Connector port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" <span style="rgb(255, 204, 51);">secure="true"</span>/>
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" <span style="">secure="true"</span>/>
给8080端口启用安全、这样启动Tomcat访问项目发现HttpOnly及secure属性都已经启动
关于Cookie 的HttpOnly属性(java/web操作cookie+Tomcat操作jsessionid)的更多相关文章
- PHP设置COOKIE的HttpOnly属性
httponly是微软对cookie做的扩展.这个主要是解决用户的cookie可能被盗用的问题. 大家都知道,当我们去邮箱或者论坛登陆后,服务器会写一些cookie到我们的浏览器,当下次再访问其他页面 ...
- Servlet 2.5为cookie配置HTTPOnly属性
cookie的HTTPOnly属性,主要是用来防止JavaScript来读取cookie,默认情况下,JavaScript可以通过document.cookie来读取cookie,这样是很不安全的.通 ...
- eclipse配置tomcat,并部署一个Java web项目到tomcat上
引用链接:https://blog.csdn.net/cincoutcin/article/details/79408484 eclipse配置tomcat 1.windows——preference ...
- Java web学习 Cookie&&Session
cookie&&session 会话技术 从打开一个浏览器访问某个站点,到关闭这个浏览器的整个过程,成为一次会话.会 话技术就是记录这次会话中客户端的状态与数据的. 会话技术分为Coo ...
- Java Web之Cookie、Session
讲Cookie和Seesion之前,先讲一下HTTP连接其实是无序的,服务器不知道是谁在访问它.现在我们来实现一个简单的邮箱功能. 要求: 1.登录页面登录之后看到收件箱和欢迎我 2.点击收件箱看到几 ...
- java web(七)Cookie的简单使用
一.概述 测试 //1.创建一个Cookie对象 //Cookie cookie1=new Cookie("name","xrk"); //2.调用 ...
- java web中cookie的永久创建与撤销
一.首先是创建cookie 当在数据库中查找知道所输入的用户名和密码正确之后,就开始创建: String cb=request.getParameter("cb");//cb就是登 ...
- CentOS上搭建java WEB开发环境Tomcat+MySQL+JDK
对于初学者来说,想在linux系统上搭建一个java web服务器,不知道什么方案可行, 这篇文章主要是告诉这些基础和概念相对薄弱的同学,这样搭建是可行的,大体上没问 题的,出问题也是细节问题.所以此 ...
- Java Web项目部署Tomcat运行出错
1.在部署Java Web项目的过程中,启动Tomcat出现报错提示 具体报错如下: Could not load the Tomcat server configuration at \Server ...
随机推荐
- 2018南京icpc现场赛心得
第一次参加icpc的比赛,也是第一块奖牌,虽然只是铜,但其实打的已经很好了,稍微差一点就可以摸银了. 之前参加省赛,成为那次比赛我校唯一一个没拿奖的队伍,其实还是一直都有一些心结的,而这段时间和新的队 ...
- CF E2 - Array and Segments (Hard version) (线段树)
题意给定一个长度为n的序列,和m个区间.对一个区间的操作是:对整个区间的数-1可以选择任意个区间(可以为0个.每个区间最多被选择一次)进行操作后,要求最大化的序列极差(极差即最大值 - 最小值).ea ...
- 108th LeetCode Weekly Contest Unique Email Addresses
Every email consists of a local name and a domain name, separated by the @ sign. For example, in ali ...
- HDU - 3038 带权并查集
这道题我拖了有8个月... 今天放假拉出来研究一下带权的正确性,还有半开半闭的处理还有ab指向的一系列细节问题 #include<iostream> #include<algorit ...
- es6 封装一个基础的表单验证
1, 需求分析 设计一个通用的表单验证,如果后期表单中添加了更多的需求,不需要更改之前的代码逻辑,最好不要改之前的代码,需要加什么直接加就好了. 2,代码分析 此表单验证最好返回一个函数,在api设计 ...
- python操作Spark常用命令
1. 获取SparkSession spark = SparkSession.builder.config(conf = SparkConf()).getOrCreate() 2. 获取SparkCo ...
- 给新人看的 JavaScript的继承
//这个继承方式是给新人看的,逻辑简单一些 Object.extend=function(props){ //继承父类 var prototype=Object.create(this.prototy ...
- Spring JDBC Framework
引自 :学习经典:Spring JDBC Framework 这里记录我对Spring JDBC框架的学习.由于Spring JDBC和我之前做的工作有很多共同之处,学习经典Framework的设计, ...
- 全网备份脚本rsync
一,服务端配置 #!/bin/sh ######################################################### #by:kingle # #use: confi ...
- 飞檐走壁navMesh
http://www.manew.com/thread-106030-1-1.html