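About the Cookie HttpOnly attribute (Java/web cookie handling + Tomcat JSESSIONID handling)
Other background on cookies is not repeated here; this article mainly covers the HttpOnly attribute problem I ran into in a project.
The Cookie HttpOnly attribute explained
Adding it through a filter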
```java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CookieFilter implements Filter {
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                // Only re-issue the session cookie; cookies[0] is not guaranteed to be it
                if (!"JSESSIONID".equals(cookie.getName())) {
                    continue;
                }
                /*cookie.setMaxAge(3600);
                cookie.setSecure(true);
                resp.addCookie(cookie);*/
                // Servlet 2.5 does not support setting the HttpOnly attribute
                // directly on a Cookie, so the Set-Cookie header is built by hand
                String value = cookie.getValue();
                StringBuilder builder = new StringBuilder();
                builder.append("JSESSIONID=" + value + "; ");
                builder.append("Secure; ");
                builder.append("HttpOnly; ");
                Calendar cal = Calendar.getInstance();
                cal.add(Calendar.HOUR, 1);
                Date date = cal.getTime();
                // Expires must be an HTTP date in GMT with English day and month names
                SimpleDateFormat sdf =
                        new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
                sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
                builder.append("Expires=" + sdf.format(date));
                resp.setHeader("Set-Cookie", builder.toString());
                break;
            }
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}
```
This code is taken from CookieFilter; this way we add the HttpOnly attribute to all cookies.
```
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.3
Created-By: 1.6.0_45-b06 (Sun Microsystems Inc.)
X-Compile-Source-JDK: 1.6
X-Compile-Target-JDK: 1.6

Name: javax/servlet/
Specification-Title: Java API for Servlets
Specification-Version: 3.0
Specification-Vendor: Sun Microsystems, Inc.
Implementation-Title: javax.servlet
Implementation-Version: 3.0.FR
Implementation-Vendor: Apache Software Foundation
```
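The Specification-Version line (highlighted in red in the original post) is the servlet version. Reference: Checking the servlet/JSP version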
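When the manifest reports Specification-Version 3.0 or later, the container can set the flags itself and the hand-built Set-Cookie header is unnecessary. The following is an added example, not code from the original post; the class name SessionCookieHardeningListener and the helper hardenedCookie are hypothetical, and it assumes a Servlet 3.0+ container such as Tomcat 7.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;

// Hypothetical class name; requires the Servlet 3.0 API.
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // The session cookie settings can only be changed while the
        // context is still initializing, which is why this is a listener.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setHttpOnly(true);
        // Forces the Secure flag on JSESSIONID; browsers will then only
        // send the session cookie back over HTTPS.
        cfg.setSecure(true);
        ctx.log("Session cookie flags: HttpOnly=" + cfg.isHttpOnly()
                + ", Secure=" + cfg.isSecure());
    }

    public void contextDestroyed(ServletContextEvent sce) {
    }

    // For application cookies, Servlet 3.0 adds Cookie.setHttpOnly(),
    // which Servlet 2.5 lacks.
    public static Cookie hardenedCookie(String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        return cookie;
    }
}
```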
Configuring the JSESSIONID HttpOnly attribute in Tomcat
Tomcat 5.5 / 6 documentation:
useHttpOnly: Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to false.
Tomcat 7 documentation:
useHttpOnly: Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.
According to the documentation, useHttpOnly defaults to false in Tomcat 6 and 5.5, and to true in Tomcat 7.
```xml
<Context useHttpOnly="true"></Context>
```
Modify tomcat/conf/web.xml:
```xml
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
```
Most material online configures only the above, but in actual testing I found that it was not there.
```xml
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" secure="true"/>
```
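This enables secure on port 8080. After starting Tomcat and accessing the project, both the HttpOnly and Secure attributes turn out to be enabled. Note that secure="true" on a Connector only makes request.isSecure() return true for requests on that port, which is why Tomcat adds the Secure flag to the session cookie; it does not enable TLS on port 8080.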
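To confirm the result rather than eyeballing it in the browser, the Set-Cookie headers returned by the application can be checked for both flags. The following is an added example, not code from the original post; the class name SessionCookieCheck is hypothetical and the header strings are constructed samples.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class SessionCookieCheck {

    /**
     * Returns the flags (HttpOnly, Secure) missing from one Set-Cookie
     * header value, or null when the header sets a different cookie.
     */
    static List<String> missingFlags(String setCookieValue, String cookieName) {
        String[] parts = setCookieValue.split(";");
        String nameValue = parts[0].trim();
        int eq = nameValue.indexOf('=');
        if (eq < 0 || !nameValue.substring(0, eq).trim().equals(cookieName)) {
            return null;
        }
        boolean httpOnly = false;
        boolean secure = false;
        for (int i = 1; i < parts.length; i++) {
            // Attribute names are case-insensitive
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("httponly")) httpOnly = true;
            if (attr.equals("secure")) secure = true;
        }
        List<String> missing = new ArrayList<String>();
        if (!httpOnly) missing.add("HttpOnly");
        if (!secure) missing.add("Secure");
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample headers: no flags, HttpOnly only, both flags,
        // and an unrelated cookie that the check skips.
        List<String> headers = Arrays.asList(
                "JSESSIONID=0123456789ABCDEF; Path=/app",
                "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",
                "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly",
                "theme=dark; Path=/app");
        for (String header : headers) {
            List<String> missing = missingFlags(header, "JSESSIONID");
            if (missing == null) System.out.println("SKIP  " + header);
            else if (missing.isEmpty()) System.out.println("OK    " + header);
            else System.out.println("FAIL  " + header + "  missing " + missing);
        }
    }
}
```

Against a running server, the same method can be fed the values of the Set-Cookie response headers instead of the sample list.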