在JSESSIONID cookie中设置httponly(Java EE 5)
[英]Setting httponly in JSESSIONID cookie (Java EE 5)
问题描述
I'm trying to set the httponly flag on the JSESSIONID cookie. 
我正在尝试在JSESSIONID cookie上设置httponly标志。 I'm working in Java EE 5, however, and can't use setHttpOnly() . 但是,我在Java EE 5中工作,不能使用setHttpOnly() 。 First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader() . 首先,我尝试使用response.setHeader()从servlet的doPost()创建自己的JSESSIONID cookie。
When that didn't work, I tried response.addHeader() . 当这不起作用时,我尝试了response.addHeader() 。 That didn't work either. 那也行不通。 Then, I learned that the servlet handled converting the session into a JSESSIONID cookie and inserting it into the http header so if I want to play with that cookie, I'll have to write a filter. 然后,我了解到servlet处理将会话转换为JSESSIONID cookie并将其插入http头中,因此如果我想使用该cookie,我将不得不编写一个过滤器。 I wrote a filter and played with setHeader() / addHeader() there, again to no avail. 我写了一个过滤器并在setHeader()玩setHeader() / addHeader() ,再次无济于事。
Then, I learned that there's some flush/close action going on in the response object before it gets to the filter so if I want to manipulate the data, I need to extend HttpServletResponseWrapper and pass that to filterChain.doFilter() . 然后,我了解到响应对象在进入过滤器之前会有一些刷新/关闭动作,所以如果我想操纵数据,我需要扩展HttpServletResponseWrapper并将其传递给filterChain.doFilter() 。 This is done but I'm still not getting results. 这已经完成,但我仍然没有得到结果。 Clearly I'm doing something wrong but I don't know what. 显然我做错了但我不知道是什么。
I'm not sure if this is at all relevant to the question at hand but no html document is being returned by the servlet to the browser. 我不确定这与手头的问题是否完全相关,但servlet没有将任何html文档返回给浏览器。 All that's really happening is that some objects are being populated and returned to a JSP document. 所有真正发生的事情是正在填充一些对象并将其返回到JSP文档。 I've sort of assumed that The Session object is turned into a JSESSIONID cookie and wrapped -- along with the objects added to the request -- in an http header before being sent to the browser. 我有点假设Session对象被转换为JSESSIONID cookie,并在发送到浏览器之前将其与添加到请求中的对象一起包装在http标头中。
I'd be happy to post some code but I want to rule out the possibility that my difficulties stem from a misunderstanding of the theory first. 我很乐意发布一些代码,但我想排除我的困难源于对该理论的误解的可能性。
2 个解决方案
解决方案1
11 2010-06-07 20:00:11
Since the JSESSIONID cookie is managed by the servletcontainer, this setting is servletcontainer specific. 由于JSESSIONID cookie由servletcontainer管理,因此该设置是特定于servletcontainer的。 It's unclear which one you're using, so here's an Apache Tomcat 6.0 targeted answer so that you know in which direction you'll have to look for your servletcontainer: you need to set the useHttpOnly attribute of the webapplication's <Context> element to true . 目前还不清楚你正在使用哪一个,所以这里是一个Apache Tomcat 6.0目标答案,这样你就知道你需要在哪个方向寻找你的servletcontainer:你需要将webapplication的<Context>元素的useHttpOnly属性设置为true 。
<Context useHttpOnly="true">
...
</Context>
Also see this Tomcat documentation about the <Context> element. 另请参阅有关<Context>元素的Tomcat文档 。
解决方案2
5 2013-06-21 11:24:34
You can use this with Java EE 5: 您可以在Java EE 5中使用它:
For Java Enterprise Edition versions prior to Java EE 6 a common workaround is to overwrite the SET-COOKIE http response header with a session cookie value that explicitly appends the HttpOnly flag: 对于Java EE 6之前的Java Enterprise Edition版本,常见的解决方法是使用显式附加HttpOnly标志的会话cookie值覆盖SET-COOKIE http响应头:
String sessionid = request.getSession().getId();
// be careful overwriting: JSESSIONID may have been set with other flags
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
Source : https://www.owasp.org/index.php/HttpOnly 资料来源: https : //www.owasp.org/index.php/HttpOnly
I test it into a filter 我把它测试成一个过滤器
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.