
Add the 'HttpOnly' attribute to all session cookies

I got the following error when my website was being audited. I have developed my website using JSP, servlets and Java classes.

Missing HttpOnly Attribute in Session Cookie

Security Risks:

It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

Causes:

The web application sets session cookies without the HttpOnly attribute.

Remediation Tasks:

Add the 'HttpOnly' attribute to all session cookies.

I am passing the Java security token as a hidden parameter when clicking on the submit button. How can I add this HttpOnly attribute to that token?

The HttpOnly attribute is set on Cookies, and these are (usually) passed from the server to the client, not from the client to the server. HttpOnly is not an attribute you can set on a form or form parameter. Here the client is the browser and the server is the Java EE server running your Java application.

Cookies are usually created by a server, passed to the browser and then passed back. Now it is possible to create and manipulate Cookies using JavaScript, which can be helpful but can also be a security hole. So an HttpOnly Cookie is only accessible by the server, or in other words it is not accessible from client-side JavaScript, which protects your site from some forms of XSS attacks. So the browser will store and return an HttpOnly Cookie, but it will not alter it or allow you to create it on the client; an HttpOnly Cookie must be created on the server.

If you're using JSP it's likely your server is automatically creating a Cookie to manage sessions for you; this is the cookie on which you need to set the HttpOnly attribute. The method to set HttpOnly on your SESSIONID Cookie will be container specific.

Were you able to set the "HttpOnly" attribute in session cookies?

I found this code to do this on https://www.owasp.org/index.php/HttpOnly

<!-- web.xml (Servlet 3.0+): mark the container's session cookie HttpOnly -->
<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>
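To verify that the fix above actually took effect, here is an added example (not from the question or either answer) that audits raw Set-Cookie header values the way the scanner did: it parses each header and flags session cookies that still lack HttpOnly (and Secure). The cookie names other than JSESSIONID, and the sample headers, are constructed for the example.

```python
"""Audit Set-Cookie headers for session cookies missing HttpOnly.

Added example; parses raw Set-Cookie values as returned by a Java EE
container and reports session cookies without HttpOnly / Secure.
"""

# JSESSIONID is the Servlet spec default session cookie name; the
# other two are assumed examples of custom names an app might use.
SESSION_COOKIE_NAMES = {"jsessionid", "sessionid", "session"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly
    and Secure, which carry no value, map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookies(headers):
    """Return [(cookie_name, [missing_flags])] for session cookies.

    `headers` is a list of raw Set-Cookie header values; cookies that
    are not session cookies are out of scope and skipped.
    """
    findings = []
    for raw in headers:
        name, _, attrs = parse_set_cookie(raw)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        missing = [f for f in ("httponly", "secure") if f not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample headers: one unprotected session cookie, one
# that already has both flags, and one non-session cookie to ignore.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/app",
    "JSESSIONID=DEF456; Path=/app; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_set_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feed it the Set-Cookie values captured from a response to your login page before and after deploying the web.xml change; an empty result means every session cookie now carries both flags.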
