
HttpOnly cookies on Tomcat 5.5.36

I saw on the thread "How do you configure HttpOnly cookies in tomcat / java webapps?" that Tomcat 5.5.(>28) is supposed to support the vendor-specific useHttpOnly attribute specified in <Context> elements.

I added this attribute to ALL contexts configured in my server.xml.

However, only the JSESSIONID was appended with the "; HttpOnly" flag. All other cookies are exactly like they were before I added useHttpOnly="true".

Set-Cookie=
JSESSIONID=25E8F...; Path=/custompath; HttpOnly
mycustomcookie1=xxxxxxx; Path=/
mycustomcookie2=1351101062602; Path=/
mycustomcookie3=0; Path=/
mycustomcookie4=1; Path=/; Secure
mycustomcookie5=4000; Expires=Sat, 22-Oct-2022 17:51:02 GMT; Path=/

Is there anything else I need to change?

(Upgrading to Tomcat 6 or 7 is not an option for now. Our system uses a third-party framework based on Tomcat 5.5.)

The useHttpOnly configuration in the server indeed applies to server-controlled cookies such as JSESSIONID only.

For webapp-controlled cookies you have to manually create the entire cookie header yourself. The Cookie class is unsuitable, as the setHttpOnly() method was introduced in Servlet 3.0, but you're using Tomcat 5.5, which, being a Servlet 2.4 container, does not have this method in the Cookie class. You'd need to upgrade to at least Tomcat 7, which is a Servlet 3.0 compatible container.

You can manually create the cookies mentioned in the question as follows:

response.addHeader("Set-Cookie", "mycustomcookie1=xxxxxxx; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie2=1351101062602; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie3=0; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie4=1; Path=/; Secure; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie5=4000; Expires=Sat, 22-Oct-2022 17:51:02 GMT; Path=/; HttpOnly");

It's indeed just a matter of adding the HttpOnly attribute to the cookie header value, separated by ";".

If you'd like to transparently apply this on all cookies, then you might want to provide a custom HttpServletResponseWrapper wherein the addHeader() and setHeader() methods are overridden accordingly to check whether a Set-Cookie header is being set and, if so, add ";HttpOnly" to the value when absent. This way you can keep using addCookie().
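The wrapper approach described in the answer, written out as an added example (not code from the original post or from Tomcat). The class names HttpOnlyFilter and HttpOnlyResponseWrapper are assumed, and the filter is assumed to be mapped to /* in web.xml. One point the answer glosses over: a wrapper only sees calls made on the wrapper itself, and the container's own addCookie() implementation writes the header internally without going through the wrapper's addHeader(), so the wrapper below also overrides addCookie() and renders the cookie as a header string itself. Only Servlet 2.4 API is used, so it compiles against Tomcat 5.5.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical Servlet 2.4 filter that marks every Set-Cookie header sent by
 * the webapp as HttpOnly. Register it in web.xml with a url-pattern of /*.
 */
public class HttpOnlyFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            chain.doFilter(request, new HttpOnlyResponseWrapper((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response);
        }
    }

    /** Hypothetical wrapper; intercepts the three ways a webapp can emit a cookie. */
    static class HttpOnlyResponseWrapper extends HttpServletResponseWrapper {

        HttpOnlyResponseWrapper(HttpServletResponse response) {
            super(response);
        }

        // addCookie() on the wrapped response would bypass our addHeader(), so
        // render the cookie here and push it through the same header path.
        public void addCookie(Cookie cookie) {
            addHeader("Set-Cookie", toHeaderValue(cookie));
        }

        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }

        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }

        // Append "; HttpOnly" unless the attribute is already present (case-insensitive).
        static String withHttpOnly(String value) {
            if (value == null) {
                return null;
            }
            String[] attrs = value.split(";");
            for (int i = 0; i < attrs.length; i++) {
                if ("HttpOnly".equalsIgnoreCase(attrs[i].trim())) {
                    return value;
                }
            }
            return value + "; HttpOnly";
        }

        // Simplified version-0 rendering of a Cookie as a Set-Cookie value.
        // Uses Max-Age rather than the Expires date Tomcat itself would emit.
        static String toHeaderValue(Cookie cookie) {
            StringBuffer sb = new StringBuffer();
            sb.append(cookie.getName()).append('=').append(cookie.getValue());
            if (cookie.getPath() != null) {
                sb.append("; Path=").append(cookie.getPath());
            }
            if (cookie.getDomain() != null) {
                sb.append("; Domain=").append(cookie.getDomain());
            }
            if (cookie.getMaxAge() >= 0) {
                sb.append("; Max-Age=").append(cookie.getMaxAge());
            }
            if (cookie.getSecure()) {
                sb.append("; Secure");
            }
            return sb.toString();
        }
    }
}
```

With the filter in place, the five cookies from the question come out exactly as the answer's hand-written addHeader() calls produce them, and any existing addCookie() code keeps working unchanged. The renderer does not quote values, so cookie values containing ";" or whitespace need quoting before they reach it; verify the result by inspecting the Set-Cookie headers of a response, since JSESSIONID is still handled by the container's own useHttpOnly setting and not by this filter.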
