[英]Differentiating HTTPOnly cookies from other in android
在我当前的项目中,我们正在实现Android应用程序与服务器之间的会话处理。 现在,根据我们的设计,Android应用程序应仅接受HTTP Cookie并删除所有其他Cookie。 但是,在所有可用选项中,我找不到任何类或方法来帮助我确定cookie是否为HTTPOnly。
我以以下方式存储cookie:
connections = (HttpURLConnection) serverURL.openConnection();
// Setting cookies manager
java.net.CookieManager manager = new java.net.CookieManager();
manager.setCookiePolicy(new CookiePolicy() {
@Override
public boolean shouldAccept(URI uri, HttpCookie cookie) {
return cookie.getSecure();
}
});
CookieHandler.setDefault(manager);
connections.setDoInput(true);
connections.setDoOutput(true);
connections.setConnectTimeout(TIME_OUT);
connections.getOutputStream().write(data);
InputStream inputStream = connections.getInputStream();
CookieStore cookieJar = manager.getCookieStore();
if (cookieJar != null) {
List<HttpCookie> cookies = cookieJar.getCookies();
for (HttpCookie httpCookie : cookies) {
Log.i("yash", httpCookie.toString());
}
}
但是此HttpCookie没有任何HTTPOnly方法。
通过一些Google浏览器,我发现RFC 6265具有HTTPOnly属性,并且它也使RFC 2965变得模糊。但是,为什么Google不支持此RFC 6265?
根据类文档 ,支持HttpOnly,但是由于某种原因,此字段没有任何访问器或更改器。
为了能够访问和修改httpOnly字段,您应该使用反射:
// Workaround httpOnly (getter)
private boolean getHttpOnly() {
try {
Field fieldHttpOnly = cookie.getClass().getDeclaredField("httpOnly");
fieldHttpOnly.setAccessible(true);
return (boolean) fieldHttpOnly.get(cookie);
} catch (Exception e) {
// NoSuchFieldException || IllegalAccessException ||
// IllegalArgumentException
Log.w(TAG, e);
}
return false;
}
// Workaround httpOnly (setter)
private void setHttpOnly(boolean httpOnly) {
try {
Field fieldHttpOnly = cookie.getClass().getDeclaredField("httpOnly");
fieldHttpOnly.setAccessible(true);
fieldHttpOnly.set(cookie, httpOnly);
} catch (Exception e) {
// NoSuchFieldException || IllegalAccessException ||
// IllegalArgumentException
Log.w(TAG, e);
}
}
如何从android.webkit.CookieManager获取httpOnly cookie
[英]How to get httpOnly cookies from android.webkit.CookieManager
JBoss 5:使用安全的httpOnly cookie并从URL中隐藏jsessionid
[英]JBoss 5: Use secure and httpOnly cookies and hide jsessionid from url
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.