java httpOnly Session Cookie + Servlet 3.0 (e.g. Glassfish v3)

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same license, cite the original address, and attribute it to the original authors (not me): StackOverflow. Original question: http://stackoverflow.com/questions/3033349/

Date: 2020-10-30 00:02:28  Source: igfitidea

httpOnly Session Cookie + Servlet 3.0 (e.g. Glassfish v3)

Tags: java, servlets, jakarta-ee, glassfish, java-ee-6

Asked by Chris Lercher

By default, Glassfish v3 doesn't set the httpOnly flag on session cookies (when created as usual with request.getSession()).


I know, there is a method javax.servlet.SessionCookieConfig.setHttpOnly(), but I'm not sure, if that's the best way to do it, and if yes, where the best place would be to put that line.


BTW, of course it can't be done in the servlet itself (e.g. in init()):


java.lang.IllegalStateException: PWC1426: 
Unable to configure httpOnly session tracking cookie property for 
servlet context /..., because this servlet context has already been initialized


Generally, I would prefer to use a configuration option e.g. in web.xml.


Answered by Pascal Thivent

This is supported via a Servlet 3.0 web.xml (see web-common_3_0.xsd):


<web-app>
  <session-config>
    <cookie-config>
      <!--             
        Specifies whether any session tracking cookies created 
        by this web application will be marked as HttpOnly
      -->
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>

Answered by Amir Md Amiruzzaman

You can also add <secure>true</secure> to boost the security.


<session-config>
    <cookie-config>
        <http-only>true</http-only> 
        <secure>true</secure>
    </cookie-config>
</session-config>
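The programmatic route the question mentions, SessionCookieConfig.setHttpOnly(), has to run before the servlet context finishes initialising, which is why calling it from a servlet's init() fails with PWC1426. As an added example that is not from the original question or either answer, a ServletContextListener is the usual place for it; the class name is hypothetical, and it sets both flags that the two web.xml answers configure:

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Hypothetical listener name (added example, not code from the question or answers).
// contextInitialized() runs while the context is still being configured, so the
// IllegalStateException thrown when setHttpOnly() is called from a servlet's
// init() does not occur here. Registered via @WebListener; no web.xml entry needed.
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();

        // Same effect as <http-only>true</http-only>: the session cookie is
        // not exposed to script via document.cookie.
        cfg.setHttpOnly(true);

        // Same effect as <secure>true</secure>: the browser only sends the
        // cookie over HTTPS, so it cannot leak on a plaintext request.
        cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to clean up; the cookie configuration dies with the context.
    }
}
```

If both the listener and the web.xml <cookie-config> are present they configure the same SessionCookieConfig, so there is no harm in keeping one as the single source of truth and dropping the other.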