I need to restrict access to a cookie containing a session token so that javascript can't access it. Advice that was given was to set Secure and HttpOnly flags on the cookie.

我需要限制对包含会话令牌的 cookie 的访问，以便 javascript 无法访问它。给出的建议是在 cookie 上设置 Secure 和 HttpOnly 标志。

I was having trouble with cookies not being set when using @ResponseBody, so I'm setting the cookies inside a HandlerInterceptor.

我在使用 @ResponseBody 时遇到了没有设置 cookie 的问题，所以我在 HandlerInterceptor 中设置了 cookie。

public class COOKIEFilter implements org.springframework.web.servlet.HandlerInterceptor  {

    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {

        Cookie cookie = new Cookie("timestamp", new Long(new Date().getTime()).toString());
        cookie.setSecure(true);
        // how do I set the http-only flag?
        httpServletResponse.addCookie(cookie);

        return true;
    }

As shown in the chrome console, Secure is set, but not HTTP

如chrome控制台所示，设置了Secure，但没有设置HTTP

I've tried adding parameters to web.xml under servlet 3.0 sepcification that allows for secure and http-only to be set on session cookies, but since I need to handle the session myself (Spring MVC application needs to remain stateless), that won't work for me.

我已经尝试在 servlet 3.0 sepcification 下向 web.xml 添加参数，允许在会话 cookie 上设置安全和 http-only，但由于我需要自己处理会话（Spring MVC 应用程序需要保持无状态），所以赢了不适合我。

Update:

更新：

I'm using Tomcat7, currently with Servlet 2.5 and Spring 3.2.8.

我正在使用 Tomcat7，目前使用 Servlet 2.5 和 Spring 3.2.8。