Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/4578506/

Time: 2020-10-30 07:02:17  Source: igfitidea

servlet set cookie secure?

Tags: java, servlets, session-cookies

Asked by cometta

javax.servlet.http.Cookie implements java.lang.Cloneable

In the Cookie methods, there is a method called "setSecure". What is it used for? If I call setSecure(true), is there anything I need to do on my client (JavaScript) side to read the cookie? What is the difference between setting and not setting setSecure?

Answered by T.J. Crowder

All that setSecure(true) does is tell the browser that the cookie should only be sent back to the server if using a "secure" protocol, like https. Your JavaScript code doesn't have to do anything different.

Answered by Al-Kathiri Khalid

Yup, this ensures that your session cookie is not visible to an attacker, as in a man-in-the-middle attack. Instead of setting it manually, you could alternatively configure your web.xml to handle it for you automatically.

<session-config>
   <cookie-config>
      <secure>true</secure>
   </cookie-config>
</session-config>
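
Added example, not part of the original answers: a simplified JavaScript model of the browser behaviour described above (a Secure cookie is only sent back over https), extended to the HttpOnly attribute, which is what decides whether page script can read a cookie. The cookie names, values and example.test URLs are constructed, and domain, path and expiry matching are left out.

```javascript
// Simplified model of how a browser treats the Secure and HttpOnly
// cookie attributes. All header values below are constructed samples.

// Parse one Set-Cookie header value into { name, value, secure, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("malformed cookie pair: " + pair);
  const flags = new Set(attrs.map((a) => a.split("=")[0].trim().toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: flags.has("secure"),
    httpOnly: flags.has("httponly"),
  };
}

// Cookie header the browser would attach to a request for `url`.
// Secure cookies are withheld unless the scheme is https.
function cookieHeaderFor(url, jar) {
  const isHttps = new URL(url).protocol === "https:";
  return jar
    .filter((c) => isHttps || !c.secure)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What page script would see in document.cookie. HttpOnly hides a cookie
// from script; Secure only requires that the page was loaded over https.
function documentCookieFor(pageUrl, jar) {
  const isHttps = new URL(pageUrl).protocol === "https:";
  return jar
    .filter((c) => !c.httpOnly && (isHttps || !c.secure))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed responses: a session cookie as a servlet container could
// emit it with <secure>true</secure>, plus two ordinary cookies.
const jar = [
  "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
  "theme=dark; Path=/; Secure",
  "lang=en; Path=/",
].map(parseSetCookie);

console.log("http request :", cookieHeaderFor("http://example.test/app", jar));
console.log("https request:", cookieHeaderFor("https://example.test/app", jar));
console.log("script, https:", documentCookieFor("https://example.test/app", jar));
```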