在 JSESSIONID cookie 中设置 httponly (Java EE 5)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2992473/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Setting httponly in JSESSIONID cookie (Java EE 5)
提问by Mythandros
I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost()by using response.setHeader().
我正在尝试在 JSESSIONID cookie 上设置 httponly 标志。但是,我在 Java EE 5 中工作,无法使用setHttpOnly(). 首先,我尝试doPost()使用response.setHeader().
When that didn't work, I tried response.addHeader(). That didn't work either. Then, I learned that the servlet handled converting the session into a JSESSIONID cookie and inserting it into the http header so if I want to play with that cookie, I'll have to write a filter. I wrote a filter and played with setHeader()/addHeader()there, again to no avail.
当那不起作用时,我尝试了response.addHeader(). 那也没有用。然后,我了解到 servlet 处理将会话转换为 JSESSIONID cookie 并将其插入到 http 标头中,因此如果我想使用该 cookie,我将不得不编写一个过滤器。我写了一个过滤器和玩弄setHeader()/addHeader()那里,又无济于事。
Then, I learned that there's some flush/close action going on in the response object before it gets to the filter so if I want to manipulate the data, I need to extend HttpServletResponseWrapperand pass that to filterChain.doFilter(). This is done but I'm still not getting results. Clearly I'm doing something wrong but I don't know what.
然后,我了解到在响应对象到达过滤器之前有一些刷新/关闭操作正在进行,因此如果我想操作数据,我需要将其扩展HttpServletResponseWrapper并传递给filterChain.doFilter(). 这已经完成,但我仍然没有得到结果。显然我做错了什么,但我不知道是什么。
I'm not sure if this is at all relevant to the question at hand but no html document is being returned by the servlet to the browser. All that's really happening is that some objects are being populated and returned to a JSP document. I've sort of assumed that The Session object is turned into a JSESSIONID cookie and wrapped -- along with the objects added to the request -- in an http header before being sent to the browser.
我不确定这是否与手头的问题完全相关,但是 servlet 没有将 html 文档返回给浏览器。真正发生的只是一些对象被填充并返回到 JSP 文档。我有点假设 Session 对象变成了一个 JSESSIONID cookie 并在发送到浏览器之前将其与添加到请求中的对象一起包装在 http 标头中。
I'd be happy to post some code but I want to rule out the possibility that my difficulties stem from a misunderstanding of the theory first.
我很乐意发布一些代码,但我想排除我的困难首先源于对理论的误解的可能性。
回答by BalusC
Since the JSESSIONIDcookie is managed by the servletcontainer, this setting is servletcontainer specific. It's unclear which one you're using, so here's an Apache Tomcat 6.0targeted answer so that you know in which direction you'll have to look for your servletcontainer: you need to set the useHttpOnlyattribute of the webapplication's <Context>element to true.
由于JSESSIONIDcookie 由 servletcontainer 管理,因此此设置是特定于 servletcontainer 的。不清楚您使用的是哪一个,所以这里有一个针对Apache Tomcat 6.0 的答案,以便您知道必须朝哪个方向寻找 servletcontainer:您需要useHttpOnly将 web 应用程序<Context>元素的属性设置为true.
<Context useHttpOnly="true">
...
</Context>
Also see this Tomcat documentationabout the <Context>element.
另请参阅有关该元素的Tomcat 文档<Context>。
回答by Stéphane Maleyrie
You can use this with Java EE 5:
您可以在 Java EE 5 中使用它:
For Java Enterprise Edition versions prior to Java EE 6 a common workaround is to overwrite the SET-COOKIE http response header with a session cookie value that explicitly appends the HttpOnly flag:
对于 Java EE 6 之前的 Java Enterprise Edition 版本,常见的解决方法是使用会话 cookie 值覆盖 SET-COOKIE http 响应标头,该值显式附加 HttpOnly 标志:
String sessionid = request.getSession().getId();
// be careful overwriting: JSESSIONID may have been set with other flags
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
Source : https://www.owasp.org/index.php/HttpOnly
来源:https: //www.owasp.org/index.php/HttpOnly
I test it into a filter
我把它测试成过滤器
