• On the HttpOnly attribute of cookies (handling cookies in Java web applications, and Tomcat's JSESSIONID)


Other aspects of cookies are not repeated here; this post is about the HttpOnly-attribute problem I ran into in a project.

What the HttpOnly attribute of a cookie means

Cookies have two newer attributes, Secure and HttpOnly; between them they restrict a cookie to being sent over HTTP only and to not being accessible from script. HttpOnly therefore defends against XSS to some extent (XSS is similar in spirit to SQL injection; plenty of material is available via Baidu). In a web application, if the JSESSIONID cookie is not set HttpOnly, the client's session and cookie can be stolen or manipulated and used to impersonate a legitimate user, letting an attacker view or change that user's records and perform transactions as that user.
HttpOnly requires browser support; IE 6 and Firefox 3.0 and later all support it. Java EE 6 also supports setting HttpOnly, and the Servlet 3.0 specification added an API for it.
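The Servlet 3.0 API mentioned above, as an added example (not code from the original post): a ServletContextListener that turns on HttpOnly for the container's session cookie programmatically, which is the equivalent of the web.xml cookie-config shown later in the post, plus a helper that sets the flag on a cookie the application creates itself. It needs a Servlet 3.0 container such as Tomcat 7; the class name and the `app.https` system property used to decide the Secure flag are this example's own assumptions.

```java
// Added example (not from the original post): the Servlet 3.0 way to make the
// container's session cookie (JSESSIONID) HttpOnly, and to flag a cookie that
// application code creates. Requires a Servlet 3.0 container (Tomcat 7 or later).
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Programmatic equivalent of
        // <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>
        // in web.xml. SessionCookieConfig may only be changed while the context is
        // still initialising, which is exactly when this listener runs.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setHttpOnly(true);
        // A Secure cookie is never sent by the browser over plain http://, so only
        // set it when the application is really served over HTTPS. The system
        // property "app.https" is an assumption of this example.
        boolean servedOverHttps = Boolean.parseBoolean(System.getProperty("app.https", "false"));
        cfg.setSecure(servedOverHttps);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }

    /** Builds an application cookie with the flags set through the Servlet 3.0 Cookie API. */
    public static Cookie hardenedCookie(String name, String value, boolean secure) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);   // Servlet 3.0: not readable from document.cookie
        c.setSecure(secure);   // HTTPS only, when the site is served over HTTPS
        c.setPath("/");        // one cookie for the whole site, not per request directory
        c.setMaxAge(3600);     // one hour, as in the post's commented-out setMaxAge(3600)
        return c;
    }

    /** Convenience wrapper: add a hardened cookie to a response. */
    public static void addHardenedCookie(HttpServletResponse resp, String name, String value,
                                         boolean secure) {
        resp.addCookie(hardenedCookie(name, value, secure));
    }
}
```

Because the listener runs before any request is served, every JSESSIONID the container issues afterwards already carries HttpOnly; there is no need to rewrite cookies on each request.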
     

Adding the attribute with a filter

We can configure a filter that intercepts every request and adds the HttpOnly attribute to the cookie:
```java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CookieFilter implements Filter {
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        Cookie[] cookies = req.getCookies();

        if (cookies != null) {
            // Look the session cookie up by name; it is not guaranteed to be cookies[0]
            Cookie cookie = null;
            for (Cookie c : cookies) {
                if ("JSESSIONID".equals(c.getName())) {
                    cookie = c;
                    break;
                }
            }
            if (cookie != null) {
                /*cookie.setMaxAge(3600);
                cookie.setSecure(true);
                resp.addCookie(cookie);*/

                // Servlet 2.5 cannot set HttpOnly on a Cookie object directly,
                // so the Set-Cookie header is assembled by hand
                String value = cookie.getValue();
                StringBuilder builder = new StringBuilder();
                builder.append("JSESSIONID=" + value + "; ");
                // Use the same path Tomcat gives JSESSIONID (the context path); without
                // it the browser scopes the rewritten cookie to this request's directory
                String path = req.getContextPath();
                builder.append("Path=" + (path.length() == 0 ? "/" : path) + "; ");
                builder.append("Secure; ");
                builder.append("HttpOnly; ");
                Calendar cal = Calendar.getInstance();
                cal.add(Calendar.HOUR, 1);
                Date date = cal.getTime();
                // Expires must be an RFC 1123 date in GMT, e.g. "Wed, 09 Jun 2021 10:18:14 GMT";
                // "dd-MM-yyyy HH:mm:ss" with Locale.CHINA is not a format browsers accept
                SimpleDateFormat sdf =
                        new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
                sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
                builder.append("Expires=" + sdf.format(date));
                resp.setHeader("Set-Cookie", builder.toString());
            }
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}
```
This code is taken from CookieFilter; with it we add the HttpOnly attribute to the cookies.
Note: this needs Servlet 3.0 support; Tomcat 7 is fine. To check the servlet version, find servlet-api.jar in the Tomcat/lib folder, unzip it, and open servlet-api\META-INF\MANIFEST.MF (EditPlus, Notepad++ or any text editor will do):
```
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.3
Created-By: 1.6.0_45-b06 (Sun Microsystems Inc.)
X-Compile-Source-JDK: 1.6
X-Compile-Target-JDK: 1.6

Name: javax/servlet/
Specification-Title: Java API for Servlets
Specification-Version: 3.0
Specification-Vendor: Sun Microsystems, Inc.
Implementation-Title: javax.servlet
Implementation-Version: 3.0.FR
Implementation-Vendor: Apache Software Foundation
```
The Specification-Version line (shown in red in the original post) is the servlet version. Reference: how to check the servlet/JSP version.
Adding the HttpOnly attribute to the cookie through the response in a filter like this is not entirely reasonable in some situations and can affect the project. After doing this, my project worked fine in Google Chrome, but problems appeared in Firefox and IE. Our pages use the Tiles framework for layout: after login, LoginAction returns a Struts result that forwards to Tiles, and Tiles then sends its own requests to load data. That is where the problem appeared: the requests sent at that point belonged to a different session from the earlier ones, causing errors. Disabling CookieFilter made the problem go away, so I suspect the HttpOnly attribute caused the session to change.
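An alternative way to do what the filter above does on a Servlet 2.5 container, as an added example that is not code from the original post: instead of building a replacement JSESSIONID header from the request cookie, the response is wrapped and "; HttpOnly" is appended to every Set-Cookie header as it is written, so name, value, Path and expiry stay exactly as the code that set the cookie produced them. One caveat: Tomcat writes the JSESSIONID cookie through its own internal response object rather than through the filter chain's wrapper, so this filter covers cookies the application sets; for the session cookie itself, use the container setting described in the next section. The class and filter names are this example's own.

```java
// Added example (not from the original post): a Servlet 2.5-compatible filter that
// adds HttpOnly to every Set-Cookie header the application writes, by wrapping the
// response. Nothing else about the cookie (name, Path, Max-Age, Secure) is changed.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class HttpOnlyResponseFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream sees the wrapper, so its Set-Cookie headers are rewritten
        chain.doFilter(request, new HttpOnlyResponseWrapper((HttpServletResponse) response));
    }

    public void init(FilterConfig cfg) throws ServletException {
    }

    public void destroy() {
    }

    /** Appends "; HttpOnly" to a Set-Cookie header value unless the flag is already present. */
    static String withHttpOnly(String setCookieValue) {
        if (setCookieValue == null) {
            return null;
        }
        for (String part : setCookieValue.split(";")) {
            if (part.trim().equalsIgnoreCase("HttpOnly")) {
                return setCookieValue; // already flagged, do not duplicate
            }
        }
        return setCookieValue + "; HttpOnly";
    }

    static class HttpOnlyResponseWrapper extends HttpServletResponseWrapper {
        HttpOnlyResponseWrapper(HttpServletResponse resp) {
            super(resp);
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Servlet 2.5 Cookie has no setHttpOnly(), so serialise the cookie by hand and
            // route it through addHeader, where the flag is appended.
            StringBuilder sb = new StringBuilder(cookie.getName()).append('=').append(cookie.getValue());
            if (cookie.getPath() != null) {
                sb.append("; Path=").append(cookie.getPath());
            }
            if (cookie.getDomain() != null) {
                sb.append("; Domain=").append(cookie.getDomain());
            }
            if (cookie.getMaxAge() >= 0) {
                // Max-Age is honoured by modern browsers; old IE versions only understand Expires
                sb.append("; Max-Age=").append(cookie.getMaxAge());
            }
            if (cookie.getSecure()) {
                sb.append("; Secure");
            }
            addHeader("Set-Cookie", sb.toString());
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }
    }
}
```

Map the filter to `/*` in web.xml so that it wraps every response. Because it never re-issues a cookie with a different Path, the browser keeps a single JSESSIONID cookie per context.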
     

Configuring the JSESSIONID HttpOnly attribute in Tomcat

In some web projects there are essentially no cookies set by hand; the only cookie is Tomcat's JSESSIONID session cookie. In that case we can make JSESSIONID HttpOnly by default through Tomcat's configuration.
Tomcat 6 official documentation:

    useHttpOnly  Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to false.

Tomcat 7 official documentation:

    useHttpOnly  Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.

According to the documentation, useHttpOnly defaults to false in Tomcat 6 and 5.5, and to true in Tomcat 7.

Edit tomcat/conf/context.xml:
```xml
<Context useHttpOnly="true"></Context>
```
Edit tomcat/conf/web.xml:
```xml
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
```
Most material online stops at the configuration above, but in my tests it had no effect.
You also have to configure the secure attribute.
Edit tomcat/conf/server.xml:
```xml
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" secure="true"/>
```
This enables secure on port 8080; after starting Tomcat and opening the project, both the HttpOnly and Secure attributes are present.
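A way to verify the result of the configuration above without a browser, as an added example (not code from the original post): a small Java program that requests a page, picks the JSESSIONID Set-Cookie header out of the response and reports which of the expected attributes are missing. The default URL http://localhost:8080/ and the class name are this example's assumptions; pass the URL of a page that actually creates a session (most JSPs do). Keep in mind that a cookie carrying Secure is only returned by the browser over HTTPS, so with secure="true" on the plain 8080 connector the session cookie will not come back over http://; check against the URL users really use.

```java
// Added example (not from the original post): audits the Set-Cookie header a
// running Tomcat returns for JSESSIONID. The default URL is an assumption.
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class SessionCookieAudit {

    /**
     * Returns those of the required attribute names (e.g. "HttpOnly", "Secure") that
     * do not appear in the given Set-Cookie header value. Attribute matching is
     * case-insensitive, as browsers treat it.
     */
    public static List<String> missingAttributes(String setCookie, String... required) {
        List<String> missing = new ArrayList<String>();
        String[] parts = setCookie.split(";");
        for (String attr : required) {
            boolean found = false;
            for (int i = 1; i < parts.length; i++) {            // parts[0] is name=value
                String p = parts[i].trim();
                int eq = p.indexOf('=');
                String key = eq < 0 ? p : p.substring(0, eq).trim();
                if (key.equalsIgnoreCase(attr)) {
                    found = true;
                    break;
                }
            }
            if (!found) {
                missing.add(attr);
            }
        }
        return missing;
    }

    /** Fetches the URL once and returns every Set-Cookie header value in the response. */
    public static List<String> fetchSetCookies(String target) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(target).openConnection();
        conn.setInstanceFollowRedirects(false);   // the cookie is on the first response
        conn.connect();
        List<String> result = new ArrayList<String>();
        // Header names are compared case-insensitively; the status line has a null key
        for (Map.Entry<String, List<String>> e : conn.getHeaderFields().entrySet()) {
            if (e.getKey() != null && e.getKey().equalsIgnoreCase("Set-Cookie")) {
                result.addAll(e.getValue());
            }
        }
        conn.disconnect();
        return result;
    }

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : "http://localhost:8080/";   // assumption
        List<String> setCookies = fetchSetCookies(target);
        boolean sawSessionCookie = false;
        for (String sc : setCookies) {
            if (!sc.startsWith("JSESSIONID=")) {
                continue;
            }
            sawSessionCookie = true;
            List<String> missing = missingAttributes(sc, "HttpOnly", "Secure");
            System.out.println(sc);
            System.out.println(missing.isEmpty() ? "OK: HttpOnly and Secure present"
                                                 : "MISSING: " + missing);
        }
        if (!sawSessionCookie) {
            System.out.println("No JSESSIONID Set-Cookie header; the page did not create a session");
        }
    }
}
```

Run it as `java SessionCookieAudit http://localhost:8080/yourapp/index.jsp`; a session cookie without HttpOnly is exactly what client-side script could read, so "MISSING: [HttpOnly]" means the configuration has not taken effect.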
• Original post: https://www.cnblogs.com/firstdream/p/8303057.html