Setting httponly on the JSESSIONID cookie (Java EE 5)

Published 2024-09-04 14:39:10, 800 characters, 4 views, 0 comments

I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader().

When that didn't work, I tried response.addHeader(). That didn't work either. Then, I learned that the servlet handled converting the session into a JSESSIONID cookie and inserting it into the http header so if I want to play with that cookie, I'll have to write a filter. I wrote a filter and played with setHeader()/addHeader() there, again to no avail.

Then, I learned that there's some flush/close action going on in the response object before it gets to the filter so if I want to manipulate the data, I need to extend HttpServletResponseWrapper and pass that to filterChain.doFilter(). This is done but I'm still not getting results. Clearly I'm doing something wrong but I don't know what.

I'm not sure if this is at all relevant to the question at hand, but no html document is being returned by the servlet to the browser. All that's really happening is that some objects are being populated and returned to a JSP document. I've sort of assumed that the Session object is turned into a JSESSIONID cookie and wrapped -- along with the objects added to the request -- in an http header before being sent to the browser.

I'd be happy to post some code but I want to rule out the possibility that my difficulties stem from a misunderstanding of the theory first.

Comments (2)

昨迟人 2024-09-11 14:39:10

Since the JSESSIONID cookie is managed by the servlet container, this setting is servlet container specific. It's unclear which one you're using, so here's an Apache Tomcat 6.0 targeted answer so that you know in which direction you'll have to look for your servlet container: you need to set the useHttpOnly attribute of the web application's <Context> element to true.

<Context useHttpOnly="true">
    ...
</Context>

Also see this Tomcat documentation about the <Context> element.

夏尔 2024-09-11 14:39:10

You can use this with Java EE 5:

For Java Enterprise Edition versions prior to Java EE 6 a common workaround is to overwrite the SET-COOKIE http response header with a session cookie value that explicitly appends the HttpOnly flag:

String sessionid = request.getSession().getId();
// be careful overwriting: JSESSIONID may have been set with other flags
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

Source: https://www.owasp.org/index.php/HttpOnly

I tested it in a filter.
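The OWASP workaround above, placed in a Servlet 2.5 filter as an added example (not code from the answerer, OWASP or any container project). The class name HttpOnlySessionCookieFilter is assumed, and the filter addresses the "other flags" caveat in the snippet by re-emitting Path and Secure alongside HttpOnly, since setHeader replaces every Set-Cookie value the container wrote.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Servlet 2.5 filter (no setHttpOnly() available) that re-emits the
// container's JSESSIONID cookie with HttpOnly before the response commits.
// Assumed class name; map it in web.xml with url-pattern "/*".
public class HttpOnlySessionCookieFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Create the session here, while the response is still uncommitted:
        // this is the moment the container writes its own Set-Cookie header.
        HttpSession session = req.getSession(true);
        if (session.isNew()) {
            // Only a new session carries a Set-Cookie header worth replacing.
            resp.setHeader("Set-Cookie", buildSessionCookie(req, session.getId()));
        }
        chain.doFilter(request, response);
    }

    // Rebuild the cookie so the overwrite keeps the attributes the container
    // would have set: Path (the context root) and Secure on HTTPS requests.
    static String buildSessionCookie(HttpServletRequest req, String sessionId) {
        String path = req.getContextPath();
        if (path == null || path.length() == 0) {
            path = "/";
        }
        StringBuilder sb = new StringBuilder("JSESSIONID=").append(sessionId);
        sb.append("; Path=").append(path);
        if (req.isSecure()) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }
}
```

A session created later than this filter (for example by a JSP after the response has started streaming) is not covered, which is why the filter forces session creation up front.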
