如何通过直接处理 Http 标头来使用 HttpOnly 更新 cookie JSESSIONID?
这是大局
我想将“HttpOnly”附加到 JSESSIONID Cookie,但我想手动执行此操作,意思是:
//create a new cookie
StringBuilder updatedCookie = new StringBuilder("JSESSIONID").append("=")
.append(sessionId).append("; Path=").append("/")
.append("; HttpOnly");
//save the cookie
response.setHeader("SET-COOKIE", updatedCookie.toString());
这是在映射到所有站点的 Servlet Filter 中完成的(过滤器的 url 模式为“/*”)
- 如何使该过滤器仅运行一次?也就是说,在登录时,或者
- 我是否真的必须在每个请求时运行并检查此 cookie 是否已被标记,如果答案为“是”则跳过?
有什么建议吗?
PS:
- 不要告诉我升级到Servlet 3.0,因为我现在做不到
- 忽略StringBuilder的不当使用和缺少变量sessionId
Here is the big picture
I want to append "HttpOnly" to the JSESSIONID Cookie, but I want to do this by hand, meaning:
//create a new cookie
StringBuilder updatedCookie = new StringBuilder("JSESSIONID").append("=")
.append(sessionId).append("; Path=").append("/")
.append("; HttpOnly");
//save the cookie
response.setHeader("SET-COOKIE", updatedCookie.toString());
This is done in a Servlet Filter, that is mapped to all the site (the filter has the url pattern as "/*")
- How can I make this filter run only once ? That is, at the login, or
- Do I really have to run at each request and check if this cookie has been already marked and skip if the answer is "yes" ?
Any suggestions ?
PS:
- Don't tell me to upgrade to Servlet 3.0 because I can't do that right now
- Ignore the improper use of the StringBuilder and missing variable sessionId
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
不可能。会话可能已经预先创建。
理论上,你最好的地方是
HttpSessionListener#sessionCreated(),但这不会以任何方式向您提供HttpServletResponse对象,所以您迷路了。是的。然而,这应该特别便宜。
Not possible. The session might already have been created beforehand.
In theory, your best place is
HttpSessionListener#sessionCreated(), but this doesn't provide theHttpServletResponseobject to you in any way, so you're lost.Yes. This should however be particularly cheap.