Adding the HttpOnly flag to cookies on the fly with Apache?
So I have a Java webapp that uses Tomcat with an Apache proxy layer. I'm looking to make all cookies set from the app have the httpOnly flag. The problem with this is that Tomcat is responsible for setting the flag from the application side and its default (in Servlet API 2.5) is false. I was hoping I could set this flag for all cookies on the fly using Apache.
I've been trying different combinations and the closest I have gotten is setting the last cookie passed to httpOnly which is of course wrong:
Header append Set-Cookie "; HttpOnly"
I have no way of knowing what cookies/values are going to be passed from the app. Is this even possible?
Comments (2)
The following mod_headers rewrite has the benefit that it won't duplicate HttpOnly if it's already there, if that sort of thing matters to you: See:
Try the following mod_headers directive.
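Added example, not taken from either answer: one mod_headers configuration that appends HttpOnly to every Set-Cookie header coming back from the proxied application and skips cookies that already carry it. It assumes mod_headers is loaded and an Apache httpd version that supports the `edit` action (2.2.4 or later); the regex is one possible choice.

```apache
# Added example (not the answerers' code). Assumes mod_headers is loaded
# and httpd >= 2.2.4, where the "edit" action is available.
<IfModule mod_headers.c>
    # The attempt from the question, which the asker reports only
    # affected the last cookie:
    # Header append Set-Cookie "; HttpOnly"

    # "edit" applies the regex to each Set-Cookie header value separately,
    # so every cookie set by the backend is rewritten without knowing
    # its name or value in advance.
    #
    # (?i)                    case-insensitive, so "httponly" also counts
    # (?:(?!;\s*HttpOnly).)+  consume the value only while no
    #                         "; HttpOnly" attribute starts at that point
    # ^ ... $                 the whole value must match, so a cookie that
    #                         already has HttpOnly is left untouched
    Header edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1; HttpOnly"
</IfModule>
```

After reloading the configuration, each Set-Cookie line in a response from the proxy should end with `; HttpOnly` exactly once, including cookies the application already flagged itself.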