I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader().
我尝试在JSESSIONID cookie上设置httponly标志。但是,我在Java EE 5中工作,不能使用setHttpOnly()。首先,我尝试使用response.setHeader()从servlet的doPost()中创建自己的JSESSIONID cookie。
When that didn't work, I tried response.addHeader(). That didn't work either. Then, I learned that the servlet handled converting the session into a JSESSIONID cookie and inserting it into the http header so if I want to play with that cookie, I'll have to write a filter. I wrote a filter and played with setHeader()/addHeader() there, again to no avail.
当它不起作用时,我尝试response.addHeader()。这并没有奏效。然后,我了解到servlet处理了将会话转换为JSESSIONID cookie并将其插入到http头中,因此如果我想使用该cookie,我必须编写一个过滤器。我编写了一个过滤器,并在那里与setHeader()/addHeader()一起玩,同样没有任何效果。
Then, I learned that there's some flush/close action going on in the response object before it gets to the filter so if I want to manipulate the data, I need to extend HttpServletResponseWrapper and pass that to filterChain.doFilter(). This is done but I'm still not getting results. Clearly I'm doing something wrong but I don't know what.
然后,我了解到在响应对象到达过滤器之前有一些刷新/关闭操作,所以如果我想操作这些数据,我需要扩展HttpServletResponseWrapper并将其传递到filterChain.doFilter()。这已经完成了,但我还是没有得到结果。很明显我做错了什么,但我不知道是什么。
I'm not sure if this is at all relevant to the question at hand but no html document is being returned by the servlet to the browser. All that's really happening is that some objects are being populated and returned to a JSP document. I've sort of assumed that The Session object is turned into a JSESSIONID cookie and wrapped -- along with the objects added to the request -- in an http header before being sent to the browser.
我不确定这是否与当前的问题有关,但是servlet没有向浏览器返回html文档。真正发生的是,一些对象被填充并返回到JSP文档。我假定会话对象在发送到浏览器之前被转换为一个JSESSIONID cookie,并与添加到请求中的对象一起封装在一个http头中。
I'd be happy to post some code but I want to rule out the possibility that my difficulties stem from a misunderstanding of the theory first.
我很乐意发布一些代码,但我想排除我的困难源于对理论的误解的可能性。
2 个解决方案
#1
10
Since the JSESSIONID cookie is managed by the servletcontainer, this setting is servletcontainer specific. It's unclear which one you're using, so here's an Apache Tomcat 6.0 targeted answer so that you know in which direction you'll have to look for your servletcontainer: you need to set the useHttpOnly attribute of the webapplication's <Context> element to true.
由于JSESSIONID cookie是由servletcontainer管理的,所以该设置是servletcontainer特有的。不清楚您使用的是哪个,因此这里有一个针对Apache Tomcat 6.0的答案,这样您就知道必须在哪个方向查找您的servletcontainer:您需要将webapplication的
<Context useHttpOnly="true">
...
</Context>
Also see this Tomcat documentation about the <Context> element.
还可以查看关于
#2
5
You can use this with Java EE 5:
您可以在Java EE 5中使用它:
For Java Enterprise Edition versions prior to Java EE 6 a common workaround is to overwrite the SET-COOKIE http response header with a session cookie value that explicitly appends the HttpOnly flag:
对于Java EE 6之前的Java企业版版本,一个常见的解决方案是使用会话cookie值覆盖SET-COOKIE http响应头,会话cookie值显式地附加HttpOnly标志:
String sessionid = request.getSession().getId();
// be careful overwriting: JSESSIONID may have been set with other flags
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
Source : https://www.owasp.org/index.php/HttpOnly
来源:https://www.owasp.org/index.php/HttpOnly
I test it into a filter
我将它测试成一个过滤器
#1
10
Since the JSESSIONID cookie is managed by the servletcontainer, this setting is servletcontainer specific. It's unclear which one you're using, so here's an Apache Tomcat 6.0 targeted answer so that you know in which direction you'll have to look for your servletcontainer: you need to set the useHttpOnly attribute of the webapplication's <Context> element to true.
由于JSESSIONID cookie是由servletcontainer管理的,所以该设置是servletcontainer特有的。不清楚您使用的是哪个,因此这里有一个针对Apache Tomcat 6.0的答案,这样您就知道必须在哪个方向查找您的servletcontainer:您需要将webapplication的
<Context useHttpOnly="true">
...
</Context>
Also see this Tomcat documentation about the <Context> element.
还可以查看关于
#2
5
You can use this with Java EE 5:
您可以在Java EE 5中使用它:
For Java Enterprise Edition versions prior to Java EE 6 a common workaround is to overwrite the SET-COOKIE http response header with a session cookie value that explicitly appends the HttpOnly flag:
对于Java EE 6之前的Java企业版版本,一个常见的解决方案是使用会话cookie值覆盖SET-COOKIE http响应头,会话cookie值显式地附加HttpOnly标志:
String sessionid = request.getSession().getId();
// be careful overwriting: JSESSIONID may have been set with other flags
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
Source : https://www.owasp.org/index.php/HttpOnly
来源:https://www.owasp.org/index.php/HttpOnly
I test it into a filter
我将它测试成一个过滤器