生活随笔
收集整理的這篇文章主要介紹了
检测到会话cookie中缺少HttpOnly属性
小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.
解決方案01:在會(huì)話cookie中添加HttpOnly屬性
具體操作步驟如下:
HttpServletResponse response2 = (HttpServletResponse)response;
response2.setHeader( "Set-Cookie", "name=value; HttpOnly");
解決方案02(建議使用):在會(huì)話cookie中添加HttpOnly屬性
具體操作步驟如下:
在項(xiàng)目中,com.gblfy.util包下,新建CookieFilter類
見附件:
package com.sinosoft.fis.util;import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;/*** 功能描述:* <p>* 1.Cookie 設(shè)置 httpOnly屬性 Cookie * 2.設(shè)置 httpOnly屬性防止js讀取cookie* </p>** @author gblfy*/
public class CookieHttpOnlyFilter implements Filter {public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {if (!(request instanceof HttpServletRequest)) {chain.doFilter(request, response);return;}HttpServletRequest httpReq = (HttpServletRequest) request;HttpServletResponse httpResp = (HttpServletResponse) response;Cookie[] cookies = httpReq.getCookies();if (cookies != null) {Cookie cookie = cookies[0];if (cookie != null) {HttpSession session = httpReq.getSession();if (session != null) {String sessionId = session.getId();// http設(shè)置httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId + "; Path=/fis; HttpOnly");// https設(shè)置
// httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId
// + "; Path=/admin;Secure; HttpOnly");}}}chain.doFilter(httpReq, httpResp);}public void destroy() {}public void init(FilterConfig filterConfig) throws ServletException {}}
在web.xml中添加攔截器
<filter><filter-name> CookieHttpOnly</filter-name><filter-class> com.sinosoft.fis.util. CookieHttpOnlyFilter</filter-class></filter><filter-mapping><filter-name> CookieHttpOnly</filter-name><url-pattern>/*</url-pattern></filter-mapping>
火狐測試結(jié)果:
谷歌測試結(jié)果:
漏洞2參考連接:
https://blog.51cto.com/10926470/1921232
https://blog.csdn.net/a19881029/article/details/27536917
總結(jié)
以上是生活随笔為你收集整理的检测到会话cookie中缺少HttpOnly属性的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò),歡迎將生活随笔推薦給好友。
