当会话Cookie中不含有HttpOnly属性和secure属性时,注入站点的恶意脚本可能访问此Cookie,并窃取它的值。任何存储在会话令牌中的信息都可能被窃取,并在稍后用于身份盗窃或用户伪装。
基本上,cookie 的唯一必需属性是“name”字段,必须设置“HttpOnly”属性,才能防止会话 cookie 被脚本访问。
解决方法:设立一个过滤器,为每次会话的 Cookie 添加“HttpOnly”属性和“Secure”属性。
package ...
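/**
 * Servlet filter that re-issues the session cookie with the {@code HttpOnly}
 * and {@code Secure} attributes on every request.
 *
 * <p>Servlet 3.0 containers (Tomcat 7+) expose {@code Cookie.setHttpOnly}, so the
 * cookie object can be flagged and added to the response. Older containers
 * (Tomcat 6, Servlet 2.5) have no such setter, so the {@code Set-Cookie} header is
 * written by hand. The strategy is chosen once in {@link #init} from the servlet
 * API version reported by the container. The Servlet 3.0 branch only compiles
 * against a Servlet 3.0+ API jar; on a Servlet 2.5 build drop that branch and
 * keep the header path, which works on both.
 *
 * <p>{@code Secure} means the browser only returns the cookie over HTTPS, so the
 * application must be reached over TLS (directly or behind a TLS terminator);
 * otherwise the session is lost on the next request.
 *
 * <p>Thread-safety: {@code servlet3Api} is written once in {@code init} before any
 * request is served and only read afterwards; the date formatter is created per
 * call because {@code SimpleDateFormat} is not thread-safe.
 */
public class ExampleFilter implements Filter {

    /** Name of the container session cookie; only this cookie is rewritten. */
    private static final String SESSION_COOKIE_NAME = "JSESSIONID";

    /** Lifetime given to the re-issued cookie through {@code Expires}: one hour. */
    private static final long EXPIRES_MILLIS = 60L * 60L * 1000L;

    /**
     * RFC 1123 layout required by the cookie {@code Expires} attribute, e.g.
     * {@code Sun, 06 Nov 1994 08:49:37 GMT}. Browsers do not parse a
     * {@code dd-MM-yyyy} date, which made the attribute silently ignored before.
     */
    private static final String EXPIRES_PATTERN = "EEE, dd MMM yyyy HH:mm:ss 'GMT'";

    /** True when the container implements Servlet 3.0 or later (Tomcat 7+). */
    private boolean servlet3Api;

    /**
     * Records which cookie-hardening strategy the container supports.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException never thrown here; declared by the {@code Filter} contract
     */
    public void init(javax.servlet.FilterConfig filterConfig) throws ServletException {
        // Servlet 3.0 (shipped with Tomcat 7) introduced Cookie.setHttpOnly; earlier
        // API levels need the hand-written Set-Cookie header.
        servlet3Api = filterConfig.getServletContext().getMajorVersion() >= 3;
    }

    /** Nothing to release: the filter holds no resources. */
    public void destroy() {
    }

    /**
     * Re-issues the session cookie with {@code HttpOnly} and {@code Secure}, then
     * continues the filter chain.
     *
     * @param request  incoming request; must be an {@code HttpServletRequest}
     * @param response outgoing response; must be an {@code HttpServletResponse}
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Cookie[] cookies = req.getCookies();
        // getCookies() returns null, not an empty array, when the request has no cookies.
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                // Only the session cookie is hardened; re-issuing application cookies with
                // HttpOnly would hide them from scripts that legitimately read them.
                if (!SESSION_COOKIE_NAME.equals(cookie.getName())) {
                    continue;
                }
                if (servlet3Api) {
                    hardenWithApi(req, resp, cookie);
                } else {
                    hardenWithHeader(req, resp, cookie);
                }
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Servlet 3.0 path: flags the cookie and sends it back in the response.
     * Flagging the request's copy alone changes nothing, because request cookies
     * are never written to the client.
     */
    private static void hardenWithApi(HttpServletRequest req, HttpServletResponse resp,
            Cookie cookie) {
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        // Request cookies carry no Path; without one the browser would store a second
        // JSESSIONID scoped to the request URI instead of replacing the original.
        cookie.setPath(sessionCookiePath(req));
        resp.addCookie(cookie);
    }

    /**
     * Servlet 2.5 path: writes the {@code Set-Cookie} header by hand, one header per
     * cookie. {@code addHeader} is used because {@code setHeader} would overwrite any
     * {@code Set-Cookie} the application already emitted.
     */
    private static void hardenWithHeader(HttpServletRequest req, HttpServletResponse resp,
            Cookie cookie) {
        // Cookie dates are always expressed in GMT with English month/day names.
        SimpleDateFormat expiresFormat = new SimpleDateFormat(EXPIRES_PATTERN, Locale.US);
        expiresFormat.setTimeZone(java.util.TimeZone.getTimeZone("GMT"));
        Date expires = new Date(System.currentTimeMillis() + EXPIRES_MILLIS);

        StringBuilder header = new StringBuilder();
        header.append(cookie.getName()).append('=').append(cookie.getValue());
        header.append("; Path=").append(sessionCookiePath(req));
        header.append("; Secure");
        header.append("; HttpOnly");
        // Expires makes the cookie persist across browser restarts for an hour;
        // omit it to keep a pure session cookie.
        header.append("; Expires=").append(expiresFormat.format(expires));
        resp.addHeader("Set-Cookie", header.toString());
    }

    /**
     * Path the container scopes the session cookie to: the context path, or
     * {@code "/"} for the root context.
     */
    private static String sessionCookiePath(HttpServletRequest req) {
        String contextPath = req.getContextPath();
        if (contextPath == null || contextPath.length() == 0) {
            return "/";
        }
        return contextPath;
    }
}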