描述
This policy states that any area of the website or web application that contains sensitive information or access to privileged functionality such as remote site administration requires that all cookies are sent via SSL during an SSL session. The URL: https://172.30.57.156:443/api-gateway/portal//api/properties/system-config/detail has failed this policy. If a cookie is marked with the "secure" attribute, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers. If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels
解决方案
nginx
在http下添加
add_header Set-Cookie “Path=/; HttpOnly; Secure”;
例如:
http{
add_header Set-Cookie "Path=/; HttpOnly; Secure";
}
shiro
在bean的name为sessionIdCookie和rememberMeCookie下增加
cookie.setSecure(true);
例如:
@Bean(name = "sessionIdCookie")
public SimpleCookie getSessionIdCookie() {
SimpleCookie cookie = new SimpleCookie("sid");
cookie.setHttpOnly(true);
cookie.setSecure(true);//加入这句
return cookie;
}
@Bean(name = "rememberMeCookie")
public SimpleCookie getRememberMeCookie() {
SimpleCookie cookie = new SimpleCookie("rememberMe");
cookie.setHttpOnly(true);
cookie.setSecure(true);//加入这句
return simpleCookie;
}
参考
https://vulncat.fortify.com/en/detail?id=desc.config.java.cookie_security_cookie_not_sent_over_ssl#Java%2FJSP
https://geekflare.com/httponly-secure-cookie-nginx/
https://www.twblogs.net/a/5e4e2e27bd9eee101df442bf
2011
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
