漏洞修复：Cookie Security: HTTPOnly not Set on Application Cookie

描述

The web application does not utilize HTTP only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of a successful Cross-Site scripting attack by not allowing cookies with the HTTP only attribute to be accessed via client-side scripts. Recommendations include adopting a development policy that includes the utilization of HTTP only cookies, and performing other actions such as ensuring proper filtration of user-supplied data, utilizing client-side validation of user supplied data, and encoding all user supplied data to prevent inserted scripts being sent to end users in a format that can be executed.

解决方案

nginx
在http下添加 HttpOnly是重点！
add_header Set-Cookie “Path=/; HttpOnly; Secure”;
例如：

http{
    add_header Set-Cookie "Path=/; HttpOnly; Secure";
}

shiro
在bean的name为sessionIdCookie和rememberMeCookie下增加
cookie.setSecure(true);
例如：

@Bean(name = "sessionIdCookie")
public SimpleCookie getSessionIdCookie() {
    SimpleCookie cookie = new SimpleCookie("sid");
    cookie.setHttpOnly(true);//加入这句
    cookie.setSecure(true);
    return cookie;
}

@Bean(name = "rememberMeCookie")
public SimpleCookie getRememberMeCookie() {
    SimpleCookie cookie = new SimpleCookie("rememberMe");
    cookie.setHttpOnly(true);//加入这句
    cookie.setSecure(true);
    return simpleCookie;
}

参考

https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.cookie_security_httponly_not_set_on_session_cookie

https://blog.miniasp.com/post/2009/11/26/Using-HttpOnly-flag-to-avoid-XSS-attack