第一次遇到这样的问题,就想来记录下这个。
详细问题描述:
1.会话cookie中缺少HttpOnly属性会导致攻击者可以通过程序(JS脚本、Applet等)获取到用户的cookie信息,造成用户cookie信息泄露,增加攻击者的跨站脚本攻击威胁。
2.HttpOnly是微软对cookie做的扩展,该值指定cookie是否可通过客户端脚本访问。Microsoft Internet Explorer 版本 6 Service Pack 1 和更高版本支持cookie属性HttpOnly。
3.如果在Cookie中没有设置HttpOnly属性为true,可能导致Cookie被窃取。窃取的Cookie可以包含标识站点用户的敏感信息,如ASP.NET会话ID或Forms身份验证票证,攻击者可以重播窃取的Cookie,以便伪装成用户或获取敏感信息,进行跨站脚本攻击等。
4.如果在Cookie中设置HttpOnly属性为true,兼容浏览器接收到HttpOnly cookie,那么客户端通过程序(JS脚本、Applet等)将无法读取到Cookie信息,这将有助于缓解跨站点脚本威胁。
那么我们该怎样去解决这个问题呢?很简单只需要一个拦截器即可:
代码如下:
CookieHttpOnlyFilter.java:
- package org._common.filter;
-
- import java.io.IOException;
- import java.text.SimpleDateFormat;
- import java.util.Calendar;
- import java.util.Date;
- import java.util.Locale;
-
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.Cookie;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
-
-
-
-
-
- public class CookieHttpOnlyFilter implements Filter {
-
- public void destroy() {
-
- }
-
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain filterChain) throws IOException, ServletException {
-
- HttpServletRequest req = (HttpServletRequest) request;
- HttpServletResponse resp = (HttpServletResponse) response;
- Cookie[] cookies = req.getCookies();
- if(cookies!=null){
- for(Cookie cookie : cookies){
- String value = cookie.getValue();
- StringBuilder builder = new StringBuilder();
- builder.append("JSESSIONID=" + value + "; ");
- builder.append("Secure; ");
- builder.append("HttpOnly; ");
- Calendar cal = Calendar.getInstance();
- cal.add(Calendar.HOUR, 1);
- Date date = cal.getTime();
- Locale locale = Locale.CHINA;
- SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
- builder.append("Expires=" + sdf.format(date));
- resp.setHeader("Set-Cookie", builder.toString());
- }
- filterChain.doFilter(request, response);
- }
- }
-
- public void init(FilterConfig arg0) throws ServletException {
-
-
- }
- }
然后在配置文件中进行配置:
web.xml:
- <filter>
- <filter-name>cookieHttpOnlyFilter</filter-name>
- <filter-class>org._common.filter.CookieHttpOnlyFilter</filter-class>
- </filter>
-
- <filter-mapping>
- <filter-name>cookieHttpOnlyFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <filter>
然后我们来测试下用F12看下:
那么这样就好了。
或者页面这些添加