web.xml配置过滤器:
<!-- 向所有会话cookie中添加“HttpOnly”属性 -->
<filter>
<filter-name>HttpOnlyFilter</filter-name>
<filter-class>com.cssweb.common.admin.filter.HttpOnlyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>HttpOnlyFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
新建过滤器
package com.cssweb.common.admin.filter;
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class HttpOnlyFilter implements Filter {
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
Cookie[] cookies = ((HttpServletRequest) request).getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
if (cookie != null) {
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
// set-cookie后,在ie浏览器下session失效,所以,不要这行代码了
// builder.append("JSESSIONID=" + value + "; ");
builder.append("Secure; ");
builder.append("HttpOnly; ");
Calendar cal = Calendar.getInstance();
cal.add(Calendar.HOUR, 1);
Date date = cal.getTime();
Locale locale = Locale.CHINA;
SimpleDateFormat sdf = new SimpleDateFormat(
"dd-MM-yyyy HH:mm:ss", locale);
builder.append("Expires=" + sdf.format(date));
resp.setHeader("Set-Cookie", builder.toString());
}
}
}
filterChain.doFilter(req, resp);
}
public void init(FilterConfig arg0) throws ServletException {
}
}
如何查看?
打开网页,f12,刷新网页,如图: