一、案例分析——Cookie设置HttpOnly,Secure,Expire属性
Tomcat版本为6.0.39,JDK版本为1.6update45
在Web工程上增加一个Filter对Cookie进行处理
public class CookieFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
Cookie[] cookies = req.getCookies();
if (cookies != null) {
Cookie cookie = cookies[0];
if (cookie != null) {
/*cookie.setMaxAge(3600);
cookie.setSecure(true);
resp.addCookie(cookie);*/
//Servlet 2.5不支持在Cookie上直接设置HttpOnly属性
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
builder.append("JSESSIONID=" + value + "; ");
builder.append("Secure; ");
builder.append("HttpOnly; ");
Calendar cal = Calendar.getInstance();
cal.add(Calendar.HOUR, 1);
Date date = cal.getTime();
Locale locale = Locale.CHINA;
SimpleDateFormat sdf =
new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
builder.append("Expires=" + sdf.format(date));
resp.setHeader("Set-Cookie", builder.toString());
}
}
chain.doFilter(req, resp);
}
public void destroy() {
}
public void init(FilterConfig arg0) throws ServletException {
}
}
web.xml:
<filter>
<filter-name>cookieFilter</filter-name>
<filter-class>com.sean.CookieFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cookieFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
FireFox:
Chrome:
IE:
二、案例分析——cookie-resopnse对象addCookie和addHeader设置cookie区别
下面有两个具体的代码示例:
设置addCookie
@RequestMapping("/respAddCK")
@ResponseBody
public String respAddCK(@RequestBody UserInfoVo loginUser){
System.out.println("begin");
AppUser user = loginService.queryLoginUser(loginUser);
System.out.println("end");
Cookie ck = new Cookie("respAddCK",loginUser.getUsername());
response.addCookie(ck);
return "very good!";
}
设置addHeader
@RequestMapping("/respSetCK")
@ResponseBody
public String respSetCK(@RequestBody UserInfoVo loginUser){
System.out.println("begin");
AppUser user = loginService.queryLoginUser(loginUser);
System.out.println("end");
StringBuffer cookieBuf = new StringBuffer();
cookieBuf.append("respSetCK=").append(loginUser.getUsername()).append(";");
cookieBuf.append("Path=/; HttpOnly;");
response.addHeader("Set-Cookie",cookieBuf.toString());
return "very good!";
}
最终结果:
通过对比,发现都成功的设置了cookie,只不过具体值有差异,addHeader比addCookie灵活,可以设置的属性更多
三、案例分析——安全问题-Cookie未设置HttpOnly&&Cookie未设置Secure标识
阿里机测的系统漏洞(懒得打字,给报告部分截图):
问题解决:
过滤器处理一下就行了
CookieFilter.java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Servlet Filter implementation class CookieFilter
*
* 解决 Cookie未设置HttpOnly && Cookie未设置Secure标识 问题
*
* @author xiaheshun
*/
public class CookieFilter implements Filter {
/**
* Default constructor.
*/
public CookieFilter() {
// TODO Auto-generated constructor stub
}
/**
* @see Filter#destroy()
*/
public void destroy() {
// TODO Auto-generated method stub
}
/**
* @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse resp = (HttpServletResponse)response;
Cookie[] cookies = req.getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
builder.append(cookie.getName()+"="+value+";");
builder.append("Secure;");//Cookie设置Secure标识
builder.append("HttpOnly;");//Cookie设置HttpOnly
// Calendar cal = Calendar.getInstance();
// cal.add(Calendar.HOUR, 1);
// Date date = cal.getTime();
// Locale locale = Locale.CHINA;
// SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
// builder.append("Expires="+sdf.format(date));
resp.addHeader("Set-Cookie", builder.toString());
}
}
chain.doFilter(request, response);
}
/**
* @see Filter#init(FilterConfig)
*/
public void init(FilterConfig fConfig) throws ServletException {
// TODO Auto-generated method stub
}
}
web.xml
<!--xiaheshun 阿里云检测漏洞问题 解决 Cookie设置HttpOnly && Cookie设置Secure标识 -->
<filter>
<filter-name>cookieFilter</filter-name>
<filter-class>com.hxptp.filter.CookieFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cookieFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
解决成果:
此处不列举自己公司的截图,用蘑菇街的截图。
可能遇到的小小坑…也可能就我碰到的。
在设置Set-Cookie的时候,用addHeader,如果用setHeader的话,就只是设置一个cookie值得头信息限制,其实在平时会有很多cookie里的主要参数信息需要限制,有的消息也会有不同的浏览器可以存储的时间,所有要一个一个遍历出来设置Cookie的信息。
代码中有设置过期时间的,注释掉了,需要的时候,可以拿出来用。