Web projects: session cookie missing the HttpOnly and Secure attributes

When a session cookie lacks the HttpOnly and Secure attributes, a malicious script injected into the site can read the cookie and steal its value. Any information stored in the session token can be stolen and later used for identity theft or user impersonation.

Basically, the only required attribute of a cookie is the "name" field; the "HttpOnly" attribute must be set so that the session cookie cannot be read by scripts, and the "Secure" attribute keeps the browser from sending it over plain HTTP.

Solution: set up a filter that rewrites the cookies on every request, adding the "HttpOnly" and "Secure" attributes.

package ...

import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ExampleFilter implements Filter {

    // Servlet 3.0 (Tomcat 7+) added Cookie.setHttpOnly(); Servlet 2.5 (Tomcat 6) has no such API.
    private boolean servlet3OrLater;

    public void init(FilterConfig config) throws ServletException {
        servlet3OrLater = config.getServletContext().getMajorVersion() >= 3;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Cookie[] cookies = req.getCookies();  // null when the request carries no cookies
        // Request cookies carry no Path; scope the re-sent cookie like the session cookie
        String path = req.getContextPath().isEmpty() ? "/" : req.getContextPath();

        if (cookies != null && servlet3OrLater) {
            // Flags set on a request cookie reach the browser only if it is re-sent in the response
            for (Cookie cookie : cookies) {
                cookie.setHttpOnly(true);
                cookie.setSecure(true);
                cookie.setPath(path);
                resp.addCookie(cookie);
            }
        } else if (cookies != null) {
            // Tomcat 6: write the Set-Cookie header by hand. Expires must be an
            // HTTP-date (English day/month names, GMT), so Locale.US rather than CHINA
            Calendar cal = Calendar.getInstance();
            cal.add(Calendar.HOUR, 1);
            Date date = cal.getTime();
            SimpleDateFormat sdf = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss zzz", Locale.US);
            sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
            for (Cookie cookie : cookies) {
                StringBuilder builder = new StringBuilder();
                // Use each cookie's own name rather than hard-coding JSESSIONID
                builder.append(cookie.getName() + "=" + cookie.getValue() + "; ");
                builder.append("Path=" + path + "; ");
                builder.append("Secure; ");
                builder.append("HttpOnly; ");
                builder.append("Expires=" + sdf.format(date));
                // addHeader, not setHeader, so each cookie gets its own Set-Cookie line
                resp.addHeader("Set-Cookie", builder.toString());
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
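To confirm that the filter actually produces compliant headers, the following is an added example (not code from the original post) in plain Java: it parses Set-Cookie header values as RFC 6265 describes them, where the first segment is name=value and the remaining ";"-separated segments are case-insensitive attributes, and reports every cookie that is missing HttpOnly or Secure. The class and method names (CookieFlagAudit, Finding, audit, nonCompliant) are my own, and the header strings in main are constructed samples, not output captured from a real server.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Audits Set-Cookie header values for the HttpOnly and Secure attributes (hypothetical helper). */
public class CookieFlagAudit {

    /** One finding per cookie: its name and whether each flag was present. */
    public static final class Finding {
        public final String name;
        public final boolean httpOnly;
        public final boolean secure;

        Finding(String name, boolean httpOnly, boolean secure) {
            this.name = name;
            this.httpOnly = httpOnly;
            this.secure = secure;
        }

        public boolean isCompliant() {
            return httpOnly && secure;
        }

        @Override
        public String toString() {
            return name + ": HttpOnly=" + httpOnly + ", Secure=" + secure;
        }
    }

    /** Parses one Set-Cookie header value; attribute names are matched case-insensitively. */
    public static Finding audit(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        String nameValue = parts[0].trim();
        int eq = nameValue.indexOf('=');
        String name = eq >= 0 ? nameValue.substring(0, eq).trim() : nameValue;

        boolean httpOnly = false;
        boolean secure = false;
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            int attrEq = attr.indexOf('=');
            String attrName = (attrEq >= 0 ? attr.substring(0, attrEq) : attr)
                    .trim().toLowerCase(Locale.ROOT);
            if (attrName.equals("httponly")) {
                httpOnly = true;
            } else if (attrName.equals("secure")) {
                secure = true;
            }
        }
        return new Finding(name, httpOnly, secure);
    }

    /** Returns a finding for every cookie that is missing at least one of the two flags. */
    public static List<Finding> nonCompliant(List<String> setCookieHeaders) {
        List<Finding> bad = new ArrayList<>();
        for (String header : setCookieHeaders) {
            Finding f = audit(header);
            if (!f.isCompliant()) {
                bad.add(f);
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real server
        List<String> headers = new ArrayList<>();
        headers.add("JSESSIONID=3F2504E0; Path=/");                      // missing both flags
        headers.add("JSESSIONID=3F2504E0; Path=/; Secure; HttpOnly");    // compliant
        headers.add("theme=dark; Path=/; Max-Age=31536000; httponly");  // missing Secure
        for (Finding f : nonCompliant(headers)) {
            System.out.println("Non-compliant: " + f);
        }
    }
}
```

Run it against the Set-Cookie lines a browser's network panel or a proxy shows after deploying the filter; the first and third sample headers are reported, the second is not. On Servlet 3.0+ containers the same two flags can also be set declaratively in web.xml, via `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>`, which the container applies when it first issues the session cookie, so no request cookie has to be re-sent.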
