cookie工具类,解决servlet3.0以前不能添加httpOnly属性的问题

最近在解决XSS注入的问题,由于使用的servlet版本是2.5,不支持httpOnly的属性,故做了个工具类来实现cookie的httpOnly的功能。全类如下:

/**

 * cookie工具类,解决servlet3.0以前不能添加httpOnly属性的问题
 *
 * @author zhang-long
 * @createTime 2013-6-20
 */
public class CookieUtil {
/**

* @param response HttpServletResponse类型的响应
* @param cookie 要设置httpOnly的cookie对象
*/
    public static void addHttpOnlyCookie(HttpServletResponse response, Cookie cookie){
    // 判断对象是否存在null的情况
    if(checkObjIsNull(response) || checkObjIsNull(cookie)){
    return;
    }
   
    //依次取得cookie中的名称、值、最大生存时间、路径、域和是否为安全协议信息
    String cookieName = cookie.getName();
    String cookieValue = cookie.getValue();
    int maxAge = cookie.getMaxAge();
    String path = cookie.getPath();
    String domain = cookie.getDomain();
    boolean isSecure = cookie.getSecure();
   
        StringBuffer strBufferCookie = new StringBuffer();
        strBufferCookie.append(cookieName + "=" + cookieValue +  ";");
        
        if(maxAge >= 0){
            strBufferCookie.append("Max-Age=" + cookie.getMaxAge() + ";");
        }
        
        if(!checkObjIsNull(domain)){
        strBufferCookie.append("domain=" + domain + ";");
        }
        
        if(!checkObjIsNull(path)){
        strBufferCookie.append("path=" + path + ";");
        }
        
        if(isSecure){
        strBufferCookie.append("secure;HTTPOnly;");
        }else{
        strBufferCookie.append("HTTPOnly;");
        }
        
        response.addHeader("Set-Cookie",strBufferCookie.toString());
    }
    
    
    private static boolean checkObjIsNull(Object obj){
    if(obj == null){
    return true;
    }
   
    return false;
    }

}


使用举例:


Cookie cookie1=new Cookie("n","cookieValue1"); 
cookie1.setMaxAge(500);
Cookie cookie2=new Cookie("cookieName2","cookieValue2"); 
Cookie cookie3=new Cookie("cookieName3","cookieValue3"); 
cookie3.setSecure(true);
Cookie cookie4=new Cookie("cookieName4","cookieValue4"); 
cookie4.setSecure(true);


CookieUtil.addHttpOnlyCookie(response, cookie1);
CookieUtil.addHttpOnlyCookie(response, cookie2);
CookieUtil.addHttpOnlyCookie(response, cookie3);
CookieUtil.addHttpOnlyCookie(response, cookie4);

例子中红色的部分只有在应用 使用了HTTPS协议的时候才能添加,否则这个cookie将再也无法读出!

添加成功后,查看cookie如下:



 

你可能感兴趣的:(servlet3.0)