会话 cookie 中缺少HttpOnly 属性 的问题

最近公司网站遭受攻击，请了专业的公司给做漏洞扫描，其中有一个漏洞问为“会话 cookie 中缺少HttpOnly 属性”，针对这个问题扫描公司给了相应的处理方法。方法如下：

在应用程序测试过程中，检测到所测试的 Web 应用程序设置了不含
“HttpOnly”属性的会话 cookie。由于此会话 cookie 不包含“HttpOnly”属性，因此
注入站点的恶意脚本可能访问此 cookie，并窃取它的值。任何存储在会话令牌中的
信息都可能被窃取，并在稍后用于身份盗窃或用户伪装。
解决方法：基本上，cookie 的唯一必需属性是“name”字段。常见的可选属性
如下：“comment”、“domain”、“path”，等等。必须相应地设置“HttpOnly”属性，才
能防止会话 cookie 被脚本访问。参考如下：
 package com.neusoft.streamone.framework.security.filter;

 import java.io.IOException;

 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;

 public class CookieHttpOnlyFilter implements Filter
{

 @Override
 public void destroy()
 {

 }

@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException
 {
 Cookie[] cookies = ((HttpServletRequest)request).getCookies();
 if(cookies!=null)
 {
 for(Cookie cookie : cookies){
 //tomcat7 支持该属性，tomcat6 不支持
 cookie.setHttpOnly(true);
 }
 }
 filterChain.doFilter(request, response);
 }

@Override
public void init(FilterConfig arg0) throws ServletException
 {

}

 }

但是由于公司网站的版本不支持tomcat7，故做了以下调整

package com.gtc.cms.filter;

import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CookieHttpOnlyFilter implements Filter {
 
 public void destroy() {
  // TODO Auto-generated method stub

 }

 public void doFilter(ServletRequest request, ServletResponse response,
   FilterChain filterChain) throws IOException, ServletException {
  // TODO Auto-generated method stub
        HttpServletRequest req = (HttpServletRequest) request; 
        HttpServletResponse resp = (HttpServletResponse) response;
  Cookie[] cookies = req.getCookies();
   if(cookies!=null){
    for(Cookie cookie : cookies){
     //tomcat7 支持该属性，tomcat6 不支持
     String value = cookie.getValue(); 
              StringBuilder builder = new StringBuilder(); 
              builder.append("JSESSIONID=" + value + "; "); 
              builder.append("Secure; "); 
              builder.append("HttpOnly; "); 
              Calendar cal = Calendar.getInstance(); 
              cal.add(Calendar.HOUR, 1); 
              Date date = cal.getTime(); 
              Locale locale = Locale.CHINA; 
              SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale); 
              builder.append("Expires=" + sdf.format(date)); 
              resp.setHeader("Set-Cookie", builder.toString());
    }
    filterChain.doFilter(request, response);
   }
 }

 public void init(FilterConfig arg0) throws ServletException {
  // TODO Auto-generated method stub

 }
}

在web.xml设置

<filter> 
        <filter-name>cookieHttpOnlyFilter</filter-name> 
        <filter-class>com.gtc.cms.filter.CookieHttpOnlyFilter</filter-class>  
  </filter> 

<filter-mapping> 
        <filter-name>cookieHttpOnlyFilter</filter-name> 
        <url-pattern>/*</url-pattern>  
  </filter-mapping> 

在火狐上测试如下：