检测到会话cookie中缺少HttpOnly属性

原创

gblfy 2022-09-06 08:04:39 博主文章分类：BUG ©著作权

文章标签 缺少HttpOnly java 解决方案 xml 文章分类 运维

©著作权归作者所有：来自51CTO博客作者gblfy的原创作品，请联系作者获取转载授权，否则将追究法律责任

解决方案01：在会话cookie中添加HttpOnly属性
具体操作步骤如下：

HttpServletResponse response2 = (HttpServletResponse)response;
response2.setHeader( "Set-Cookie", "name=value; HttpOnly");

检测到会话cookie中缺少HttpOnly属性_缺少HttpOnly

解决方案02（建议使用）：在会话cookie中添加HttpOnly属性

具体操作步骤如下：

在项目中，com.gblfy.util包下，新建CookieFilter类

见附件：

package com.sinosoft.fis.util;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * 功能描述:
 * <p>
 *   1.Cookie 设置 httpOnly属性 Cookie 
 *   2.设置 httpOnly属性防止js读取cookie
 * </p>
 *
 * @author gblfy
 */
public class CookieHttpOnlyFilter implements Filter {

  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    if (!(request instanceof HttpServletRequest)) {
      chain.doFilter(request, response);
      return;
    }
    HttpServletRequest httpReq = (HttpServletRequest) request;
    HttpServletResponse httpResp = (HttpServletResponse) response;
    Cookie[] cookies = httpReq.getCookies();
    if (cookies != null) {
      Cookie cookie = cookies[0];
      if (cookie != null) {
        HttpSession session = httpReq.getSession();
        if (session != null) {
          String sessionId = session.getId();
          // http设置
          httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId + "; Path=/fis; HttpOnly");
          // https设置
//                      httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId
//                              + "; Path=/admin;Secure; HttpOnly");
        }
      }
    }
    chain.doFilter(httpReq, httpResp);

  }

  public void destroy() {
  }

  public void init(FilterConfig filterConfig) throws ServletException {
  }

}

在web.xml中添加拦截器

<filter>
      <filter-name> CookieHttpOnly</filter-name>
      <filter-class> com.sinosoft.fis.util. CookieHttpOnlyFilter</filter-class>
    </filter>
  <filter-mapping>
      <filter-name> CookieHttpOnly</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

火狐测试结果：

检测到会话cookie中缺少HttpOnly属性_xml_02