java过滤器给Cookie加上HttpOnly属性(亲测可以)
2021-10-14 本文已影响0人
在山的那边是海
描述:
1.会话cookie中缺少HttpOnly属性会导致攻击者可以通过程序(JS脚本、Applet等)获取到用户的cookie信息,造成用户cookie信息泄露,增加攻击者的跨站脚本攻击威胁。
2.HttpOnly是微软对cookie做的扩展,该值指定cookie是否可通过客户端脚本访问。Microsoft Internet Explorer 版本 6 Service Pack 1 和更高版本支持cookie属性HttpOnly。
3.如果在Cookie中没有设置HttpOnly属性为true,可能导致Cookie被窃取。窃取的Cookie可以包含标识站点用户的敏感信息,如ASP.NET会话ID或Forms身份验证票证,攻击者可以重播窃取的Cookie,以便伪装成用户或获取敏感信息,进行跨站脚本攻击等。
4.如果在Cookie中设置HttpOnly属性为true,兼容浏览器接收到HttpOnly cookie,那么客户端通过程序(JS脚本、Applet等)将无法读取到Cookie信息,这将有助于缓解跨站点脚本威胁。
解决方案:
方案一:
CookieHttpOnlyFilter.java
package org._common.filter;
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* 解决检测到会话cookie中缺少HttpOnly属性的问题
* @author kf0101
*
*/
public class CookieHttpOnlyFilter implements Filter {
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException {
// TODO Auto-generated method stub
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
Cookie[] cookies = req.getCookies();
if(cookies!=null){
for(Cookie cookie : cookies){
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
builder.append("JSESSIONID=" + value + "; ");
builder.append("Secure; ");
builder.append("HttpOnly; ");
Calendar cal = Calendar.getInstance();
cal.add(Calendar.HOUR, 1);
Date date = cal.getTime();
Locale locale = Locale.CHINA;
SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
builder.append("Expires=" + sdf.format(date));
resp.setHeader("Set-Cookie", builder.toString());
}
filterChain.doFilter(request, response);
}
}
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
}
}
web.xml:
<filter>
<filter-name>cookieHttpOnlyFilter</filter-name>
<filter-class>org._common.filter.CookieHttpOnlyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cookieHttpOnlyFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
验证方式:查看浏览器设置(HttpOnly) Set-Cookie: HttpOnly
打开网页,f12,刷新网页,如图:
在这里插入图片描述
方案二:
对secure-http-only属性的支持仅在http-servlet规范3上可用.检查web.xml中的version属性是否为“3.0”.
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
在项目的web.xml文件中设置属性,如下所示:
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
