系统进行漏洞扫描时,出现“加密会话(SSL)Cookie中缺少Secure属性”问题,如下图:
解决办法:
1)先配置请求到服务的协议(nginx到服务)schema为https;
2)添加filter设置,如下:
@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
throws IOException, ServletException {
LogFactory.info("====> LoginCookieSecureFilter doFilter...");
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) resp;
String scheme = request.getScheme();
LogFactory.info("====> schema is: " + scheme);
if(!StringUtils.isEmpty(scheme) && HTTPS.equalsIgnoreCase(scheme)) {
response.setHeader("Set-Cookie", "JSESSIONID=" + request.getSession().getId() + "; Path=/cas;HttpOnly=true;Secure=true;");
}
chain.doFilter(request, response);
}
版权声明:本文为qq_36956015原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。