The HttpOnly attribute
If a cookie carries the HttpOnly attribute, JavaScript cannot read it, which effectively blocks cookie theft through XSS and makes the cookie safer. Even so, do not store sensitive information in cookies.
Filter configuration in web.xml
<filter>
    <filter-name>HttpOnlyFilter</filter-name>
    <filter-class>com.attacht.web.filter.HttpOnlyFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>HttpOnlyFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Filter code
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpOnlyFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Cookie[] cookies = req.getCookies();
        // This approach is for Servlet versions below 3.0; from 3.0 on, the
        // HttpOnly attribute can be set directly on the Cookie object.
        if (cookies != null) {
            Cookie cookie = cookies[0];
            String name = cookie.getName();
            String value = cookie.getValue();
            int maxAge = cookie.getMaxAge();
            String path = cookie.getPath();
            String domain = cookie.getDomain();
            boolean isSecure = cookie.getSecure();
            // Rebuild the cookie as a raw Set-Cookie header value using a StringBuilder
            StringBuilder builder = new StringBuilder();
            builder.append(name).append("=").append(value).append(";");
            if (maxAge == 0) {
                builder.append("Expires=Thu Jan 01 08:00:00 CST 1970;");
            } else {
                builder.append("Max-Age=").append(maxAge).append(";");
            }
            if (domain != null) {
                builder.append("domain=").append(domain).append(";");
            }
            if (path != null) {
                builder.append("path=").append(path).append(";");
            }
            if (isSecure) {
                builder.append("secure;");
            }
            builder.append("HTTPOnly;");
            // setHeader replaces any Set-Cookie header already on the response,
            // so every other cookie is dropped
            resp.setHeader("Set-Cookie", builder.toString());
        }
        // Pass the modified req and resp here; passing request and response has no effect
        filterChain.doFilter(req, resp);
    }

    public void destroy() {
    }
}
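For Servlet 3.0 and later, here is an added example (not the post's own code) of a filter that wraps the response so that every cookie the application sets carries HttpOnly, instead of rewriting only the first request cookie as the filter above does. The class and method names are assumed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not from the original post: applies HttpOnly to every
// Set-Cookie header the application emits by wrapping the response object.
public class HttpOnlyResponseFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        chain.doFilter(request, new HttpOnlyResponseWrapper(resp));
    }

    /** Appends "; HttpOnly" to a raw Set-Cookie value that does not already have it. */
    static String withHttpOnly(String setCookieValue) {
        if (setCookieValue == null) return null;
        for (String attr : setCookieValue.split(";")) {
            if (attr.trim().equalsIgnoreCase("HttpOnly")) return setCookieValue;
        }
        return setCookieValue + "; HttpOnly";
    }

    static class HttpOnlyResponseWrapper extends HttpServletResponseWrapper {
        HttpOnlyResponseWrapper(HttpServletResponse resp) { super(resp); }

        @Override
        public void addCookie(Cookie cookie) {
            // Servlet 3.0+: the flag is set on the Cookie object itself
            cookie.setHttpOnly(true);
            super.addCookie(cookie);
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }
    }
}
```

Register it in web.xml exactly like the filter above, with a `/*` url-pattern, so it sees every response.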
Copyright notice: this is an original article by attacht, licensed under CC 4.0 BY-SA; when reposting, include a link to the original and this notice.