设置仅Http和谷歌App Engine的安全上的会话cookie标记(set httpOnly a

我需要设置的HttpOnly和谷歌应用程序引擎的会话cookie安全标志。

我想在下面web.xml ：

<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>

然而，这并不工作。

我也试过这样在每一个JSP的顶部：

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

我怎样才能做到这一点？

Answer 1:

我曾与谷歌应用程序引擎同样的问题，但我想补充Secure属性，所有的cookies。下面显示了我如何添加Secure属性，所有的cookies。我几乎可以肯定，这种解决方案会为你工作只是代Secure与HttpOnly 。

我已经实现了一个安全过滤器，并提出了映射我想要的网页Secure属性进行设置。

<filter>
    <filter-name>Security Filter</filter-name>
    <filter-class>common.SecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>Security Filter</filter-name>
    <url-pattern>*.jsf</url-pattern>
</filter-mapping>

我的第一次尝试是包裹响应到我的自定义HttpServletResponseWrapper 。一切正常，除了会话cookie没有得到属性。我调试了一圈，发现会话cookie没有使用我期望的机制增加。然后我注意到，你碰在会议结束后的会话cookie被神奇地加入到响应报头，例如头现在包括线Set-Cookie: JSESSIONID=abcdef;Path=/但使用包装对象中未添加该cookie我已经创建了。我已经想通了，我已经感动了会话后，我可以设置我想与我想要的属性的cookie。因此，解决方法很简单。

public class SecurityFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // wrap the response
        response = new SecureCookieSetter((HttpServletResponse)response);

        // touch the session
        (HttpServletRequest)request.getSession();

        // overwriting the cookie with Secure attribute set
        ((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");
    }
}

public class SecureCookieSetter extends HttpServletResponseWrapper {

    public SecureCookieSetter(HttpServletResponse response) {
        super(response);
    }

    @Override
    public void addCookie(Cookie cookie) {
        cookie.setSecure(true);
        super.addCookie(cookie);
    }

    @Override
    public void addHeader(String name, String value) {
        if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\\s*Secure"))) {
            value = value + ";Secure";
        }
        super.addHeader(name, value);
    }

    @Override
    public void setHeader(String name, String value) {
        if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\\s*Secure"))) {
            value = value + ";Secure";
        }
        super.setHeader(name, value);
    }

}

Answer 2:

我曾与谷歌App Engine的非常相同的问题，使用Java 7和Servlet 2.5，添加HttpOnly和Secure属性会话cookie。我跟着的@bat_venti答案 - 这帮助很大，谢谢！ - 但遇到了一些麻烦，使其工作，所以我张贴我自己的答案:)

我创建了一个SecurityFilter类应用会话cookie属性.jsp请求，就像下面：

import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import java.io.IOException;

public class SecurityFilter implements javax.servlet.Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // wrap the response
        response = new SecureCookieSetter((HttpServletResponse)response);

        // touch the session
        ((HttpServletRequest) request).getSession();

        // overwriting the cookie with Secure and HttpOnly attribute set
        ((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");

        chain.doFilter(request, response);
    }

    public class SecureCookieSetter extends HttpServletResponseWrapper {

        public SecureCookieSetter(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            super.addCookie(cookie);
        }

        @Override
        public void addHeader(String name, String value) {
            if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\\s*Secure"))) {
                value = value + ";Secure;HttpOnly";
            }
            super.addHeader(name, value);
        }

        @Override
        public void setHeader(String name, String value) {
            if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\\s*Secure"))) {
                value = value + ";Secure;HttpOnly";
            }
            super.setHeader(name, value);
        }

    }
}

（我创建了SecureCookieSetter类内部，因为我只在此过滤器使用，但随时把它放在它自己的文件）。

在那之后，我编辑web.xml文件中使用的过滤器，每当一个.jsp是所需的文件：

<web-app>
...
    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>path.to.my.filter.SecurityFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>
...
</web-app>

（显然，更换path.to.my.filter为您的类文件的真实位置）。

Answer 3:

在我的情况是不是已经习惯了SecureCookieSetter类。我也有我的Java web应用程序运行到GAE。下面是这是在我的情况下工作正常的代码。同时其总是特别建议有其他安全相关的头就像最大年龄及其他如下。

package com.securityFilter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

import com.filters.XSSRequestWrapper;

public class SecurityFilter implements Filter   {

    protected static final Logger log = Logger.getLogger(SecurityFilter.class);

    private static final String PRAGMA_KEY = "Pragma";
    private static final String PRAGMA_VALUE = "no-cache";

    private static final String STRICT_TRANSPORT_KEY = "strict-transport-security";
    private static final String STRICT_TRANSPORT_VALUE = "max-age=604800";

    private static final String SET_COOKIE = "Set-Cookie";
    private static final String JSESSION_ID = "JSESSIONID=";
    private static final String HTTP_ONLY = ";Secure;HttpOnly";

    private static final String CACHE_CONTROL_KEY = "Cache-Control";
    private static final String CACHE_CONTROL_VALUE = "no-store";


    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        makeCookieSecured(response, httpServletRequest);    
        chain.doFilter(request, response);

    }

    private void makeCookieSecured(ServletResponse response,
            HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        HttpServletResponse httpResp = ((HttpServletResponse) response);
        if (cookies != null) {
            for(Cookie cookie :cookies){
                if("JSESSIONID".equals(cookie.getName())) {
                    cookie.setValue(httpServletRequest.getSession().getId() + HTTP_ONLY);
                    cookie.setSecure(true);
                    cookie.setPath("/");
                    cookie.setMaxAge(604800);
                }
            }
        }
        httpResp.setHeader(SET_COOKIE, JSESSION_ID + httpServletRequest.getSession().getId() + HTTP_ONLY);
        httpResp.setHeader(CACHE_CONTROL_KEY, CACHE_CONTROL_VALUE);
        httpResp.setHeader(PRAGMA_KEY, PRAGMA_VALUE);
        httpResp.setHeader(STRICT_TRANSPORT_KEY, STRICT_TRANSPORT_VALUE);
    }

    private void createJSONErrorResponse(ServletResponse response)
            throws IOException {
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("Please provide valid input, You might have provided some special characters which is not allowed");
    }

    @Override 
    public void destroy() {
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

}

文章来源: set httpOnly and secure flags on session cookie in Google App Engine