HttpOnly的设置[通俗易懂]

大家好，又见面了，我是你们的朋友全栈君。

描述：

1.会话cookie中缺少HttpOnly属性会导致攻击者可以通过程序(JS脚本、Applet等)获取到用户的cookie信息，造成用户cookie信息泄露，增加攻击者的跨站脚本攻击威胁。

2.HttpOnly是微软对cookie做的扩展，该值指定cookie是否可通过客户端脚本访问。Microsoft Internet Explorer 版本 6 Service Pack 1 和更高版本支持cookie属性HttpOnly。 

3.如果在Cookie中没有设置HttpOnly属性为true，可能导致Cookie被窃取。窃取的Cookie可以包含标识站点用户的敏感信息，如ASP.NET会话ID或Forms身份验证票证，攻击者可以重播窃取的Cookie，以便伪装成用户或获取敏感信息，进行跨站脚本攻击等。 

4.如果在Cookie中设置HttpOnly属性为true，兼容浏览器接收到HttpOnly cookie，那么客户端通过程序(JS脚本、Applet等)将无法读取到Cookie信息，这将有助于缓解跨站点脚本威胁。

解决方案：

CookieHttpOnlyFilter.java

1. package org._common.filter;

2.  

3. import java.io.IOException;

4. import java.text.SimpleDateFormat;

5. import java.util.Calendar;

6. import java.util.Date;

7. import java.util.Locale;

8.  

9. import javax.servlet.Filter;

10. import javax.servlet.FilterChain;

11. import javax.servlet.FilterConfig;

12. import javax.servlet.ServletException;

13. import javax.servlet.ServletRequest;

14. import javax.servlet.ServletResponse;

15. import javax.servlet.http.Cookie;

16. import javax.servlet.http.HttpServletRequest;

17. import javax.servlet.http.HttpServletResponse;

18. /**

19. * 解决检测到会话cookie中缺少HttpOnly属性的问题

20. * @author kf0101

21. *

22. */

23. public class CookieHttpOnlyFilter implements Filter {


24.  

25. public void destroy() {


26.  

27. }

28.  

29. public void doFilter(ServletRequest request, ServletResponse response,

30. FilterChain filterChain) throws IOException, ServletException {


31. // TODO Auto-generated method stub

32. HttpServletRequest req = (HttpServletRequest) request;

33. HttpServletResponse resp = (HttpServletResponse) response;

34. Cookie[] cookies = req.getCookies();

35. if(cookies!=null){


36. for(Cookie cookie : cookies){


37. String value = cookie.getValue();

38. StringBuilder builder = new StringBuilder();

39. builder.append("JSESSIONID=" + value + "; ");

40. builder.append("Secure; ");

41. builder.append("HttpOnly; ");

42. Calendar cal = Calendar.getInstance();

43. cal.add(Calendar.HOUR, 1);

44. Date date = cal.getTime();

45. Locale locale = Locale.CHINA;

46. SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);

47. builder.append("Expires=" + sdf.format(date));

48. resp.setHeader("Set-Cookie", builder.toString());

49. }

50. filterChain.doFilter(request, response);

51. }

52. }

53.  

54. public void init(FilterConfig arg0) throws ServletException {


55. // TODO Auto-generated method stub

56.  

57. }

58. }

web.xml：

1. <filter>

2. <filter-name>cookieHttpOnlyFilter</filter-name>

3. <filter-class>org._common.filter.CookieHttpOnlyFilter</filter-class>

4. </filter>

5. <filter-mapping>

6. <filter-name>cookieHttpOnlyFilter</filter-name>

7. <url-pattern>/*</url-pattern>

8. </filter-mapping>

 验证方式：查看浏览器设置（HttpOnly） Set-Cookie:  HttpOnly