
Description:

1. If the session cookie lacks the HttpOnly attribute, an attacker can read the user's cookie through client-side code (JavaScript, applets, etc.). This leaks the cookie contents and increases the threat posed by cross-site scripting attacks.

2. HttpOnly is a Microsoft extension to cookies that specifies whether a cookie may be accessed by client-side scripts. Microsoft Internet Explorer version 6 Service Pack 1 and later support the HttpOnly cookie attribute.

3. If a cookie's HttpOnly attribute is not set to true, the cookie may be stolen. A stolen cookie can contain sensitive information that identifies a site user, such as an ASP.NET session ID or a Forms authentication ticket. An attacker can replay the stolen cookie to impersonate the user, obtain sensitive information, or carry out cross-site scripting attacks.

4. If the cookie's HttpOnly attribute is set to true and a compatible browser receives the HttpOnly cookie, client-side code (JavaScript, applets, etc.) cannot read the cookie.

Solution:

CookieHttpOnlyFilter.java

```java
package org._common.filter;

import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Fixes the finding "missing HttpOnly attribute detected in session cookie"
 * by re-issuing the JSESSIONID cookie with the Secure and HttpOnly flags.
 * @author KF0101
 */
public class CookieHttpOnlyFilter implements Filter {

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                // Only rewrite the session cookie; copying every cookie's value
                // into JSESSIONID would overwrite the real session id.
                if (!"JSESSIONID".equals(cookie.getName())) {
                    continue;
                }
                String value = cookie.getValue();
                StringBuilder builder = new StringBuilder();
                builder.append("JSESSIONID=").append(value).append(";");
                builder.append("Secure;");
                builder.append("HttpOnly;");
                // Expire one hour from now. Cookie Expires values must use the
                // RFC 1123 date format in GMT, e.g. "Thu, 01 Jan 2026 00:00:00 GMT".
                Calendar cal = Calendar.getInstance();
                cal.add(Calendar.HOUR, 1);
                Date date = cal.getTime();
                SimpleDateFormat sdf = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US);
                sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
                builder.append("Expires=").append(sdf.format(date));
                resp.setHeader("Set-Cookie", builder.toString());
            }
        }
        filterChain.doFilter(request, response);
    }

    public void init(FilterConfig arg0) throws ServletException {
        // no configuration needed
    }
}
```

web.xml

```xml
<filter>
    <filter-name>CookieHttpOnlyFilter</filter-name>
    <filter-class>org._common.filter.CookieHttpOnlyFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CookieHttpOnlyFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
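To verify that the finding described above is actually closed after deploying the filter, the following Python check (an added example, not part of the original post or the filter's code) parses `Set-Cookie` header values and reports session cookies that still lack HttpOnly or Secure. The set of session-cookie names beyond those the page mentions (JSESSIONID, the ASP.NET session ID, the Forms authentication ticket) is an assumption, and the sample headers are constructed.

```python
from dataclasses import dataclass, field
from typing import List

# Cookie names that carry session state or an auth ticket. The page names
# JSESSIONID, the ASP.NET session ID and the Forms authentication ticket;
# the remaining entries are common equivalents (assumption, extend as needed).
SESSION_COOKIE_NAMES = {"jsessionid", "asp.net_sessionid", ".aspxauth", "phpsessid"}


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie header value into the cookie name and its flags.

    Attribute names are matched case-insensitively, as browsers do, so
    'secure;' and 'Secure;' are both recognised.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, http_only="httponly" in attrs, secure="secure" in attrs)


def audit_set_cookie_headers(headers: List[str]) -> List[CookieAudit]:
    """Audit every Set-Cookie header; session cookies get one finding per missing flag."""
    results = []
    for value in headers:
        audit = parse_set_cookie(value)
        if audit.name.lower() in SESSION_COOKIE_NAMES:
            if not audit.http_only:
                audit.findings.append(f"{audit.name}: missing HttpOnly")
            if not audit.secure:
                audit.findings.append(f"{audit.name}: missing Secure")
        results.append(audit)
    return results


# Constructed sample Set-Cookie values, not captured from a real server.
SAMPLE_HEADERS = [
    "JSESSIONID=CONSTRUCTED1; Path=/",  # the scanner finding: no flags at all
    "JSESSIONID=CONSTRUCTED2;Secure;HttpOnly;Expires=Thu, 01 Jan 2026 00:00:00 GMT",  # after the filter
    "theme=dark; Path=/",  # not a session cookie, so no finding
]

if __name__ == "__main__":
    for audit in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(audit.name, audit.findings or "ok")
```

Feed it the `Set-Cookie` values captured from a login response before and after the filter is mapped; the first sample should produce two findings, the second none.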