Bagaimana untuk menetapkan HttpOnly Cookie di Java?

Kuki Httponly ialah penyelesaian keselamatan kuki.

Dalam penyemak imbas yang menyokong kuki httpsahaja (IE6+, FF3.0+), jika atribut "httponly" ditetapkan dalam kuki, skrip JavaScript tidak akan dapat membaca maklumat kuki, yang boleh menghalang dengan berkesan Serangan XSS dan membenarkan aplikasi Laman web lebih selamat.

Walau bagaimanapun, kuki J2EE4 dan J2EE5 tidak menyediakan kaedah untuk menetapkan atribut httponly, jadi jika anda perlu menetapkan atribut httponly, anda perlu mengendalikannya sendiri.

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
 
/**
 * Cookie Tools
 */
public class CookieUtil {
 
    /**
           * Set httponly cookie
     * @param  Response HTTP response
     * @param  Cookie cookie object
     * @param  Ishttponly is httponly
     */
    public static void addCookie(HttpServletResponse response, Cookie cookie, boolean isHttpOnly) {
        String name = cookie.getName();//Cookie name
        String value = cookie.getValue();//Cookie value
        int maxAge = cookie.getMaxAge();//Maximum survival time (milliseconds, 0 representative deletion, -1 represents the same as the browser session)
        String path = cookie.getPath();//path
        String domain = cookie.getDomain();//area
        boolean isSecure = cookie.getSecure();//Is there a security protocol? 
 
        StringBuilder buffer = new StringBuilder();
 
        buffer.append(name).append("=").append(value).append(";");
 
        if (maxAge == 0) {
            buffer.append("Expires=Thu Jan 01 08:00:00 CST 1970;");
        } else if (maxAge > 0) {
            buffer.append("Max-Age=").append(maxAge).append(";");
        }
 
        if (domain != null) {
            buffer.append("domain=").append(domain).append(";");
        }
 
        if (path != null) {
            buffer.append("path=").append(path).append(";");
        }
 
        if (isSecure) {
            buffer.append("secure;");
        }
 
        if (isHttpOnly) {
            buffer.append("HTTPOnly;");
        }
 
        response.addHeader("Set-Cookie", buffer.toString());
    }
 
}

Perlu dinyatakan bahawa kuki dalam Java Ee 6.0 telah menetapkan http sahaja, jadi jika ia serasi dengan bekas serasi Java EE 6.0 (seperti Tomcat 7), anda boleh menggunakan cookie.sethttponly untuk set HTTPONLY:

cookie.setHttpOnly(true);

Kaedah setHttpOnly(Boolean httpOnly) kelas Java HttpCookie digunakan untuk menunjukkan sama ada kuki itu boleh dianggap HTTPOnly. Jika ditetapkan kepada benar, kuki tidak boleh diakses oleh enjin skrip seperti JavaScript.

Sintaks

public void setHttpOnly(boolean httpOnly)

Skop

Kaedah di atas hanya memerlukan satu parameter:

httpSahaja - benar jika kuki adalah HTTP sahaja, yang bermaksud Ia kelihatan sebagai sebahagian daripada permintaan HTTP.

Pulangan

Tidak berkenaan

Contoh 1

import java.net.HttpCookie;  
public class JavaHttpCookieSetHttpOnlyExample1 {  
  public static void main(String[] args) {  
    HttpCookie  cookie = new HttpCookie("Student", "1");  
    // Indicate whether the cookie can be considered as HTTP Only or not.  
        cookie.setHttpOnly(true);  
    // Return true if the cookie is considered as HTTPOnly.  
System.out.println("Check whether the cookie is HTTPOnly: "+cookie.isHttpOnly());  
     }  
 }

Output:

Semak sama ada kuki itu HTTPSahaja: benar

Contoh 2

import java.net.HttpCookie;  
public class JavaHttpCookieSetHttpOnlyExample2 {  
    public static void main(String[] args) {  
        HttpCookie  cookie = new HttpCookie("Student", "1");  
        // Indicate whether the cookie can be considered as HTTP Only or not.  
            cookie.setHttpOnly(false);  
        // Return false if the cookie is not considered as HTTPOnly.  
    System.out.println("Check whether the cookie is HTTPOnly: "+cookie.isHttpOnly());  
   }  
}

Output:

Semak sama ada kuki itu HTTPSahaja: palsu

Contoh 3

import java.net.HttpCookie;  
public class JavaHttpCookieSetHttpOnlyExample3 {  
    public static void main(String[] args) {  
        HttpCookie cookie1 = new HttpCookie("Student1", "1");  
        HttpCookie cookie2 = new HttpCookie("Student2", "2");  
        //Indicate whether the cookie can be considered as HTTP Only or not.  
        cookie1.setHttpOnly(true);  
        cookie2.setHttpOnly(false);  
        System.out.println("Check whether the first cookie is HTTPOnly:"+cookie1.isHttpOnly());  
        System.out.println("Check whether the second cookie is HTTPOnly:"+cookie2.isHttpOnly());  
       }  
    }

Output:

Semak sama ada kuki pertama HTTPOnly:true
Semak sama ada kuki kedua HTTPOnly:false

Atas ialah kandungan terperinci Bagaimana untuk menetapkan HttpOnly Cookie di Java?. Untuk maklumat lanjut, sila ikut artikel berkaitan lain di laman web China PHP!