Httponly cookie 是一种 cookie 安全解决方案。
在支持httponly cookie的浏览器(IE6+、FF3.0+)中,如果cookie中设置了“httponly”属性,则JavaScript脚本将无法读取cookie信息,可以有效防止XSS攻击,让网站应用更安全。
但是J2EE4、J2EE5 cookie不提供设置httponly属性的方法,所以如果需要设置httponly属性需要自己处理。
import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletResponse; /** * Cookie Tools */ public class CookieUtil { /** * Set httponly cookie * @param Response HTTP response * @param Cookie cookie object * @param Ishttponly is httponly */ public static void addCookie(HttpServletResponse response, Cookie cookie, boolean isHttpOnly) { String name = cookie.getName();//Cookie name String value = cookie.getValue();//Cookie value int maxAge = cookie.getMaxAge();//Maximum survival time (milliseconds, 0 representative deletion, -1 represents the same as the browser session) String path = cookie.getPath();//path String domain = cookie.getDomain();//area boolean isSecure = cookie.getSecure();//Is there a security protocol? StringBuilder buffer = new StringBuilder(); buffer.append(name).append("=").append(value).append(";"); if (maxAge == 0) { buffer.append("Expires=Thu Jan 01 08:00:00 CST 1970;"); } else if (maxAge > 0) { buffer.append("Max-Age=").append(maxAge).append(";"); } if (domain != null) { buffer.append("domain=").append(domain).append(";"); } if (path != null) { buffer.append("path=").append(path).append(";"); } if (isSecure) { buffer.append("secure;"); } if (isHttpOnly) { buffer.append("HTTPOnly;"); } response.addHeader("Set-Cookie", buffer.toString()); } }
值得一提的是,Java Ee 6.0中的cookie已经设置了httponly,所以如果兼容Java EE 6.0兼容的容器(例如Tomcat 7),可以使用cookie.sethttponly设置HTTPONLY:
cookie.setHttpOnly(true);
Java HttpCookie 类的setHttpOnly(Boolean httpOnly) 方法用于指示cookie 是否可以被认为是HTTPOnly。如果设置为 true,则 cookie 不能被 JavaScript 等脚本引擎访问。
public void setHttpOnly(boolean httpOnly)
上述方法只需要一个参数:
httpOnly - 如果 cookie 仅是 HTTP,则表示 true,这意味着它作为 HTTP 请求的一部分可见。
不适用
import java.net.HttpCookie; public class JavaHttpCookieSetHttpOnlyExample1 { public static void main(String[] args) { HttpCookie cookie = new HttpCookie("Student", "1"); // Indicate whether the cookie can be considered as HTTP Only or not. cookie.setHttpOnly(true); // Return true if the cookie is considered as HTTPOnly. System.out.println("Check whether the cookie is HTTPOnly: "+cookie.isHttpOnly()); } }
输出:
Check whether the cookie is HTTPOnly: true
import java.net.HttpCookie; public class JavaHttpCookieSetHttpOnlyExample2 { public static void main(String[] args) { HttpCookie cookie = new HttpCookie("Student", "1"); // Indicate whether the cookie can be considered as HTTP Only or not. cookie.setHttpOnly(false); // Return false if the cookie is not considered as HTTPOnly. System.out.println("Check whether the cookie is HTTPOnly: "+cookie.isHttpOnly()); } }
输出:
Check whether the cookie is HTTPOnly: false
import java.net.HttpCookie; public class JavaHttpCookieSetHttpOnlyExample3 { public static void main(String[] args) { HttpCookie cookie1 = new HttpCookie("Student1", "1"); HttpCookie cookie2 = new HttpCookie("Student2", "2"); //Indicate whether the cookie can be considered as HTTP Only or not. cookie1.setHttpOnly(true); cookie2.setHttpOnly(false); System.out.println("Check whether the first cookie is HTTPOnly:"+cookie1.isHttpOnly()); System.out.println("Check whether the second cookie is HTTPOnly:"+cookie2.isHttpOnly()); } }
输出:
Check whether the first cookie is HTTPOnly:true
Check whether the second cookie is HTTPOnly:false
以上是如何在Java中设置HttpOnly Cookie?的详细内容。更多信息请关注PHP中文网其他相关文章!