阿里機測的系統漏洞(懶得打字,給報告部分截圖):
問題解決:
過濾器處理一下就行了
CookieFilter.java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Servlet Filter implementation class CookieFilter
*
* 解決 Cookie未設置HttpOnly && Cookie未設置Secure標識 問題
*
* @author xiaheshun
*/
public class CookieFilter implements Filter {
/**
* Default constructor.
*/
public CookieFilter() {
// TODO Auto-generated constructor stub
}
/**
* @see Filter#destroy()
*/
public void destroy() {
// TODO Auto-generated method stub
}
/**
* @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse resp = (HttpServletResponse)response;
Cookie[] cookies = req.getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
builder.append(cookie.getName()+"="+value+";");
builder.append("Secure;");//Cookie設置Secure標識
builder.append("HttpOnly;");//Cookie設置HttpOnly
// Calendar cal = Calendar.getInstance();
// cal.add(Calendar.HOUR, 1);
// Date date = cal.getTime();
// Locale locale = Locale.CHINA;
// SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
// builder.append("Expires="+sdf.format(date));
resp.addHeader("Set-Cookie", builder.toString());
}
}
chain.doFilter(request, response);
}
/**
* @see Filter#init(FilterConfig)
*/
public void init(FilterConfig fConfig) throws ServletException {
// TODO Auto-generated method stub
}
}
web.xml
<!--xiaheshun 阿里雲檢測漏洞問題 解決 Cookie設置HttpOnly && Cookie設置Secure標識 -->
<filter>
<filter-name>cookieFilter</filter-name>
<filter-class>com.hxptp.filter.CookieFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cookieFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
解決成果:
此處不列舉自己公司的截圖,用蘑菇街的截圖。
可能遇到的小小坑…也可能就我碰到的。
在設置Set-Cookie的時候,用addHeader,如果用setHeader的話,就只是設置一個cookie值得頭信息限制,其實在平時會有很多cookie里的主要參數信息需要限制,有的消息也會有不同的瀏覽器可以存儲的時間,所有要一個一個遍歷出來設置Cookie的信息。
代碼中有設置過期時間的,注釋掉了,需要的時候,可以拿出來用。
————————————————
版權聲明:本文為CSDN博主「XiaHeShun」的原創文章,遵循CC 4.0 BY-SA版權協議,轉載請附上原文出處鏈接及本聲明。
原文鏈接:https://blog.csdn.net/XiaHeShun/java/article/details/83339072