什么是HttpOnly
HttpOnly是包含在http返回頭Set-Cookie里面的一個附加的flag,所以它是后端服務器對cookie設置的一個附加的屬性,在生成cookie時使用HttpOnly標志有助於減輕客戶端腳本訪問受保護cookie的風險(如果瀏覽器支持的話)
下面的例子展示了如何設置Set-Cookie 返回頭的語法
Set-Cookie:
[; expires=
[; path=<some_path>][; secure][; HttpOnly]
如果HTTP響應標頭中包含HttpOnly標志(可選),客戶端腳本將無法訪問cookie(如果瀏覽器支持該標志的話)。因此即使客戶端存在跨站點腳本(XSS)漏洞,瀏覽器也不會將Cookie透露給第三方。
如果瀏覽器不支持HttpOnly,並且后端服務器嘗試設置HttpOnly cookie,瀏覽器也會忽略HttpOnly標志,從而創建傳統的,腳本可訪問的cookie。那么該cookie(通常是會話cookie)容易受到XSS攻擊
安全風險
可能會竊取或操縱客戶會話和 cookie,它們可能用於模仿合法用戶,從而使黑客能夠以該用戶身份查看或變更用戶記錄以及執行事務
解決方案01:在會話cookie中添加HttpOnly屬性
具體操作步驟如下:
HttpServletResponse response2 = (HttpServletResponse)response;
response2.setHeader( "Set-Cookie", "name=value; HttpOnly");
解決方案02(建議使用):在會話cookie中添加HttpOnly屬性
具體操作步驟如下:
在項目中,com.gblfy.util包下,新建CookieFilter類
見附件:
package com.sinosoft.fis.util;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
* 功能描述:
* <p>
* 1.Cookie 設置 httpOnly屬性 Cookie
* 2.設置 httpOnly屬性防止js讀取cookie
* </p>
*
* @author gblfy
*/
public class CookieHttpOnlyFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
if (!(request instanceof HttpServletRequest)) {
chain.doFilter(request, response);
return;
}
HttpServletRequest httpReq = (HttpServletRequest) request;
HttpServletResponse httpResp = (HttpServletResponse) response;
Cookie[] cookies = httpReq.getCookies();
if (cookies != null) {
Cookie cookie = cookies[0];
if (cookie != null) {
HttpSession session = httpReq.getSession();
if (session != null) {
String sessionId = session.getId();
// http設置
httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId + "; Path=/fis; HttpOnly");
// https設置
// httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId
// + "; Path=/admin;Secure; HttpOnly");
}
}
}
chain.doFilter(httpReq, httpResp);
}
public void destroy() {
}
public void init(FilterConfig filterConfig) throws ServletException {
}
}
在web.xml中添加攔截器
<filter>
<filter-name> CookieHttpOnly</filter-name>
<filter-class> com.sinosoft.fis.util. CookieHttpOnlyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name> CookieHttpOnly</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
火狐測試結果:
谷歌測試結果:
