安全问题-Cookie未设置HttpOnly&&Cookie未设置Secure标识

阿里机测的系统漏洞(懒得打字,给报告部分截图):

问题解决:

过滤器处理一下就行了

CookieFilter.java

import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet Filter implementation class CookieFilter
 * 
 * 解决 Cookie未设置HttpOnly  &&  Cookie未设置Secure标识  问题
 * 
 * @author xiaheshun
 */
public class CookieFilter implements Filter {

    /**
     * Default constructor. 
     */
    public CookieFilter() {
        // TODO Auto-generated constructor stub
    }

    /**
     * @see Filter#destroy()
     */
    public void destroy() {
        // TODO Auto-generated method stub
    }

    /**
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest)request; 
        HttpServletResponse resp = (HttpServletResponse)response;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                String value = cookie.getValue();
                StringBuilder builder = new StringBuilder();
                builder.append(cookie.getName()+"="+value+";");
                builder.append("Secure;");//Cookie设置Secure标识
                builder.append("HttpOnly;");//Cookie设置HttpOnly
//                Calendar cal = Calendar.getInstance();
//                cal.add(Calendar.HOUR, 1);
//                Date date = cal.getTime();
//                Locale locale = Locale.CHINA;
//                SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
//                builder.append("Expires="+sdf.format(date));
                resp.addHeader("Set-Cookie", builder.toString());
                
            }
            
        }
        chain.doFilter(request, response);
    }

    /**
     * @see Filter#init(FilterConfig)
     */
    public void init(FilterConfig fConfig) throws ServletException {
        // TODO Auto-generated method stub
    }

}

web.xml

<!--xiaheshun 阿里云检测漏洞问题   解决   Cookie设置HttpOnly  &&  Cookie设置Secure标识  -->
    <filter>
        <filter-name>cookieFilter</filter-name>
        <filter-class>com.hxptp.filter.CookieFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>cookieFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

解决成果:

此处不列举自己公司的截图,用蘑菇街的截图。

 可能遇到的小小坑…也可能就我碰到的。

在设置Set-Cookie的时候,用addHeader,如果用setHeader的话,就只是设置一个cookie值得头信息限制,其实在平时会有很多cookie里的主要参数信息需要限制,有的消息也会有不同的浏览器可以存储的时间,所有要一个一个遍历出来设置Cookie的信息。

代码中有设置过期时间的,注释掉了,需要的时候,可以拿出来用。
————————————————
版权声明:本文为CSDN博主「XiaHeShun」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/XiaHeShun/java/article/details/83339072

Cookie cookie = new Cookie("COOKIE-API", null);
cookie.setHttpOnly(true);
cookie.setSecure(request.isSecure());
cookie.setMaxAge(0);
cookie.setPath("/");
boolean isSecure()

Returns a boolean indicating whether this request was made using a secure channel, such as HTTPS. 

Returns:
a boolean indicating if the request was made using a secure channel

结束。

原文地址:https://www.cnblogs.com/it-deepinmind/p/13070519.html