Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.3k views
in Technique[技术] by (71.8m points)

security - how to set httponly and session cookie for java web application

I am working on an XSS (cross site scripting) issue. My application runs on an Oracle Weblogic portal. We use Servlet version 2.5.

I have added the below 3 lines of code in the filter for setting httponly and secure cookies, and it is working fine.

String sessionid = req.getSession().getId();
res.setHeader("Set-Cookie", "JSESSIONID=" +  sessionid + ";HttpOnly");
res.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure");

The issue is when I logout and login immediately in the same browser. I am able to login, but after that, on the jsp pages I am getting a session timeout issue. We use weblogic related apis. The request.getuserprinical() api is returning null.. guess it is setting to null.

Please share any ideas.

If there are any other ways to set httponly or secure flag, please help.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Depending on the specifics of your web container, modifying container-managed session cookies within an app can cause the app server to toss the existing session and create a new one. I've observed this on Tomcat but it may be similar for Weblogic.

If you're using Servlets 3.0, you can actually instruct the app server to ensure that all session cookies are HttpOnly and Secure with the following fragments:

<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

This is a better approach than manually hacking on the cookies with a filter.

FYI: I've also written a Java library that injects a number of security related response headers in Servlet based apps.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...