本文主要是介绍【系统安全】cookie未设置Httponly属性和未设置Secure标识,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
第三方公司做了系统安全测试,提出了这个问题。
详细描述 | 会话cookie中缺少HttpOnly属性会导致攻击者可以通过程序(JS脚本、Applet等)获取到用户的cookie信息,造成用户cookie信息泄露,增加攻击者的跨站脚本攻击威胁。 HttpOnly是微软对cookie做的扩展,该值指定cookie是否可通过客户端脚本访问。Microsoft Internet Explorer 版本 6 Service Pack 1 和更高版本支持cookie属性HttpOnly。 如果在Cookie中没有设置HttpOnly属性为true,可能导致Cookie被窃取。窃取的Cookie可以包含标识站点用户的敏感信息,如ASP.NET会话ID或Forms身份验证票证,攻击者可以重播窃取的Cookie,以便伪装成用户或获取敏感信息,进行跨站脚本攻击等。 如果在Cookie中设置HttpOnly属性为true,兼容浏览器接收到HttpOnly cookie,那么客户端通过程序(JS脚本、Applet等)将无法读取到Cookie信息,这将有助于缓解跨站点脚本威胁。 |
解决办法 | 向所有会话cookie中添加“HttpOnly”属性。 Java示例: HttpServletResponse response2 = (HttpServletResponse)response; //response2.setHeader( "Set-Cookie", "name=value; HttpOnly"); response2.addHeader( "Set-Cookie", "name=value; HttpOnly"); |
解决方式:使用过滤器为每一个cookie添加HttpOnly
在web.xml中加入拦截器:
<!--cookie 设置httponly和secure--><filter><filter-name>cookieFilter</filter-name><filter-class>cn.**.**.**.security.CookieFilter</filter-class></filter><filter-mapping><filter-name>cookieFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
CookieFilter.java内容如下:
public class CookieFilter implements Filter {public static final Logger logger = Logger.getLogger(CookieFilter.class);@Overridepublic void init(FilterConfig filterConfig) throws ServletException {logger.info("Cookie filter started.");}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {HttpServletRequest req = (HttpServletRequest) servletRequest;HttpServletResponse resp = (HttpServletResponse) servletResponse;Cookie[] cookies = req.getCookies();if(cookies != null) {StringBuilder builder = new StringBuilder();for(int i = 0; i < cookies.length; i++) {Cookie cookie = cookies[i];builder.append(cookie.getName() + "=" + cookie.getValue() + ";Secrue;HttpOnly;");//防止js读取cookiecookie.setHttpOnly(true);}//resp.setHeader("Set-Cookie", builder.toString());resp.addHeader("Set-Cookie", builder.toString());}filterChain.doFilter(req, resp);}@Overridepublic void destroy() {logger.info("Cookie filter finished.");}
}
在设置Set-Cookie的时候,用addHeader,如果用setHeader的话,就只是设置一个cookie值得头信息限制,其实在平时会有很多cookie里的主要参数信息需要限制,有的消息也会有不同的浏览器可以存储的时间,所有要一个一个遍历出来设置Cookie的信息。
另外:也可以设置过期时间。
public class CookieFilter implements Filter {public static final Logger logger = Logger.getLogger(CookieFilter.class);@Overridepublic void init(FilterConfig filterConfig) throws ServletException {logger.info("Cookie filter started.");}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {HttpServletRequest req = (HttpServletRequest) servletRequest;HttpServletResponse resp = (HttpServletResponse) servletResponse;Cookie[] cookies = req.getCookies();if(cookies != null) {StringBuilder builder = new StringBuilder();for(int i = 0; i < cookies.length; i++) {Cookie cookie = cookies[i];builder.append(cookie.getName() + "=" + cookie.getValue() + ";Secrue;HttpOnly;");//防止js读取cookiecookie.setHttpOnly(true);//设置过期时间Calendar cal = Calendar.getInstance();cal.add(Calendar.HOUR, 1);Date date = cal.getTime();Locale locale = Locale.CHINA;SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);builder.append("Expires="+sdf.format(date));}//resp.setHeader("Set-Cookie", builder.toString());resp.addHeader("Set-Cookie", builder.toString());}filterChain.doFilter(req, resp);}@Overridepublic void destroy() {logger.info("Cookie filter finished.");}
}
这篇关于【系统安全】cookie未设置Httponly属性和未设置Secure标识的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!