详细描述 |
会话cookie中缺少HttpOnly属性会导致攻击者可以通过程序(JS脚本、Applet等)获取到用户的cookie信息,造成用户cookie信息泄露,增加攻击者的跨站脚本攻击威胁。
HttpOnly是微软对cookie做的扩展,该值指定cookie是否可通过客户端脚本访问。Microsoft Internet Explorer 版本 6 Service Pack 1 和更高版本支持cookie属性HttpOnly。
如果在Cookie中没有设置HttpOnly属性为true,可能导致Cookie被窃取。窃取的Cookie可以包含标识站点用户的敏感信息,如ASP.NET会话ID或Forms身份验证票证,攻击者可以重播窃取的Cookie,以便伪装成用户或获取敏感信息,进行跨站脚本攻击等。
如果在Cookie中设置HttpOnly属性为true,兼容浏览器接收到HttpOnly cookie,那么客户端通过程序(JS脚本、Applet等)将无法读取到Cookie信息,这将有助于缓解跨站点脚本威胁。 |
解决办法 |
向所有会话cookie中添加“HttpOnly”属性。 Java示例: HttpServletResponse response2 = (HttpServletResponse)response; response2.setHeader( "Set-Cookie", "name=value; HttpOnly");
C#示例: HttpCookie myCookie = new HttpCookie("myCookie"); myCookie.HttpOnly = true; Response.AppendCookie(myCookie);
VB.NET示例: Dim myCookie As HttpCookie = new HttpCookie("myCookie") myCookie.HttpOnly = True Response.AppendCookie(myCookie) |
解决方式:使用过滤器为每一个cookie添加HttpOnly
在web.xml中加入拦截器:
<!-- Cookie中设置HttpOnly属性为true -->
<filter>
<filter-name>CookieFilter</filter-name>
<filter-class>com.zfsoft.filter.CookieFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CookieFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
CookieFilter.java内容如下:
/**
* 向所有会话cookie中添加“HttpOnly”属性
* @author dyq
* @date 20180628
*
*/
public class CookieHttpOnlyFilter implements Filter{
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// TODO Auto-generated method stub
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest Hrequest = (HttpServletRequest)request;
Cookie[] cookies=Hrequest.getCookies();
for(Cookie cookie:cookies){
/**
* //tomcat7 支持该属性,tomcat6不支持
* //cookie.setHttpOnly(true);
*/
//tomcat6
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
builder.append("JSESSIONID=" + value + "; ");
builder.append("Secure; ");
builder.append("HttpOnly; ");
Calendar cal = Calendar.getInstance();
cal.add(Calendar.HOUR, 1);
Date date = cal.getTime();
Locale locale = Locale.CHINA;
SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale);
builder.append("Expires=" + sdf.format(date));
resp.setHeader("Set-Cookie", builder.toString());
}
chain.doFilter(new StrutsRequestWrapper((HttpServletRequest) request), response);
}
@Override
public void destroy() {
// TODO Auto-generated method stub
}
}