The value of httpOnly obtained by the Java server is always false. Is that strange?

For the cookie named JSESSIONID, HttpOnly is obviously true, yet the HttpOnly value read by the server is always false.

Java Cookie handling methods

HttpOnly problem with the request-header Cookie

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>javascript读取不到httpOnly属性值等于true的cookie</title>
<script type="text/javascript">
window.onload = function() {
	var divNode = document.getElementById("showCookie");
	divNode.innerHTML = "cookie如下:<br/>" + document.cookie;
}
</script>
</head>
<body style="background-color: #CCE8CF;">
<h2>javascript读取不到httpOnly属性值等于true的cookie</h2>
<div id="showCookie" style="background-color: Wheat; height: 200px;">
</div>
</body>
</html>

package com.test.servlet;

import java.io.IOException;
import java.util.Enumeration;
import java.util.UUID;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Test the HttpOnly flag of a Cookie
 */
@WebServlet("/TestCookie")
public class TestCookie extends HttpServlet {
	private static final long serialVersionUID = 1L;

	protected void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
//		String header = response.getHeader("Set-Cookie");
//		System.out.println(header);
		Cookie[] cookies = request.getCookies();
		if (cookies != null) {
			for (Cookie cookie : cookies) {
				System.out.println(cookie.getName() + "=" + cookie.getValue() +",httpOnly=" + cookie.isHttpOnly());
				System.out.println("Domain=" + cookie.getDomain() + ",Path=" + cookie.getPath());
				System.out.println("-------------------------");
			}
		} else {
			Cookie cookie = new Cookie("access_token", UUID.randomUUID().toString());
			cookie.setHttpOnly(false);
			cookie.setPath("/");
			cookie.setDomain("localhost");
			response.addCookie(cookie);
			response.sendRedirect("http://localhost:8888" + request.getContextPath() + "/js.html");
		}
		
		// Get the names of all request headers
		Enumeration<String> headerNames = request.getHeaderNames();
		while (headerNames.hasMoreElements()) {
		    String headerName = headerNames.nextElement();
		    // Print each request header and its corresponding value
		    System.out.println(headerName + " = " + request.getHeader(headerName));
		}
	}

	protected void doPost(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		doGet(request, response);
	}

}

Visit the Servlet at http://localhost:8888/javaScript2021/TestCookie; the output is as follows:

access_token=3334b9fe-dcfe-4167-833f-92c9bd1210a9,httpOnly=false
Domain=null,Path=null
-------------------------
test_token=cc50861e-1682-4e7c-9a43-a2caacd9c57c,httpOnly=false
Domain=null,Path=null
-------------------------
my_id=8173206f-df14-4b35-8451-a883bae03de9,httpOnly=false
Domain=null,Path=null
-------------------------
host = localhost:8888
connection = keep-alive
cache-control = max-age=0
dnt = 1
upgrade-insecure-requests = 1
user-agent = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
accept = text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site = none
sec-fetch-mode = navigate
sec-fetch-user = ?1
sec-fetch-dest = document
accept-encoding = gzip, deflate, br
accept-language = zh-CN,zh;q=0.9
cookie = access_token=3334b9fe-dcfe-4167-833f-92c9bd1210a9; test_token=cc50861e-1682-4e7c-9a43-a2caacd9c57c; my_id=8173206f-df14-4b35-8451-a883bae03de9


The cookie reaches the server through the Cookie field of the request header. The server parses this cookie string and wraps it into a Cookie[]. When the browser sends cookies back, it transmits only the name=value pairs, so every other field of each Cookie object keeps its default value, and a boolean defaults to false. The HttpOnly attribute exists only in the Set-Cookie header the server itself emitted; it is never echoed back by the browser, so request.getCookies() cannot report it.
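To make this concrete, here is an added Python example (not code from the original post) that parses both directions of the exchange: the Set-Cookie response header, where the HttpOnly attribute actually lives, and the Cookie request header the browser sends back, which carries only name=value pairs. The Set-Cookie lines and the JSESSIONID value are constructed for the example; the Cookie header is the one captured in the servlet output above.

```python
"""Why request.getCookies() never reports HttpOnly: only Set-Cookie carries attributes."""
from typing import Dict, List, NamedTuple

# Constructed Set-Cookie headers modelled on what the servlet above would emit
# (the JSESSIONID value is a placeholder, not from the original page).
SET_COOKIE_HEADERS = [
    "JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/javaScript2021; HttpOnly",
    "access_token=3334b9fe-dcfe-4167-833f-92c9bd1210a9; Path=/; Domain=localhost",
]
# The Cookie request header as captured in the servlet output on the page.
COOKIE_HEADER = ("access_token=3334b9fe-dcfe-4167-833f-92c9bd1210a9; "
                 "test_token=cc50861e-1682-4e7c-9a43-a2caacd9c57c; "
                 "my_id=8173206f-df14-4b35-8451-a883bae03de9")


class SetCookie(NamedTuple):
    name: str
    value: str
    http_only: bool
    attrs: Dict[str, str]  # valued attributes such as Path and Domain, lower-cased keys


def parse_set_cookie(header: str) -> SetCookie:
    """Parse one Set-Cookie response header: name=value followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    flags = set()
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        key = key.strip().lower()
        if sep:
            attrs[key] = val.strip()   # e.g. path=/, domain=localhost
        else:
            flags.add(key)             # bare flags: httponly, secure
    return SetCookie(name.strip(), value, "httponly" in flags, attrs)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse the Cookie request header. Only name=value pairs exist on the wire."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value  # no attribute to read: HttpOnly is simply absent here
    return cookies


def http_only_audit(set_cookie_headers: List[str]) -> Dict[str, bool]:
    """Where HttpOnly can be verified server-side: the server's own Set-Cookie output."""
    return {c.name: c.http_only for c in map(parse_set_cookie, set_cookie_headers)}
```

The audit returns True for JSESSIONID and False for access_token, while the parsed Cookie header yields three plain name/value entries and nothing else, which is exactly what the servlet's isHttpOnly() loop is seeing.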


Origin blog.csdn.net/czh500/article/details/114959997