HttpOnly is a cookie attribute that stops JavaScript from reading the cookie, which makes it an important defence against cookie theft through XSS! So how do you add it in code to cookies that do not yet carry the HttpOnly attribute?
Adding the HttpOnly attribute in Java:
Java EE 4 and Java EE 5 have no HttpOnly setter on the Cookie class, so the attribute has to be written into the Set-Cookie header by hand.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class CookieUtil {
    /**
     * Writes a cookie as a raw Set-Cookie header, optionally marked HttpOnly.
     * @param response   the HTTP response
     * @param cookie     the Cookie object to emit
     * @param isHttpOnly whether to add the HttpOnly attribute
     */
    public static void addCookie(HttpServletResponse response, Cookie cookie, boolean isHttpOnly) {
        String name = cookie.getName();       // cookie name
        String value = cookie.getValue();     // cookie value
        int maxAge = cookie.getMaxAge();      // lifetime in seconds (0 = delete, -1 = browser session)
        String path = cookie.getPath();       // path
        String domain = cookie.getDomain();   // domain
        boolean isSecure = cookie.getSecure(); // only send over HTTPS
        StringBuilder buffer = new StringBuilder();
        buffer.append(name).append("=").append(value).append(";");
        if (maxAge == 0) {
            // Expire the cookie immediately with a date in the past (RFC 1123 format)
            buffer.append("Expires=Thu, 01 Jan 1970 00:00:00 GMT;");
        } else if (maxAge > 0) {
            buffer.append("Max-Age=").append(maxAge).append(";");
        }
        if (domain != null) {
            buffer.append("Domain=").append(domain).append(";");
        }
        if (path != null) {
            buffer.append("Path=").append(path).append(";");
        }
        if (isSecure) {
            buffer.append("Secure;");
        }
        if (isHttpOnly) {
            buffer.append("HttpOnly;");
        }
        response.addHeader("Set-Cookie", buffer.toString());
    }
}
For Java EE 6.0 (Servlet 3.0 and later) the Cookie class has the setter built in, so all you need is
cookie.setHttpOnly(true);
Adding the HttpOnly attribute in PHP:
For PHP versions before 5.1, the attribute can only be added by writing the header yourself:
<?php
// The header name is Set-Cookie (hyphen, not underscore)
header("Set-Cookie: hidden=value; HttpOnly");
?>
Setting the HttpOnly attribute on PHP 5.2 and later:
Method 1: in php.ini
session.cookie_httponly = 1
Set its value to 1 or TRUE to enable the HttpOnly attribute on the session cookie globally.
-----------------------------------------------------
Method 2: enable it from code:
<?php
ini_set("session.cookie_httponly", 1);
// or: lifetime, path, domain, secure, httponly
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
?>
-----------------------------------------------------
Method 3: the cookie functions setcookie and setrawcookie gained a dedicated 7th parameter for the HttpOnly option. Enable it like this:
// Parameters: name, value, expires, path, domain, secure, httponly
// (0, "" and false are the documented defaults; passing NULL for these raises a deprecation notice on PHP 8.1+)
setcookie("abc", "test", 0, "", "", false, true);
setrawcookie("abc", "test", 0, "", "", false, true);
-------------------------------------------------------
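Whichever of the methods above you use, the proof is in the Set-Cookie header the server actually sends. The checker below is an added example (not part of the original post) that parses Set-Cookie values the way a browser does (attribute names are case-insensitive, trailing semicolons are tolerated) and reports cookies that lack HttpOnly or Secure; the sample headers are constructed, not captured from a real server.

```python
# Audit helper for the Set-Cookie headers that the Java CookieUtil and the
# PHP snippets above emit. Added example, not part of the original post.
from typing import Dict, List

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into {"name": ..., "value": ..., attrs...}.

    Attribute names are case-insensitive (RFC 6265), so "HTTPOnly",
    "HttpOnly" and "httponly" all count; empty segments left by a trailing
    semicolon are ignored.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("Set-Cookie must start with name=value")
    name, value = parts[0].split("=", 1)
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()   # flag attrs map to ""
    return cookie

def audit_headers(headers: List[str]) -> List[str]:
    """Return one finding per cookie that lacks HttpOnly and/or Secure."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        missing = [flag for flag in ("HttpOnly", "Secure")
                   if flag.lower() not in c]
        if missing:
            findings.append(f"{c['name']}: missing {', '.join(missing)}")
    return findings

# Constructed sample headers (not captured from a real server): the first is
# the shape CookieUtil builds, the second is the PHP header() call above, the
# third is a cookie set with neither flag.
SAMPLE_HEADERS = [
    "JSESSIONID=1a2b3c;Max-Age=1800;path=/;secure;HTTPOnly;",
    "hidden=value; HttpOnly",
    "prefs=dark; Path=/; Max-Age=86400",
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Feed it the Set-Cookie values from a captured response (for example from your browser's network panel or a proxy log) to confirm that every session cookie really carries the flag.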