Java 设置 httponly cookie

Httponly cookie 是一种 cookie 安全解决方案。

在支持httponly cookie的浏览器（IE6+、FF3.0+）中，如果cookie中设置了“httponly”属性，则JavaScript脚本将无法读取cookie信息，可以有效防止XSS攻击，让网站应用更安全。

 

但是J2EE4、J2EE5 cookie不提供设置httponly属性的方法，所以如果需要设置httponly属性需要自己处理。

1. import javax.servlet.http.Cookie;
2. import javax.servlet.http.HttpServletResponse;
3.  
4. /**
5. * Cookie Tools
6. */
7. public class CookieUtil {
8.  
9. /**
10. * Set httponly cookie
11. * @param Response HTTP response
12. * @param Cookie cookie object
13. * @param Ishttponly is httponly
14. */
15. public static void addCookie(HttpServletResponse response, Cookie cookie, boolean isHttpOnly) {
16. String name = cookie.getName();//Cookie name
17. String value = cookie.getValue();//Cookie value
18. int maxAge = cookie.getMaxAge();//Maximum survival time (milliseconds, 0 representative deletion, -1 represents the same as the browser session)
19. String path = cookie.getPath();//path
20. String domain = cookie.getDomain();//area
21. boolean isSecure = cookie.getSecure();//Is there a security protocol?
22.  
23. StringBuilder buffer = new StringBuilder();
24.  
25. buffer.append(name).append("=").append(value).append(";");
26.  
27. if (maxAge == 0) {
28. buffer.append("Expires=Thu Jan 01 08:00:00 CST 1970;");
29. } else if (maxAge > 0) {
30. buffer.append("Max-Age=").append(maxAge).append(";");
31. }
32.  
33. if (domain != null) {
34. buffer.append("domain=").append(domain).append(";");
35. }
36.  
37. if (path != null) {
38. buffer.append("path=").append(path).append(";");
39. }
40.  
41. if (isSecure) {
42. buffer.append("secure;");
43. }
44.  
45. if (isHttpOnly) {
46. buffer.append("HTTPOnly;");
47. }
48.  
49. response.addHeader("Set-Cookie", buffer.toString());
50. }
51.  
52. }

值得一提的是，Java Ee 6.0中的cookie已经设置了httponly，所以如果兼容Java EE 6.0兼容的容器（例如Tomcat 7），可以使用cookie.sethttponly设置HTTPONLY：

cookie.setHttpOnly(true);

Java HttpCookie 类的setHttpOnly(Boolean httpOnly) 方法用于指示cookie 是否可以被认为是HTTPOnly。如果设置为 true，则 cookie 不能被 JavaScript 等脚本引擎访问。

 

句法

 

public void setHttpOnly(boolean httpOnly)  

1.  

范围

上述方法只需要一个参数：

1. httpOnly - 如果 cookie 仅是 HTTP，则表示 true，这意味着它作为 HTTP 请求的一部分可见。

返回

不适用

示例 1

 

1. import java.net.HttpCookie;
2. public class JavaHttpCookieSetHttpOnlyExample1 {
3. public static void main(String[] args) {
4. HttpCookie cookie = new HttpCookie("Student", "1");
5. // Indicate whether the cookie can be considered as HTTP Only or not.
6. cookie.setHttpOnly(true);
7. // Return true if the cookie is considered as HTTPOnly.
8. System.out.println("Check whether the cookie is HTTPOnly: "+cookie.isHttpOnly());
9. }
10. }

 

输出：

Check whether the cookie is HTTPOnly: true

 

示例 2

 

1. import java.net.HttpCookie;
2. public class JavaHttpCookieSetHttpOnlyExample2 {
3. public static void main(String[] args) {
4. HttpCookie cookie = new HttpCookie("Student", "1");
5. // Indicate whether the cookie can be considered as HTTP Only or not.
6. cookie.setHttpOnly(false);
7. // Return false if the cookie is not considered as HTTPOnly.
8. System.out.println("Check whether the cookie is HTTPOnly: "+cookie.isHttpOnly());
9. }
10. }

 

输出：

Check whether the cookie is HTTPOnly: false

 

示例 3

 

1. import java.net.HttpCookie;
2. public class JavaHttpCookieSetHttpOnlyExample3 {
3. public static void main(String[] args) {
4. HttpCookie cookie1 = new HttpCookie("Student1", "1");
5. HttpCookie cookie2 = new HttpCookie("Student2", "2");
6. //Indicate whether the cookie can be considered as HTTP Only or not.
7. cookie1.setHttpOnly(true);
8. cookie2.setHttpOnly(false);
9. System.out.println("Check whether the first cookie is HTTPOnly:"+cookie1.isHttpOnly());
10. System.out.println("Check whether the second cookie is HTTPOnly:"+cookie2.isHttpOnly());
11. }
12. }

 

输出：

1. Check whether the first cookie is HTTPOnly:true
2. Check whether the second cookie is HTTPOnly:false