Chr*_*her 18 java servlets glassfish java-ee java-ee-6
默认情况下,Glassfish v3不会在会话cookie上设置httpOnly标志(与往常一样创建时request.getSession()).
我知道,有一种方法javax.servlet.SessionCookieConfig.setHttpOnly(),但我不确定,如果这是最好的方法,如果是的话,最好的地方就是放置那条线.
顺便说一句,当然不能在servlet本身中完成(例如在init()中):
java.lang.IllegalStateException: PWC1426:
Unable to configure httpOnly session tracking cookie property for
servlet context /..., because this servlet context has already been initialized
通常,我更喜欢在web.xml中使用配置选项.
Pas*_*ent 23
这是通过Servlet 3.0支持的web.xml(参见参考资料web-common_3_0.xsd):
<web-app>
<session-config>
<cookie-config>
<!--
Specifies whether any session tracking cookies created
by this web application will be marked as HttpOnly
-->
<http-only>true</http-only>
</cookie-config>
</session-config>
</web-app>
| 归档时间: |
|
| 查看次数: |
12038 次 |
| 最近记录: |