使用javax.servlet 2.5设置httponly cookie

Question

这是一个设置cookie的函数:

public void addCookie(String cookieName, String cookieValue, Integer maxAge, HttpServletResponse response) {
    Cookie cookie = new Cookie(cookieName, cookieValue);
    cookie.setPath("/mycampaigns");
    cookie.setSecure(isSecureCookie);
    cookie.setMaxAge(maxAge);
    response.addCookie(cookie);
}

我相信servlet 3.0,有一种方法可以直接执行此操作.不幸的是,我的组织在这个时刻使用2.5和UPGRADING不是一个选项.

有没有办法使用响应来设置cookie？这是我在网上找到的一个例子

response.setHeader("SET-COOKIE", "[SOME STUFF]" +"; HttpOnly")

如果这是我想要的唯一方法,那么我将取代"[SOME STUFF]"以便我不会丢失我的功能当前存储在cookie中的任何数据？

Answer 1

你是对的,手动设置标题是实现目标的正确方法.

您还可以使用javax.ws.rs.core.NewCookie或任何其他具有有用toString方法的类将cookie打印到标题以使事情更简单.

public static String getHttpOnlyCookieHeader(Cookie cookie) {

    NewCookie newCookie = new NewCookie(cookie.getName(), cookie.getValue(), 
            cookie.getPath(), cookie.getDomain(), cookie.getVersion(), 
            cookie.getComment(), cookie.getMaxAge(), cookie.getSecure());

    return newCookie + "; HttpOnly";
}

用法:

response.setHeader("SET-COOKIE", getHttpOnlyCookieHeader(myOriginalCookie));

Answer 2

此代码无需使用即可工作response.setHeader()：

public void addCookie(String cookieName, String cookieValue, Integer maxAge, HttpServletResponse response) {  
    Cookie cookie = new Cookie(cookieName, cookieValue);
    cookie.setPath("; HttpOnly;");
    cookie.setSecure(isSecureCookie);
    cookie.setMaxAge(maxAge);
    response.addCookie(cookie);
}

Answer 3

对于 JEE 6 之前的 Java Enterprise Edition 版本（例如 Servlet 2.5），您可以在 OWASP 找到解决方法。下面是一个例子：

    /**
     * Issue a cookie to the browser
     * 
     * @param response
     * @param cookieName
     * @param cookieValue
     * @param cookiePath
     * @param maxAgeInSeconds
     */
    public static void issueCookieHttpOnly(HttpServletResponse response, 
            String cookieName, 
            String cookieValue, 
            String cookiePath, 
            long maxAgeInSeconds) {

        Date expireDate= new Date();
        expireDate.setTime (expireDate.getTime() + (1000 * maxAgeInSeconds));
        // The following pattern does not work for IE.
        // DateFormat df = new SimpleDateFormat("dd MMM yyyy kk:mm:ss z");

        // This pattern works for Firefox, Chrome, Safari and Opera, as well as IE.
        DateFormat df = new SimpleDateFormat("EEE, dd-MMM-yyyy kk:mm:ss z");
        df.setTimeZone(TimeZone.getTimeZone("GMT"));
        String cookieExpire = df.format(expireDate);

        StringBuilder sb = new StringBuilder(cookieName);
        sb.append("=");
        sb.append(cookieValue);
        sb.append(";expires=");
        sb.append(cookieExpire);
        sb.append(";path=");
        sb.append(cookiePath);
        sb.append(";HttpOnly");

        response.setHeader("SET-COOKIE", sb.toString());
    }