在做安全扫描的时候,会把Cookie中没有HttpOnly属性作为漏洞,需要处理,但是在低版本的Servlet API中并没有相关的设置方法,高版本可以直接使用Cookie对象的setHttpOnly(boolean httpOnly)方法进行设置,那么要解决这个问题,我们只能升级了吗?并不是,升级的代价可能会很大,所以本篇文章结合了新版本的API,可以直接为HttpServletResponse设置Set-Cookie响应头,我们自己来处理Cookie的拼接,代码如下:
import java.util.BitSet; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletResponse; /** * Cookie工具 * * @author jianggujin * */ public class JCookieUtils { private static final BitSet domainValid = new BitSet(128); static { for (char c = '0'; c <= '9'; c++) { domainValid.set(c); } for (char c = 'a'; c <= 'z'; c++) { domainValid.set(c); } for (char c = 'A'; c <= 'Z'; c++) { domainValid.set(c); } domainValid.set('.'); domainValid.set('-'); } public static void doSetCookie(HttpServletResponse response, String name, String value, int maxAgeInSeconds, String path, String domain, Boolean isHttpOnly) { Cookie cookie = new Cookie(name, value); cookie.setMaxAge(maxAgeInSeconds); // set the default path value to "/" if (path == null) { path = "/"; } cookie.setPath(path); if (domain != null) { cookie.setDomain(domain); } doSetCookie(response, cookie, isHttpOnly); } public static void doSetCookie(HttpServletResponse response, Cookie cookie, Boolean isHttpOnly) { StringBuilder header = new StringBuilder(); // TODO: Name validation takes place in Cookie and can not be configured // per Context. Moving it to here would allow per Context config // but delay validation until the header is generated. However, // the spec requires an IllegalArgumentException on Cookie // generation. header.append(cookie.getName()); header.append('='); String value = cookie.getValue(); if (value != null && value.length() > 0) { validateCookieValue(value); header.append(value); } // RFC 6265 prefers Max-Age to Expires so use Max-Age int maxAge = cookie.getMaxAge(); if (maxAge > -1) { // Negative Max-Age is equivalent to no Max-Age header.append(";Max-Age="); header.append(maxAge); } String domain = cookie.getDomain(); if (domain != null && domain.length() > 0) { validateDomain(domain); header.append(";domain="); header.append(domain); } String path = cookie.getPath(); if (path != null && path.length() > 0) { validatePath(path); header.append(";path="); header.append(path); } if (cookie.getSecure()) { header.append(";Secure"); } if (isHttpOnly != null && isHttpOnly) { header.append(";HttpOnly"); } response.addHeader("Set-Cookie", header.toString()); } private static void validateCookieValue(String value) { int start = 0; int end = value.length(); if (end > 1 && value.charAt(0) == '"' && value.charAt(end - 1) == '"') { start = 1; end--; } char[] chars = value.toCharArray(); for (int i = start; i < end; i++) { char c = chars[i]; if (c < 0x21 || c == 0x22 || c == 0x2c || c == 0x3b || c == 0x5c || c == 0x7f) { throw new IllegalArgumentException("无效的value值:" + Integer.toString(c)); } } } private static void validateDomain(String domain) { int i = 0; int prev = -1; int cur = -1; char[] chars = domain.toCharArray(); while (i < chars.length) { prev = cur; cur = chars[i]; if (!domainValid.get(cur)) { throw new IllegalArgumentException("无效的domain值:" + domain); } // labels must start with a letter or number if ((prev == '.' || prev == -1) && (cur == '.' || cur == '-')) { throw new IllegalArgumentException("无效的domain值:" + domain); } // labels must end with a letter or number if (prev == '-' && cur == '.') { throw new IllegalArgumentException("无效的domain值:" + domain); } i++; } // domain must end with a label if (cur == '.' || cur == '-') { throw new IllegalArgumentException("无效的domain值:" + domain); } } private static void validatePath(String path) { char[] chars = path.toCharArray(); for (int i = 0; i < chars.length; i++) { char ch = chars[i]; if (ch < 0x20 || ch > 0x7E || ch == ';') { throw new IllegalArgumentException("无效的path值:" + path); } } } }