在 Servlet 3.0 投诉应用程序服务器中,我可以通过将以下内容添加到 web.xml 来设置 session cookie (JSESSIONID) 的 HttpOnly 和安全标志:
<session-config>
<cookie-config>
<secure>true</secure>
<http-only>true</http-only>
</cookie-config>
</session-config>
但是,我正在开发的应用程序将部署在 Websphere 7 中,这是 Servlet 2.5 的问题,如果我将上述内容添加到 web.xml 中,它将无法启动
Websphere 7 配置中是否有任何其他声明方式或设置来打开 session cookie 的 HttpOnly 和安全标志?
如果没有,以编程方式实现这一目标的最佳方法是什么?
最佳答案
我认为在 WebSphere 7 中您可能必须深入研究管理控制台。与以往一样,WebSphere 文档似乎很差,但似乎建议设置 com.ibm.ws.security.addHttpOnlyAttributeToCookies属性:
Both the Secure flag and the HTTPOnly flag are enabled by setting the WebSphere Application Server property:
com.ibm.ws.security.addHttpOnlyAttributeToCookies.
我找到了this ,我希望它适用于WAS7。您可以尝试一下吗(我的系统上目前只有 WAS 8):
JSESSIONID cookie:
Secure Flag:
The Secure flag can be set within the WebSphere Application Server administrative interface by selecting AppServer->[Server Name]->Web Container Settings->Session Management. Check the checkbox for “Restrict cookies to HTTPS Sessions”.
HTTPOnly Flag:
The HTTPOnly attribute cannot currently be set on this cookie. This is registered on the IBM site as APAR PK98436. The fix for this APAR is currently targeted for inclusion in Fix Packs 6.1.0.31 and 7.0.0.9, which are not yet available. With this APAR in place, the HTTPOnly flag can be set on the JSESSIONID cookie by way of the property name: com.ibm.ws.webcontainer.httpOnlyCookies. Refer to the following technote for instructions on enabling WebContainer custom properties.
com.ibm.ws.webcontainer.httpOnlyCookies属性记录在 WAS 7 帮助站点上。
关于servlets - session cookie Websphere 7 的安全和 HttpOnly 标志,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/9193112/