Java development | setting the secure attribute of security Cookie

Posted by zulubanshee on Wed, 19 Jan 2022 01:54:44 +0100


What is it and why do I care?

Session cookies (or cookies containing JSESSIONID) are the cookies used to manage web application sessions. They hold the session ID that identifies a specific user, and the server keeps the same session ID together with its related data for the lifetime of the session. The most common session management method in web applications is to identify the session by the cookie the browser sends to the server with each request.

You can set an additional Secure flag to tell the browser that the cookie may only be transmitted over HTTPS (encrypted), never over HTTP (unencrypted). This keeps your session cookie out of reach of an attacker on the network and helps avoid man-in-the-middle attacks (MITM for short). It is not a complete session security scheme by itself, but it is an important step.

What should I do about it?

The answer is simple: you must add the Secure flag to the session cookie (if possible, it is best to ensure that all cookies used by the application are transmitted only over HTTPS).

The following is an example. A session cookie issued without the Secure flag may be compromised (the flag lives in the Set-Cookie response header, not in the Cookie request header):

Set-Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H;

With the Secure flag added:

Set-Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H; secure;

The approach is simple, and you can even set this flag manually. If you are developing in a Servlet 3.0 or newer environment, a simple configuration in web.xml is all you need. Add the following fragment to web.xml:

 

<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>
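For a Servlet 3.0 container the same setting can also be applied in code, through the SessionCookieConfig API that the specification added alongside <cookie-config>. The listener below is an added example, not code from the original post; the package and class name are made up, and it sets both the Secure flag discussed here and the HttpOnly flag covered further down the page.

```java
// Added example (not from the original post): programmatic equivalent of
// <cookie-config> using the Servlet 3.0 SessionCookieConfig API.
// Package and class name are made up for this example.
package example.security;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        // Equivalent of <secure>true</secure>: the browser only returns the
        // session cookie over HTTPS, so it never crosses the network in cleartext.
        cfg.setSecure(true);

        // Equivalent of <http-only>true</http-only>: client-side script cannot
        // read the cookie through document.cookie, which limits what an XSS
        // payload can steal.
        cfg.setHttpOnly(true);

        // SessionCookieConfig may only be changed while the context is being
        // initialised; calling these setters later throws IllegalStateException.
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

Register the listener with @WebListener as shown, or with a <listener> entry in web.xml; the settings must be made before the context finishes initialising, which is why a ServletContextListener is used. Note that Secure is enforced by the browser, not by Tomcat: once the flag is set, the browser returns the session cookie only over HTTPS, so the application must actually be served over TLS for sessions to keep working.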

 

___________________________________________________________________________________________________

 

Java development | setting the HttpOnly attribute of security cookies

https://coder-programming.blog.csdn.net/article/details/79074644?spm=1001.2101.3001.6650.6&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromBaidu%7Edefault-6.queryctrv2&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromBaidu%7Edefault-6.queryctrv2&utm_relevant_index=13

Description of HttpOnly property of Cookie

The two cookie attributes Secure and HttpOnly mean, respectively, that the cookie may only be sent over HTTPS and that the cookie cannot be accessed by client-side script. The HttpOnly attribute can prevent XSS attacks to a certain extent (XSS attacks are in the same family as SQL injection; more information can be found on Baidu). If a web application's JSESSIONID cookie does not set the HttpOnly attribute, an attacker may be able to steal or manipulate the client session and cookies and use them to impersonate a legitimate user, so that the attacker can view or change the user's records and execute transactions as that user.
The HttpOnly attribute of the cookie needs browser support; at present IE6 / FF3.0 and above support it. In addition, Java EE 6.0 supports setting HttpOnly, and the Servlet 3.0 API specification has also added it.
 

Adding the attribute with a filter (interceptor)

We can configure a filter (interceptor) to intercept all requests and then add the HttpOnly attribute to the cookie:
  import java.io.IOException;
  import java.text.SimpleDateFormat;
  import java.util.Calendar;
  import java.util.Date;
  import java.util.Locale;
  import java.util.TimeZone;

  import javax.servlet.Filter;
  import javax.servlet.FilterChain;
  import javax.servlet.FilterConfig;
  import javax.servlet.ServletException;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.http.Cookie;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;

  public class CookieFilter implements Filter {
      public void doFilter(ServletRequest request, ServletResponse response,
              FilterChain chain) throws IOException, ServletException {
          HttpServletRequest req = (HttpServletRequest) request;
          HttpServletResponse resp = (HttpServletResponse) response;

          Cookie[] cookies = req.getCookies();

          if (cookies != null) {
              for (Cookie cookie : cookies) {
                  // Only the container's session cookie is re-sent with the extra flags
                  if (!"JSESSIONID".equals(cookie.getName())) {
                      continue;
                  }
                  /*cookie.setMaxAge(3600);
                  cookie.setSecure(true);
                  resp.addCookie(cookie);*/

                  // Servlet 2.5 does not support setting the HttpOnly property
                  // directly on cookies, so the Set-Cookie header is built by hand
                  String value = cookie.getValue();
                  StringBuilder builder = new StringBuilder();
                  builder.append("JSESSIONID=" + value + "; ");
                  builder.append("Secure; ");
                  builder.append("HttpOnly; ");
                  Calendar cal = Calendar.getInstance();
                  cal.add(Calendar.HOUR, 1);
                  Date date = cal.getTime();
                  // Expires must use the HTTP date format (RFC 1123) in GMT,
                  // otherwise browsers ignore or misread the expiry
                  SimpleDateFormat sdf =
                          new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US);
                  sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
                  builder.append("Expires=" + sdf.format(date));
                  // setHeader replaces any Set-Cookie header already on the response
                  resp.setHeader("Set-Cookie", builder.toString());
              }
          }
          chain.doFilter(req, resp);
      }

      public void destroy() {
      }

      public void init(FilterConfig arg0) throws ServletException {
      }
  }
This CookieFilter adds the HttpOnly attribute to the session cookie.
Note: this needs Servlet 3.0 support, which is a problem on some containers (Tomcat 7 provides it). To check the Servlet version:
Find servlet-api.jar in the Tomcat/lib folder, unzip it and open servlet-api\META-INF\MANIFEST.MF (Editplus, Notepad++ or any other text editor will do):
  Manifest-Version: 1.0
  Ant-Version: Apache Ant 1.9.3
  Created-By: 1.6.0_45-b06 (Sun Microsystems Inc.)
  X-Compile-Source-JDK: 1.6
  X-Compile-Target-JDK: 1.6

  Name: javax/servlet/
  Specification-Title: Java API for Servlets
  Specification-Version: 3.0
  Specification-Vendor: Sun Microsystems, Inc.
  Implementation-Title: javax.servlet
  Implementation-Version: 3.0.FR
  Implementation-Vendor: Apache Software Foundation
The Specification-Version line gives the Servlet version. References: View servlet/jsp version
This filter adds the HttpOnly attribute to the cookie through the response. In some cases it is unreasonable and may have a side effect on the project. My project had no problem in Google Chrome after doing so, but problems appeared on Firefox and IE. Our project uses the Tiles framework for page layout. After logging in through LoginAction and returning the Struts result configuration, we jump to the Tiles layout and then send a request to load data. The problem occurs here: the request sent at this point is different from the request sent before, resulting in an error. After disabling the CookieFilter there is no problem, so I guess the session is changed by the influence of the HttpOnly attribute.
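On a Servlet 2.5 container, where Cookie has no setHttpOnly() method, the filter above rebuilds a Set-Cookie header from the request cookie and overwrites whatever the application wrote with setHeader. An alternative, added here as an example and not taken from the post, is to wrap the response and append the flags to each Set-Cookie header as it is written, so that cookies set by the application keep their own attributes and several cookies in one response all survive. Class names are made up. One limitation applies: a container-generated session cookie such as Tomcat's JSESSIONID is written to the container's own response object and does not pass through a filter's wrapper, so for the session cookie itself the Tomcat configuration in the next section is still needed.

```java
// Added example (not from the original post): Servlet 2.5-compatible filter that
// appends Secure and HttpOnly to Set-Cookie headers written by the application.
// Class names are made up for this example.
package example.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class CookieFlagsFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Everything downstream writes through the wrapper
            response = new HardenedCookieResponse((HttpServletResponse) response);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    /** Rewrites Set-Cookie headers as they are written; other headers pass through. */
    static class HardenedCookieResponse extends HttpServletResponseWrapper {

        HardenedCookieResponse(HttpServletResponse response) {
            super(response);
        }

        /** Servlet 2.5 Cookie cannot carry HttpOnly, so render the header ourselves. */
        @Override
        public void addCookie(Cookie cookie) {
            StringBuilder sb = new StringBuilder();
            sb.append(cookie.getName()).append('=').append(cookie.getValue());
            if (cookie.getPath() != null) {
                sb.append("; Path=").append(cookie.getPath());
            }
            if (cookie.getDomain() != null) {
                sb.append("; Domain=").append(cookie.getDomain());
            }
            if (cookie.getMaxAge() >= 0) {
                sb.append("; Max-Age=").append(cookie.getMaxAge());
            }
            // addHeader, not setHeader, so earlier cookies in the response are kept
            super.addHeader("Set-Cookie", harden(sb.toString()));
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value) : value);
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value) : value);
        }

        /** Appends Secure and HttpOnly unless the header already carries them. */
        static String harden(String setCookie) {
            String base = setCookie.trim();
            while (base.endsWith(";")) {
                base = base.substring(0, base.length() - 1).trim();
            }
            // Attribute names are case-insensitive and may be written without spaces
            String attrs = base.replace(" ", "").toLowerCase();
            StringBuilder sb = new StringBuilder(base);
            if (!attrs.contains(";secure")) {
                sb.append("; Secure");
            }
            if (!attrs.contains(";httponly")) {
                sb.append("; HttpOnly");
            }
            return sb.toString();
        }
    }
}
```

Map the filter to /* in web.xml and place it before any filter that writes cookies, so that every Set-Cookie header the application emits is hardened on its way out.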
 

Configuring the HttpOnly property of JSESSIONID in Tomcat

In some web projects there are basically no manually managed cookies, only Tomcat's session JSESSIONID. In this case we can make HttpOnly the default attribute of JSESSIONID through Tomcat configuration.
Tomcat 5.5 official documentation:
useHttpOnly Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to false.

Tomcat 6 official documentation:

useHttpOnly Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to false.

Tomcat 7 official documentation:

useHttpOnly Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.

From the documentation, useHttpOnly defaults to false in Tomcat 5.5 and 6, and to true in Tomcat 7.

Modify Tomcat/conf/context.xml:
  <Context useHttpOnly="true"></Context>
Modify Tomcat/conf/web.xml:
  <session-config>
      <session-timeout>30</session-timeout>
      <cookie-config>
          <http-only>true</http-only>
      </cookie-config>
  </session-config>
Most of the information on the Internet stops at the configuration above, but in actual testing it did not take effect.
In fact, you also need to configure the secure attribute.
Modify Tomcat/conf/server.xml:
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" secure="true" />
Mark the port 8080 connector as secure, start Tomcat and access the project: the HttpOnly and Secure attributes are now present on the session cookie.