Cookie utility class: working around the inability to set the HttpOnly attribute before Servlet 3.0

Source: Internet | Published: group-buying system source code | Editor: 程序博客网 | Time: 2024/05/29 03:34

I was recently fixing an XSS injection problem. The Servlet version in use is 2.5, which has no API for the HttpOnly attribute, so I wrote a utility class that writes the Set-Cookie header itself to give cookies HttpOnly. The full class follows:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Cookie utility class: works around the inability to set the HttpOnly
 * attribute before Servlet 3.0 by writing the Set-Cookie header directly.
 *
 * @author zhang-long
 * @createTime 2013-6-20
 */
public class CookieUtil {

    /**
     * @param response the HttpServletResponse to write the header to
     * @param cookie   the cookie object that should be sent with HttpOnly
     */
    public static void addHttpOnlyCookie(HttpServletResponse response, Cookie cookie) {
        // Do nothing if either object is null
        if (checkObjIsNull(response) || checkObjIsNull(cookie)) {
            return;
        }

        // Read the cookie's name, value, max age, path, domain and secure flag in turn
        String cookieName = cookie.getName();
        String cookieValue = cookie.getValue();
        int maxAge = cookie.getMaxAge();
        String path = cookie.getPath();
        String domain = cookie.getDomain();
        boolean isSecure = cookie.getSecure();

        StringBuilder strBufferCookie = new StringBuilder();
        strBufferCookie.append(cookieName).append('=').append(cookieValue);

        // A negative max age means a session cookie, so Max-Age is only emitted for values >= 0
        if (maxAge >= 0) {
            strBufferCookie.append("; Max-Age=").append(maxAge);
        }

        if (!checkObjIsNull(domain)) {
            strBufferCookie.append("; Domain=").append(domain);
        }

        if (!checkObjIsNull(path)) {
            strBufferCookie.append("; Path=").append(path);
        }

        // Secure must only be set when the site is served over HTTPS,
        // otherwise the browser will never send the cookie back
        if (isSecure) {
            strBufferCookie.append("; Secure");
        }
        strBufferCookie.append("; HttpOnly");

        response.addHeader("Set-Cookie", strBufferCookie.toString());
    }

    private static boolean checkObjIsNull(Object obj) {
        return obj == null;
    }
}


Usage example:

// Session cookie with a 500-second lifetime, no Secure flag
Cookie cookie1 = new Cookie("n", "cookieValue1");
cookie1.setMaxAge(500);
// Plain session cookie
Cookie cookie2 = new Cookie("cookieName2", "cookieValue2");
// Cookies 3 and 4 are marked Secure (HTTPS only)
Cookie cookie3 = new Cookie("cookieName3", "cookieValue3");
cookie3.setSecure(true);
Cookie cookie4 = new Cookie("cookieName4", "cookieValue4");
cookie4.setSecure(true);

CookieUtil.addHttpOnlyCookie(response, cookie1);
CookieUtil.addHttpOnlyCookie(response, cookie2);
CookieUtil.addHttpOnlyCookie(response, cookie3);
CookieUtil.addHttpOnlyCookie(response, cookie4);

The parts shown in red in the original example (the setSecure(true) calls) may only be added when the application is served over HTTPS; otherwise the browser will never send the cookie back and it can never be read again!
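The utility above concatenates the cookie name and value straight into a header, so anything containing ";" or a control character would turn into extra cookie attributes. As an added example (not the post's code, and independent of the Servlet API so it compiles on its own), here is a header builder that validates the name, value, domain and path against the RFC 6265 character sets before assembling the same Set-Cookie line, plus a small check a reviewer can run over outgoing headers to confirm HttpOnly is present. The class name HttpOnlyCookieHeader and the sample values are assumptions for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example: builds a Set-Cookie header value carrying HttpOnly for
 * containers older than Servlet 3.0, rejecting inputs that could smuggle
 * additional attributes into the header. Not part of the original post.
 */
public final class HttpOnlyCookieHeader {

    // RFC 6265: cookie-name is an HTTP token.
    private static final Pattern NAME =
            Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    // RFC 6265 cookie-octet: no CTLs, whitespace, DQUOTE, comma, semicolon or backslash.
    private static final Pattern VALUE =
            Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");
    // Domain and Path attribute values must not contain CTLs or ';'.
    private static final Pattern ATTR = Pattern.compile("[^\\x00-\\x1F\\x7F;]+");

    private HttpOnlyCookieHeader() {}

    /**
     * @param maxAge lifetime in seconds; negative means a session cookie (no Max-Age), 0 deletes
     * @return the full Set-Cookie header value, always ending in "; HttpOnly"
     */
    public static String build(String name, String value, int maxAge,
                               String domain, String path, boolean secure) {
        if (name == null || !NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        if (value == null || !VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid cookie value");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (maxAge >= 0) {
            sb.append("; Max-Age=").append(maxAge);
        }
        if (domain != null) {
            require(ATTR, domain, "domain");
            sb.append("; Domain=").append(domain);
        }
        if (path != null) {
            require(ATTR, path, "path");
            sb.append("; Path=").append(path);
        }
        if (secure) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }

    /** Review check: does this Set-Cookie header value carry the HttpOnly flag? */
    public static boolean hasHttpOnly(String header) {
        for (String part : header.split(";")) {
            if (part.trim().equalsIgnoreCase("HttpOnly")) {
                return true;
            }
        }
        return false;
    }

    private static void require(Pattern p, String s, String what) {
        if (!p.matcher(s).matches()) {
            throw new IllegalArgumentException("invalid " + what);
        }
    }

    public static void main(String[] args) {
        // The same cookies as the post's usage example.
        System.out.println(build("n", "cookieValue1", 500, null, null, false));
        // -> n=cookieValue1; Max-Age=500; HttpOnly
        System.out.println(build("cookieName3", "cookieValue3", -1, null, "/", true));
        // -> cookieName3=cookieValue3; Path=/; Secure; HttpOnly

        // In a servlet this is simply: response.addHeader("Set-Cookie", build(...));

        // A header that forgot the flag fails the review check.
        System.out.println(hasHttpOnly("JSESSIONID=abc123; Path=/"));  // false

        // Constructed hostile value: a value that tries to append its own Domain attribute
        // is rejected instead of being written into the header.
        try {
            build("sid", "x; Domain=example.invalid", -1, null, null, false);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The validation matters because the Servlet Cookie constructor checks only the name, not the value, and the header-building workaround bypasses whatever escaping the container would otherwise apply. On Servlet 3.0 and later none of this is needed: Cookie.setHttpOnly(true) followed by response.addCookie(cookie) sets the flag through the standard API.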

Once they have been added, the cookies can be inspected as follows:


