cookie 设置 httpOnly属性防止js读取cookie.

建立filter拦截器类

CookieHttpOnlyFilter

importjava.io.IOException;importjavax.servlet.Filter;importjavax.servlet.FilterChain;importjavax.servlet.FilterConfig;importjavax.servlet.ServletException;importjavax.servlet.ServletRequest;importjavax.servlet.ServletResponse;importjavax.servlet.http.Cookie;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;importjavax.servlet.http.HttpSession;/****<P>CookieにHTTPOnly属性を設定インターセプタークラス.</P>**@authorhnnc*@author$Author$*@version$Id$*/publicclassCookieHttpOnlyFilterimplementsFilter{/**{@inheritDoc}**/publicvoiddoFilter(ServletRequestrequest,ServletResponseresponse,FilterChainchain)throwsIOException,ServletException{if(!(requestinstanceofHttpServletRequest)){chain.doFilter(request,response);return;}HttpServletRequesthttpReq=(HttpServletRequest)request;HttpServletResponsehttpResp=(HttpServletResponse)response;Cookie[]cookies=httpReq.getCookies();if(cookies!=null){Cookiecookie=cookies[0];if(cookie!=null){HttpSessionsession=httpReq.getSession();if(session!=null){StringsessionId=session.getId();//httpの设置httpResp.addHeader("Set-Cookie","JSESSIONID="+sessionId+";Path=/admin;HttpOnly");//httpsの设置//httpResp.addHeader("Set-Cookie","JSESSIONID="+sessionId//+";Path=/admin;Secure;HttpOnly");}}}chain.doFilter(httpReq,httpResp);}/**{@inheritDoc}**/publicvoiddestroy(){}/**{@inheritDoc}**/publicvoidinit(FilterConfigfilterConfig)throwsServletException{}}


web.xml中配置拦截器

<filter><filter-name>CookieHttpOnly</filter-name><filter-class>jp.co.univ.www.admin.filter.CookieHttpOnlyFilter</filter-class></filter><filter-mapping><filter-name>CookieHttpOnly</filter-name><url-pattern>/*</url-pattern></filter-mapping>


参考:

http://conkeyn.iteye.com/blog/2025484


http://blog.csdn.net/a19881029/article/details/27536917