I'd like to add the HttpOnly flag to JSF/richfaces cookies, especially the session cookie, to up the level of security on my web app. Any ideas?
sblundy
问问题
3150 次
4 回答
1
FacesContext facesContext = FacesContext.getCurrentInstance().getFacesContext();
HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();
response.addHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");
于 2008-09-16T18:20:50.513 回答
1
可能有一些东西允许您在 servlet 引擎中执行此操作。这是尚未发布的 Servlet 3.0 规范的一部分。
于 2008-09-16T14:13:12.263 回答
0
Something like:
response.setHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");
might work in a Java environment. I am not aware of a JSF-specific way to achieve this... sorry
This seems to be not an easy task in Java.
于 2008-09-16T13:46:09.537 回答
0
I suspect that I'll need to use a filter to add a response wrapper, which'll add the flag to all cookies as they're added by the framework.
于 2008-09-16T14:54:13.897 回答