2

I'd like to add the HttpOnly flag to JSF/richfaces cookies, especially the session cookie, to up the level of security on my web app. Any ideas?

4

4 回答 4

1
FacesContext facesContext = FacesContext.getCurrentInstance().getFacesContext();

HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();

response.addHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");
于 2008-09-16T18:20:50.513 回答
1

可能有一些东西允许您在 servlet 引擎中执行此操作。这是尚未发布的 Servlet 3.0 规范的一部分。

于 2008-09-16T14:13:12.263 回答
0

Something like:

response.setHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");

might work in a Java environment. I am not aware of a JSF-specific way to achieve this... sorry

This seems to be not an easy task in Java.

于 2008-09-16T13:46:09.537 回答
0

I suspect that I'll need to use a filter to add a response wrapper, which'll add the flag to all cookies as they're added by the framework.

于 2008-09-16T14:54:13.897 回答