I need to restrict access to a cookie containing a session token so that JavaScript can't access it. The advice that was given was to set the Secure and HttpOnly flags on the cookie.
I was having trouble with cookies not being set when using @ResponseBody, so I'm setting the cookies inside a HandlerInterceptor.
import java.util.Date;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
public class COOKIEFilter implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
        Cookie cookie = new Cookie("timestamp", Long.toString(new Date().getTime()));
        cookie.setSecure(true);
        // how do I set the http-only flag?
        httpServletResponse.addCookie(cookie);
        return true;
    }
    // the other two HandlerInterceptor methods are not needed here, so they are left empty
    public void postHandle(HttpServletRequest req, HttpServletResponse res, Object h, ModelAndView mav) throws Exception {}
    public void afterCompletion(HttpServletRequest req, HttpServletResponse res, Object h, Exception ex) throws Exception {}
}
As shown in the Chrome console, Secure is set, but not HTTP.
I've tried adding parameters to web.xml under the Servlet 3.0 specification that allow Secure and HttpOnly to be set on session cookies, but since I need to handle the session myself (the Spring MVC application needs to remain stateless), that won't work for me.
Update:
I'm using Tomcat 7, currently with Servlet 2.5 and Spring 3.2.8.
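One way to get the HttpOnly flag out of a Servlet 2.5 interceptor, where the Cookie class has no setHttpOnly method, is to write the Set-Cookie header yourself. This is an added example, not the asker's code; the class name and the header-building helper are my own, and it assumes Spring's HandlerInterceptorAdapter and the Servlet 2.5 API are on the classpath.

```java
import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Hypothetical interceptor; extends the adapter so only preHandle needs overriding.
public class HttpOnlyCookieInterceptor extends HandlerInterceptorAdapter {

    // Builds the raw Set-Cookie header value with both flags appended.
    static String setCookieHeader(String name, String value, int maxAgeSeconds) {
        // The value is spliced into a header we assemble by hand, so reject
        // characters that could end the cookie or start another header line.
        for (char c : value.toCharArray()) {
            if (c == ';' || c == ',' || c == '\r' || c == '\n' || c == ' ' || c == '"') {
                throw new IllegalArgumentException("illegal character in cookie value");
            }
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        sb.append("; Path=/");
        if (maxAgeSeconds >= 0) {
            sb.append("; Max-Age=").append(maxAgeSeconds);
        }
        // Secure: only sent over TLS. HttpOnly: not readable via document.cookie.
        sb.append("; Secure; HttpOnly");
        return sb.toString();
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        String value = Long.toString(new Date().getTime());
        // maxAge -1 means no Max-Age attribute, i.e. a session cookie as in the question.
        response.addHeader("Set-Cookie", setCookieHeader("timestamp", value, -1));
        return true;
    }
}
```

If the project is compiled against the Servlet 3.0 API instead, Cookie.setHttpOnly(true) exists and the hand-built header is unnecessary; the flag should still be verified in the browser's cookie view after the change, as the question does for Secure.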