How do I set the HttpOnly flag on JSF/Richfaces

China☆狼群 submitted on 2019-12-24 04:12:00

Question


I'd like to add the HttpOnly flag to JSF/richfaces cookies, especially the session cookie, to up the level of security on my web app. Any ideas?


Answer 1:


There may be something that allows you to do this in your servlet engine. This is part of the Servlet 3.0 spec which is yet to be released.




Answer 2:


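import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletResponse;

// getCurrentInstance() already returns the FacesContext for the current request
FacesContext facesContext = FacesContext.getCurrentInstance();

HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();

response.addHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");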



Answer 3:


Something like:

response.setHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");

might work in a Java environment. I am not aware of a JSF-specific way to achieve this... sorry

This seems to be not an easy task in Java.




Answer 4:


I suspect that I'll need to use a filter to add a response wrapper, which'll add the flag to all cookies as they're added by the framework.



Source: https://stackoverflow.com/questions/72304/how-do-i-set-the-httponly-flag-on-jsf-richfaces
