The web application does not utilize HTTP only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of a successful Cross-Site scripting attack by not allowing cookies with the HTTP only attribute to be accessed via client-side scripts. Recommendations include adopting a development policy that includes the utilization of HTTP only cookies, and performing other actions such as ensuring proper filtration of user-supplied data, utilizing client-side validation of user supplied data, and encoding all user supplied data to prevent inserted scripts being sent to end users in a format that can be executed.
解决方案nginx
在http下添加 HttpOnly是重点!
add_header Set-cookie “Path=/; HttpOnly; Secure”;
例如:
http{
add_header Set-cookie "Path=/; HttpOnly; Secure";
}
shiro
在bean的name为sessionIdcookie和rememberMecookie下增加
cookie.setSecure(true);
例如:
@Bean(name = "sessionIdcookie")
public Simplecookie getSessionIdcookie() {
Simplecookie cookie = new Simplecookie("sid");
cookie.setHttpOnly(true);//加入这句
cookie.setSecure(true);
return cookie;
}
@Bean(name = "rememberMecookie")
public Simplecookie getRememberMecookie() {
Simplecookie cookie = new Simplecookie("rememberMe");
cookie.setHttpOnly(true);//加入这句
cookie.setSecure(true);
return simplecookie;
}
参考
https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.cookie_security_httponly_not_set_on_session_cookie
https://blog.miniasp.com/post/2009/11/26/Using-HttpOnly-flag-to-avoid-XSS-attack
