The HttpOnly attribute is a baseline protection for cookies.
In browsers that support HttpOnly cookies (IE 6+, Firefox 3.0+), a cookie carrying the HttpOnly attribute cannot be read by JavaScript, which prevents XSS attacks from stealing its contents and makes web applications more secure.
However, the Cookie class in J2EE 4 and Java EE 5 offers no way to set the HttpOnly attribute, so if you need it you have to build the Set-Cookie header yourself.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Cookie tool class
 */
public class CookieUtil {

    /**
     * Set a cookie, optionally with the HttpOnly attribute, by writing the
     * Set-Cookie header by hand (needed on Servlet 2.4/2.5, which cannot set it).
     * @param response   HTTP response
     * @param cookie     cookie object
     * @param isHttpOnly whether the cookie should be HttpOnly
     */
    public static void addCookie(HttpServletResponse response, Cookie cookie, boolean isHttpOnly) {
        String name = cookie.getName();        // cookie name
        String value = cookie.getValue();      // cookie value
        int maxAge = cookie.getMaxAge();       // lifetime in seconds: 0 deletes, -1 means "session cookie"
        String path = cookie.getPath();        // path
        String domain = cookie.getDomain();    // domain
        boolean isSecure = cookie.getSecure(); // send only over HTTPS

        StringBuilder buffer = new StringBuilder();
        buffer.append(name).append("=").append(value).append(";");
        if (maxAge == 0) {
            // a date in the past tells the browser to discard the cookie
            buffer.append("Expires=Thu, 01 Jan 1970 00:00:00 GMT;");
        } else if (maxAge > 0) {
            buffer.append("Max-Age=").append(maxAge).append(";");
        }
        // maxAge < 0: no Expires/Max-Age, so the cookie lives until the browser session ends
        if (domain != null) {
            buffer.append("Domain=").append(domain).append(";");
        }
        if (path != null) {
            buffer.append("Path=").append(path).append(";");
        }
        if (isSecure) {
            buffer.append("Secure;");
        }
        if (isHttpOnly) {
            buffer.append("HttpOnly;");
        }
        response.addHeader("Set-Cookie", buffer.toString());
    }
}
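Once cookies are written by hand as above, it is easy for one code path to forget the flag. The following servlet filter is an added example (not part of the original post) that wraps the response and logs every Set-Cookie header leaving the application without HttpOnly, so a missing flag is caught in the server log rather than in a security review. It relies only on the Servlet 2.4/2.5 API; the class and logger names are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Audits outgoing Set-Cookie headers and warns when HttpOnly is missing.
 * Added example; not from the original post.
 */
public class HttpOnlyAuditFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(HttpOnlyAuditFilter.class.getName());

    /** Returns true when a raw Set-Cookie header value carries the HttpOnly attribute. */
    static boolean hasHttpOnly(String setCookieValue) {
        for (String part : setCookieValue.split(";")) {
            if (part.trim().equalsIgnoreCase("HttpOnly")) {
                return true;
            }
        }
        return false;
    }

    private static void audit(String headerName, String headerValue) {
        if ("Set-Cookie".equalsIgnoreCase(headerName) && !hasHttpOnly(headerValue)) {
            LOG.warning("Set-Cookie without HttpOnly: " + headerValue);
        }
    }

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        chain.doFilter(req, new HttpServletResponseWrapper(resp) {
            @Override
            public void addHeader(String name, String value) {
                audit(name, value);
                super.addHeader(name, value);
            }

            @Override
            public void setHeader(String name, String value) {
                audit(name, value);
                super.setHeader(name, value);
            }

            @Override
            public void addCookie(Cookie cookie) {
                // On Servlet 2.4/2.5 a Cookie object can never carry HttpOnly;
                // on Servlet 3.0+ replace this with a check of cookie.isHttpOnly().
                LOG.warning("addCookie() used for '" + cookie.getName()
                        + "'; the Servlet 2.x Cookie API cannot set HttpOnly");
                super.addCookie(cookie);
            }
        });
    }
}
```

Register the filter in web.xml with a `<filter>` element and a `<filter-mapping>` on `/*` so it sees every response. The filter only observes and logs; it deliberately does not rewrite headers, because silently adding HttpOnly would hide the code path that needs fixing. Note that the container's own session cookie (JSESSIONID) is emitted outside this wrapper and must be configured at the container level.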
Note that Java EE 6 (Servlet 3.0) added HttpOnly support to the Cookie class, so on a Java EE 6 compatible container (for example Tomcat 7) you can set HttpOnly directly with the Cookie.setHttpOnly method:
cookie.setHttpOnly(true);
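Cookie.setHttpOnly covers cookies your own code creates, but the session cookie is created by the container. As an added example (not from the original post), this Servlet 3.0 listener uses the SessionCookieConfig API to give the session cookie both HttpOnly and Secure before the first session is created; the class name is an assumption.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Hardens the container-managed session cookie (JSESSIONID) at startup.
 * Servlet 3.0 / Java EE 6 API. Added example; not from the original post.
 */
@WebListener
public class SessionCookieHardener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // The session cookie configuration must be changed before any
        // session exists, which is why it is done in this startup listener.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // JavaScript cannot read the session id
        cfg.setSecure(true);   // session id is sent only over HTTPS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The declarative equivalent is a `<session-config><cookie-config>` element in web.xml with `<http-only>true</http-only>` and `<secure>true</secure>`. On Tomcat 7 the session cookie is HttpOnly by default (the Context attribute useHttpOnly), but setting it explicitly keeps the application portable across containers.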
Setting HttpOnly cookies in Java