A: The HTTP session that a Java web application maintains in Tomcat is cookie-based: the user's state is stored on the server, and the client is only given a session ID cookie (JSESSIONID);
B: The server can customize the cookie objects and attributes that it passes to the client;
If a cookie set by the server does not carry the HttpOnly attribute, client-side script can read the cookie contents with JS (a malicious script can therefore read the session cookie and use it in an XSS/CSRF-style malicious HTTP attack);
Method:
For HttpSession security, to prevent client scripts from reading the session cookie in such XSS/CSRF attacks, set the following in Tomcat 6's conf/context.xml configuration file:
<Context useHttpOnly="true">
To add the HttpOnly attribute to custom cookies and attributes, append "HttpOnly" to the Set-Cookie header when the header is set.
Verify:
1. Capture packets and check the HTTP responses: every response to a client request now contains "Set-Cookie: JSESSIONID=717C91AF20E245B100EEFBF5EDDB29C3; Path=/monitor; HttpOnly":
GET /monitor/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Host: 192.168.245.1
Connection: keep-alive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=717C91AF20E245B100EEFBF5EDDB29C3; Path=/monitor; HttpOnly
Set-Cookie: ; HttpOnly
Content-Type: text/html;charset=utf-8
Content-Length: 2518
Date: Wed, 08:14:42 GMT
2. Debug a JS script on the browser side: reading the cookie set by the server with document.cookie now returns an empty string:
document.cookie
""
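As an added example (not from the original note and not Tomcat's own code), the following Python checker automates verification step 1: it parses every Set-Cookie header in a raw HTTP response and reports which cookies are missing the HttpOnly (and Secure) attribute, so a captured response can be audited without reading it by eye. The sample response is constructed, modelled on the captured Tomcat response above, with one extra custom cookie that lacks HttpOnly.

```python
# Constructed sample response, modelled on the captured Tomcat response above.
# The "theme" cookie is added here to show a custom cookie that was set
# without HttpOnly (the useHttpOnly setting only covers JSESSIONID).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=717C91AF20E245B100EEFBF5EDDB29C3; Path=/monitor; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/monitor\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased because RFC 6265 treats them
    case-insensitively ("HttpOnly", "httponly" and "HTTPONLY" are equal).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie_headers(raw_response):
    """Return one finding per Set-Cookie header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        hname, _, hvalue = line.partition(":")
        if hname.strip().lower() != "set-cookie":  # header names are case-insensitive
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        findings.append({
            "cookie": name,
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
        })
    return findings


def cookies_missing_httponly(raw_response):
    """Names of cookies that client-side script would still be able to read."""
    return [f["cookie"] for f in audit_set_cookie_headers(raw_response) if not f["httponly"]]
```

Run it over the response body saved from the packet capture; an empty list from cookies_missing_httponly means every cookie the server set is hidden from document.cookie.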
Tomcat sets the HttpOnly property for a cookie