解决方案很简单。只需要在session cookie上添加HttpOnly标识就行了（最好是所有的cookie）。 下面是一个没有添加HttpOnly标识的session cookie： Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H; 添加HttpOnlyFlag标识之后： Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H; HttpOnly;
General developer forum. HttpOnly cookies. Hi All, I can share my own experience: the potential issue linked to enabling such restriction is to deny plug-ins like Flash and Java to access those...
SimpleCookie.java /* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership.
Sep 18, 2008 · However you can work aroud this weekness by implemeting a custome cookie which is HttpOnly and the same can be set and tracked by a Servlet Filter. First time when the session is established this (httpOnly) cookie also set and subsequent request will be rejected if it not submitted with this httpOnly cookie along with session cookie. A sample Filter is available here - http://rejeev.googlepages.com/HttpOnlyCookieFilter.java
Create a cookie string: String myCookie = "userId=igbrown"; Add the cookie to a request: Using the setRequestProperty(String name, String value); method, we will add a property named "Cookie", passing the cookie string created in the previous step as the property value. urlConn.setRequestProperty("Cookie", myCookie); Send the cookie to the server: