[Solved] Setting cookie SameSite=None does not work on Chrome / JSP, JavaScript

DJQTDJ

I am working on a JSP (Tomcat 6) application. (The domains are different.)

I am trying to set the same-site attribute to None, because with the new version of Chrome the cookie disappears after 2 minutes. (This fix was released on 2020-02-04, see: https://www.chromium.org/updates/same-site)

I tried to solve the problem in the following ways, but it still does not work:

  • response.setHeader("Set-Cookie", "user=test;HttpOnly;Secure;SameSite=None");
  • response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=None");
  • document.cookie = "witcher=Geralt; HttpOnly; SameSite=None; Secure";
  • <iframe src="https://service3.smartcapsule.jp/disp/ONECLICKCOMM.do"></iframe>
  • By using Pop-up windows

The code is here

            document.form1.division2.value   = 1;
            document.form1.division3.value   = 1;
            document.form1.division4.value   = 1;
            // quoted: an unquoted 0222 is an octal literal (146) in JavaScript
            document.form1.pan.value         = "4322423434232342";
            document.form1.expiryDate.value  = "0222";
            document.form1.jspName.value     = 'index.jsp';
            document.form1.method            = "post";
            // no name=value pair and HttpOnly cannot be set from script, so nothing is stored
            document.cookie = "HttpOnly; SameSite=None; Secure";
            document.form1.action            = "http://service3.smartcapsule.jp/disp/ONECLICKCOMM.do";

The headers are here

<html><body>
host=localhost:8080<br>
connection=keep-alive<br>
content-length=90<br>
cache-control=max-age=0<br>
origin=http://localhost:8080<br>
upgrade-insecure-requests=1<br>
dnt=1<br>
content-type=application/x-www-form-urlencoded<br>
user-agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4252.0 Safari/537.36<br>
accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br>
sec-fetch-site=same-origin<br>
sec-fetch-mode=navigate<br>
sec-fetch-user=?1<br>
sec-fetch-dest=document<br>
accept-encoding=gzip, deflate, br<br>
accept-language=en,q=0.9,q=0.8,ko;q=0.7,ja;q=0.6,q=0.5<br>
cookie=SameSite=None; Secure; aspGroupId=00000000; _ga=GA1.1.371271115.1600306707; _gid=GA1.1.1473986481.1600822923; JSESSIONID=15BA5A77A80B2C93969A44FE9371B135; _gat_UA-71516129-3=1; _token=8b234c913616b70c05100bb7fc141a33; _gat=1; arp_scroll_position=2986.363525390625<br>
</body></html>

-------------------------------------------------------------------------------------------
<html><body>
host=localhost:8080<br>
connection=keep-alive<br>
content-length=384<br>
cache-control=max-age=0<br>
origin=null<br>
upgrade-insecure-requests=1<br>
dnt=1<br>
content-type=application/x-www-form-urlencoded<br>
user-agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4252.0 Safari/537.36<br>
accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br>
sec-fetch-site=cross-site<br>
sec-fetch-mode=navigate<br>
sec-fetch-dest=document<br>
accept-encoding=gzip, deflate, br<br>
accept-language=en,q=0.9,q=0.8,ko;q=0.7,ja;q=0.6,q=0.5<br>
</body></html>

How should I solve this if I do not change the browser setting?

disable 「SameSite by default cookies」 in chrome://flags

「20200924」 I tried the following methods, but the cookie is still lost

// js-cookie
Cookies.set('name', 'value', {
    sameSite: 'none',
    secure: true
})

// servlet side
response.setHeader("Set-Cookie", "user=mcmd;HttpOnly;Secure;SameSite=None");

// script side (HttpOnly dropped: it cannot be set from document.cookie)
document.cookie = "witcher=Geralt; SameSite=None; Secure";

// servlet that echoes the request headers in the same form as the dumps above
public void doGet( HttpServletRequest request, HttpServletResponse response ) throws ServletException,IOException {
   response.setContentType("text/html;charset=Windows-31J");
   PrintWriter out = response.getWriter();
   out.println("<html><body>");
   Enumeration e = request.getHeaderNames();
   while( e.hasMoreElements() ) {
       String name = ( String )e.nextElement();
       out.println( name + "=" + request.getHeader( name ) + "<br>");
   }
   out.println("</body></html>");
}

// JSP / servlet variants
document.cookie = "<%= s_cookies %>";
document.cookie = "witcher=Geralt; SameSite=None; Secure";
res.setHeader("Set-Cookie", "user=mcmd;HttpOnly;Secure;SameSite=None");
res.setHeader("Access-Control-Allow-Origin","*");
res.setHeader("Access-Control-Allow-Credentials","true");

// other settings tried
crossDomain=true; withCredentials=true;Authorization; Max-Age=60*60*3600

<iframe src="https://service3.smartcapsule.jp/disp/ONECLICKCOMM.do"></iframe>
<script
  src="https://code.jquery.com/jquery-3.4.1.min.js"
  integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
  crossorigin="anonymous">
</script>
<script>
    // redirect http://localhost:8080 to https (location.host takes "host:port", not a full URL)
    const apexUrl = 'localhost:8080';
    const forwardUrl = 'https://localhost:8080';
    alert(window.location.host);
    if (window.location.host === apexUrl && window.location.protocol === 'http:') {
      window.location.href = forwardUrl + window.location.pathname + window.location.search;
    }
</script>
Google reCAPTCHA

「20201001」 I tried Ajax, but the cookie is still lost...


「20201012」 Done

In the end everything went well and the problem is solved.

The Java code is here

import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

@SuppressWarnings({"unused"})
public class CSRFCookieFilter implements Filter {

    public CSRFCookieFilter() {

    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

        try {

            HttpServletRequest httpServletRequest = (HttpServletRequest)request;
            HttpServletResponse httpServletResponse = (HttpServletResponse) response;

            printCookie("OLD_COOKIES",httpServletRequest);

            ModifyHttpServletRequestWrapper mParametersWrapperRequest = new ModifyHttpServletRequestWrapper(httpServletRequest);
            Cookie[] cookies = mParametersWrapperRequest.getCookies();
            if (null != cookies) {
                for (Cookie cookie : cookies) {
                    if (!isCookieNullOrEmpty(cookie)) {
                        if(!cookie.getValue().contains(COOKIE_PARA_LIST[2])) {
                            cookie.setSecure(true);
                            mParametersWrapperRequest.putCookie(cookie.getName(), cookie.getValue() + COOKIE_PARA_LIST[1]);
                            httpServletResponse.addHeader("Set-Cookie", addCookieHeader(httpServletResponse, cookie, true));
                        }
                    }
                }
            }
            // Note: browsers ignore Access-Control-Allow-Credentials: true when the allowed origin is
            // the wildcard "*"; a credentialed cross-origin request needs the concrete origin echoed back.
            httpServletResponse.addHeader("Access-Control-Allow-Origin","*");
            httpServletResponse.addHeader("Access-Control-Allow-Credentials","true");

            printCookie("NEW_COOKIES",mParametersWrapperRequest);

            chain.doFilter(mParametersWrapperRequest, httpServletResponse);

        } catch (Throwable e) {
            System.out.println("CSRFCookieFilter Throwable "+e.getMessage());
            e.printStackTrace();
        }
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("---------------------------------------->CSRFCookieFilter init():" + filterConfig.toString());
    }

    public static void clear() {
        System.out.println("---------------------------------------->CSRFCookieFilter clear()");
    }

    public void init() {
        System.out.println("---------------------------------------->CSRFCookieFilter init()");
    }

    public void destroy() {
        System.out.println("---------------------------------------->CSRFCookieFilter destroy()");
    }

/**********************************************************************************************************************/

    private class ModifyHttpServletRequestWrapper extends HttpServletRequestWrapper {

        private Map<String, String> mapCookies;

        ModifyHttpServletRequestWrapper(HttpServletRequest request) {
            super(request);
            this.mapCookies = new HashMap<>();
        }

        void putCookie(String name, String value) {
            this.mapCookies.put(name, value);
        }

        String convertResponseCookies(String add_properties){
            String ret = "";
            for (Map.Entry<String, String> entry : this.mapCookies.entrySet()) {
                String tmp = entry.getKey() + "=" + entry.getValue() + add_properties;
                println(tmp);
                ret = ret + tmp;
            }
            return ret;
        }

        @Override
        public Cookie[] getCookies() {
            HttpServletRequest request = (HttpServletRequest) getRequest();
            Cookie[] cookies = request.getCookies();
            if (mapCookies == null || mapCookies.isEmpty()) {
                return cookies;
            }
            if (cookies == null || cookies.length == 0) {
                List<Cookie> cookieList = new LinkedList<>();
                for (Map.Entry<String, String> entry : mapCookies.entrySet()) {
                    String key = entry.getKey();
                    if (key != null && !"".equals(key)) {
                        cookieList.add(new Cookie(key, entry.getValue()));
                    }
                }
                if (cookieList.isEmpty()) {
                    return cookies;
                }
                return cookieList.toArray(new Cookie[cookieList.size()]);
            } else {
                List<Cookie> cookieList = new ArrayList<>(Arrays.asList(cookies));
                for (Map.Entry<String, String> entry : mapCookies.entrySet()) {
                    String key = entry.getKey();
                    if (key != null && !"".equals(key)) {
                        for (int i = 0; i < cookieList.size(); i++) {
                            if (cookieList.get(i).getName().equals(key)) {
                                cookieList.remove(i);
                            }
                        }
                        cookieList.add(new Cookie(key, entry.getValue()));
                    }
                }
                return cookieList.toArray(new Cookie[cookieList.size()]);
            }
        }
    }

    public String addCookieHeader(HttpServletResponse response, Cookie cookie, boolean isHttpOnly) {
        String name = cookie.getName();
        String value = cookie.getValue();
        int maxAge = cookie.getMaxAge();
        String path = cookie.getPath();
        String domain = cookie.getDomain();
        boolean isSecure = cookie.getSecure();

        StringBuilder buffer = new StringBuilder();
        buffer.append(name).append("=").append(value).append(";");
        if (0 == maxAge) {
            buffer.append("Expires=" + getExpiresDate() + ";");
        } else if (0 < maxAge) {
            buffer.append("Max-Age=").append(maxAge).append(";");
        }
        if (null != domain) {
            buffer.append("domain=").append(domain).append(";");
        }
        if (null != path) {
            buffer.append("path=").append(path).append(";");
        }
        if (isSecure) {
            buffer.append("secure;");
        }
        if (isHttpOnly) {
            buffer.append("HTTPOnly;");
        }
        buffer.append("SameSite=None;");
        return buffer.toString();
    }

/**********************************************************************************************************************/

    private static boolean DEBUG_MODE = false;
    private static void println(String args){
        if (DEBUG_MODE) System.out.println(args);
    }
    public static void printCookie(String targetHeader,HttpServletRequest req){
        if (!DEBUG_MODE) {
            return;
        }
        println("-----------------" + targetHeader + "-----------------------------");
        Cookie[] cookies = req.getCookies();
        if (null != cookies) {
            for (Cookie cookie : cookies) {
                println( cookie.getName() + ":" + cookie.getValue());
            }
        }
        println("-----------------" + targetHeader + "-----------------------------");
    }

/**********************************************************************************************************************/

    private String getExpiresDate(){
        // Expires must be an HTTP date such as "Wed, 21 Oct 2015 07:28:00 GMT". The earlier
        // "dd-MM-yyyy HH:mm:ss" / Locale.CHINA format has no month name, so browsers discard it
        // and the cookie silently becomes a session cookie.
        Calendar cal = Calendar.getInstance();
        cal.add(Calendar.HOUR, 1);
        Date date = cal.getTime();
        SimpleDateFormat sdf = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
        sdf.setTimeZone(java.util.TimeZone.getTimeZone("GMT"));
        return sdf.format(date);
    }

    public static boolean isCookieNullOrEmpty(Cookie cookie) {
        return null == cookie || null == cookie.getValue() || cookie.getValue().isEmpty();
    }

    static String[] COOKIE_PARA_LIST = {
              ";user=mcmd;Secure;HttpOnly;SameSite=None;"
            , ";Secure;HttpOnly;SameSite=None;"
            , "SameSite=None"
    };

    /**
     * document.cookie = "name=huang; secure";
     */
    public static Map<String,String> resetDocumentCookieSet(HttpServletRequest req,String param_amend_ment) {
        Map<String,String> requestMap = new HashMap<String,String>();
        Cookie[] cookies = req.getCookies();
        if (null != cookies) {
            for (Cookie cookie : cookies) {
                if (!isCookieNullOrEmpty(cookie)) {
                    if(!cookie.getValue().contains(COOKIE_PARA_LIST[2])) {
                        requestMap.put(cookie.getName() + "=" + cookie.getValue(), param_amend_ment);
                    }
                }
            }
        }
        return requestMap;
    }
/**********************************************************************************************************************/
}

The JSP code is here

<%
            Map requestMap = CSRFCookieFilter.resetDocumentCookieSet(request, ";Secure;HttpOnly;SameSite=None;");
            Iterator it = requestMap.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                // key is "name=value", value is the attribute suffix to append
                String new_cookies = ((String) entry.getKey()) + ((String) entry.getValue());
%>
                document.cookie = "<%= new_cookies %>";
<%
            }
%>

web.xml is here

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>
DJQTDJ

Please refer to the 「20201012」 solution:

    CSRFCookieFilter
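A way to see why each of the attempts in the question fails, as an added example that is not code from the question or its author: a small Node script that parses a cookie string the way RFC 6265 does and reports the rules a Chromium-style browser applies to a cookie meant for cross-site use (SameSite=None needs Secure, Chrome's default is Lax, HttpOnly cannot be set from document.cookie, a Secure cookie needs an https:// page, and Expires needs an HTTP date with a month name). The sample strings are the question's own attempts plus one constructed Expires case matching the filter's original date format; whether http://localhost counts as a secure context varies by browser version, so that is passed in as a flag rather than decided by the script.

```javascript
// Added example, not code from the question: classify cookie strings the way a
// Chromium-style browser would, and explain why a cookie is dropped cross-site.

const ATTRIBUTE_NAMES = new Set(['expires', 'max-age', 'domain', 'path', 'secure', 'httponly', 'samesite']);

// Split "name=value; Attr; Attr=val". Per RFC 6265 the first segment is always
// taken as the name=value pair, whatever it looks like.
function parseCookieString(str) {
  const parts = str.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) return null;
  const [first, ...rest] = parts;
  const eq = first.indexOf('=');
  const cookie = {
    name: eq >= 0 ? first.slice(0, eq).trim() : '',
    value: eq >= 0 ? first.slice(eq + 1).trim() : first,
    hasPair: eq >= 0,
    attrs: {},
  };
  for (const p of rest) {
    const i = p.indexOf('=');
    const key = (i >= 0 ? p.slice(0, i) : p).trim().toLowerCase();
    cookie.attrs[key] = i >= 0 ? p.slice(i + 1).trim() : true;
  }
  return cookie;
}

// RFC 6265 date parsing is lenient, but it still needs a three-letter month name;
// a purely numeric date such as "12-10-2020 13:00:00" is discarded and the cookie
// silently becomes a session cookie. Accept only the IMF-fixdate form here.
const IMF_FIXDATE = /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} GMT$/;

// Returns a list of problems; an empty list means the cookie is usable cross-site.
// viaScript: assigned through document.cookie rather than a Set-Cookie header.
// secureContext: the page is https:// (caller decides how to treat http://localhost).
function crossSiteCookieProblems(str, { viaScript = false, secureContext = true } = {}) {
  const problems = [];
  const c = parseCookieString(str);
  if (c === null) return ['empty cookie string'];
  if (!c.hasPair) {
    problems.push(`no name=value pair: "${c.value}" is taken as the cookie itself, not as an attribute`);
  } else if (ATTRIBUTE_NAMES.has(c.name.toLowerCase())) {
    problems.push(`"${c.name}" is an attribute keyword used as the cookie name; attributes must follow a real name=value pair`);
  }
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;
  const secure = c.attrs.secure === true;
  if (sameSite !== 'none') {
    problems.push('SameSite is not None: Chrome defaults to Lax and will not send the cookie on cross-site requests');
  } else if (!secure) {
    problems.push('SameSite=None without Secure is rejected by Chrome');
  }
  if (secure && !secureContext) {
    problems.push('Secure cookie cannot be stored from a non-HTTPS page');
  }
  if (viaScript && c.attrs.httponly !== undefined) {
    problems.push('HttpOnly cannot be set from document.cookie; the whole assignment is ignored');
  }
  if (typeof c.attrs.expires === 'string' && !IMF_FIXDATE.test(c.attrs.expires)) {
    problems.push(`Expires "${c.attrs.expires}" is not an HTTP date; it is ignored and the cookie becomes a session cookie`);
  }
  return problems;
}

// Scan a request Cookie header for cookies whose name (or bare value) is an
// attribute keyword: the leftovers of a malformed document.cookie assignment.
function leakedAttributeCookies(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((p) => p.trim())
    .filter((p) => p.length > 0)
    .map((p) => (p.indexOf('=') >= 0 ? p.slice(0, p.indexOf('=')).trim() : p))
    .filter((key) => ATTRIBUTE_NAMES.has(key.toLowerCase()));
}

// The question's own attempts, plus one constructed Expires case.
const SAMPLES = [
  { label: 'Set-Cookie, https page', str: 'user=test;HttpOnly;Secure;SameSite=None', opts: {} },
  { label: 'Set-Cookie without name=value', str: 'HttpOnly;Secure;SameSite=None', opts: {} },
  { label: 'document.cookie with HttpOnly', str: 'witcher=Geralt; HttpOnly; SameSite=None; Secure', opts: { viaScript: true } },
  { label: 'document.cookie attributes only', str: 'SameSite=None; Secure', opts: { viaScript: true } },
  { label: 'document.cookie on http:// page', str: 'witcher=Geralt; SameSite=None; Secure', opts: { viaScript: true, secureContext: false } },
  { label: 'Set-Cookie with numeric Expires (constructed)', str: 'JSESSIONID=constructed;Expires=12-10-2020 13:00:00;secure;HTTPOnly;SameSite=None', opts: {} },
];

function report(samples) {
  const out = {};
  for (const s of samples) out[s.label] = crossSiteCookieProblems(s.str, s.opts);
  return out;
}

console.log(JSON.stringify(report(SAMPLES), null, 2));
// Cookie header taken from the question's first header dump (shortened)
console.log('attribute keywords stored as cookies:',
  leakedAttributeCookies('SameSite=None; Secure; aspGroupId=00000000; JSESSIONID=15BA5A77A80B2C93969A44FE9371B135'));
```

Run it with node. The first attempt (a proper name=value pair, Secure, SameSite=None, sent from an https page) reports nothing; every other attempt is flagged for the rule it breaks. The last line shows that the request Cookie header in the question carries cookies literally named SameSite and Secure, i.e. attribute keywords that ended up as cookie names, which is the trace of a document.cookie assignment that started with an attribute instead of a name=value pair.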
