我在servlet版本3.0的项目上新增以下web.xml标注:
<session-config>
<cookie-config> <secure>true</secure> </cookie-config>
</session-config>
由于是第一次新增secure,为了保险,我还写了一个拦截器:
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
Cookie[] cookies = req.getCookies();
if (cookies != null) {
for(Cookie cookie : cookies){
if (cookie != null) {
String value = cookie.getValue();
cookie.setValue("123465790");
StringBuilder builder = new StringBuilder();
builder.append("JSESSIONID=" + "123465790" + "; ");
builder.append("Secure; ");
builder.append("HttpOnly; ");
Calendar cal = Calendar.getInstance();
cal.add(Calendar.HOUR, 1);
Date date = cal.getTime();
Locale locale = Locale.CHINA;
SimpleDateFormat sdf = new SimpleDateFormat(
"dd-MM-yyyy HH:mm:ss", locale);
builder.append("Expires=" + sdf.format(date));
resp.setHeader("Set-Cookie", builder.toString());
cookie.setSecure(true);
resp.addCookie(cookie);
}
}
}
chain.doFilter(req, resp);
但是浏览器显示的结果未达到预期:
为了查找原因我在jsp页面通过Java代码输出了request和response,并进行了断点,结果却是符合预期的:
request的cookie
response的cookie
很显然虽然request与response也略有不同但是secure却都是有的,这与浏览器显示的完全不一样,现在我就非常迷惘了,不知道哪位大佬可以帮忙解答下