在我当前的项目中,我们正在实现Android应用程序与服务器之间的会话处理。
现在,根据我们的设计,Android应用程序应仅接受HTTP Cookie并删除所有其他Cookie。
但是,在所有可用选项中,我找不到任何类或方法来帮助我确定cookie是否为HTTPOnly。
我以以下方式存储cookie:
connections = (HttpURLConnection) serverURL.openConnection();
// Setting cookies manager
java.net.CookieManager manager = new java.net.CookieManager();
manager.setCookiePolicy(new CookiePolicy() {
@Override
public boolean shouldAccept(URI uri, HttpCookie cookie) {
return cookie.getSecure();
}
});
CookieHandler.setDefault(manager);
connections.setDoInput(true);
connections.setDoOutput(true);
connections.setConnectTimeout(TIME_OUT);
connections.getOutputStream().write(data);
InputStream inputStream = connections.getInputStream();
CookieStore cookieJar = manager.getCookieStore();
if (cookieJar != null) {
List<HttpCookie> cookies = cookieJar.getCookies();
for (HttpCookie httpCookie : cookies) {
Log.i("yash", httpCookie.toString());
}
}
但这HttpCookie没有任何HTTPOnly方法。
通过一些谷歌浏览器,我发现RFC 6265具有HTTPOnly属性,它也使RFC 2965变得模糊。但是,为什么Google不支持此RFC 6265?
最佳答案
根据the class documentation,仅支持HttpOnly,但由于某种原因,此字段没有任何访问器或更改器。
为了能够访问和修改httpOnly字段,您应该使用反射:
// Workaround httpOnly (getter)
private boolean getHttpOnly() {
try {
Field fieldHttpOnly = cookie.getClass().getDeclaredField("httpOnly");
fieldHttpOnly.setAccessible(true);
return (boolean) fieldHttpOnly.get(cookie);
} catch (Exception e) {
// NoSuchFieldException || IllegalAccessException ||
// IllegalArgumentException
Log.w(TAG, e);
}
return false;
}
// Workaround httpOnly (setter)
private void setHttpOnly(boolean httpOnly) {
try {
Field fieldHttpOnly = cookie.getClass().getDeclaredField("httpOnly");
fieldHttpOnly.setAccessible(true);
fieldHttpOnly.set(cookie, httpOnly);
} catch (Exception e) {
// NoSuchFieldException || IllegalAccessException ||
// IllegalArgumentException
Log.w(TAG, e);
}
}