From badcf6e3cb40fac9ccc720c6f1d8965c60a088d1 Mon Sep 17 00:00:00 2001
From: xuxueli <931591021@qq.com>
Date: Mon, 25 Dec 2017 20:17:02 +0800
Subject: [PATCH] =?UTF-8?q?=E7=B3=BB=E7=BB=9F=E5=AE=89=E5=85=A8=E6=80=A7?= =?UTF-8?q?=E4=BC=98=E5=8C=96=EF=BC=8C=E7=99=BB=E9=99=86Token=E5=86=99Cook?= =?UTF-8?q?ie=E6=97=B6=E8=BF=9B=E8=A1=8CMD5=E5=8A=A0=E5=AF=86=EF=BC=8C?= =?UTF-8?q?=E5=90=8C=E6=97=B6Cookie=E5=90=AF=E7=94=A8HttpOnly=EF=BC=9B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 doc/XXL-JOB官方文档.md | 2 +-
 .../interceptor/PermissionInterceptor.java | 9 +++--
 .../xxl/job/admin/core/util/CookieUtil.java | 34 +++++++++----------
 3 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/doc/XXL-JOB官方文档.md b/doc/XXL-JOB官方文档.md
index 4a4dcd8a..3ea55bdc 100644
--- a/doc/XXL-JOB官方文档.md
+++ b/doc/XXL-JOB官方文档.md
@@ -1101,7 +1101,7 @@ Tips: 历史版本(V1.3.x)目前已经Release至稳定版本, 进入维护阶段
 - 24、Log地址格式兼容,支持非"/"结尾路径配置;
 - 25、底层系统日志级别规范调整,清理遗留代码;
 - 26、建表SQL优化,支持同步创建制定编码的库和表;
-- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密;
+- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密,同时Cookie启用HttpOnly;
 ### TODO LIST
diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
index da7f699f..1d6facf5 100644
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
@@ -17,7 +17,8 @@ import java.math.BigInteger;
 * @author xuxueli 2015-12-12 18:09:04
 */
 public class PermissionInterceptor extends HandlerInterceptorAdapter {
-
+
+ public static final String LOGIN_IDENTITY_KEY = "XXL_JOB_LOGIN_IDENTITY";
 public static final String LOGIN_IDENTITY_TOKEN;
 static {
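Review bot: The new public constant `LOGIN_IDENTITY_KEY` carries no Javadoc, and nothing in this hunk says which cookie it names or which code reads it; a one-liner such as `/** Name of the cookie that carries the login identity token (presumably written by login() and checked in preHandle()). */` would settle that for the next reader. The commit subject describes the cookie value as the login token "MD5-encrypted", but the static initializer that builds `LOGIN_IDENTITY_TOKEN` starts on the last line of the hunk and continues outside it, so its input is not visible here. MD5 is an unkeyed digest, not encryption: if the digest is computed deterministically over the configured credentials, the cookie value is a fixed password-equivalent that never rotates or expires, and HttpOnly only narrows how it can be read, not what it is worth once read. A random per-login token kept server-side, or at least an HMAC over the identity with a server-held secret and an expiry, would be the stronger fix to pair with the HttpOnly change.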
@@ -30,7 +31,9 @@ public class PermissionInterceptor extends HandlerInterceptorAdapter {
 LOGIN_IDENTITY_TOKEN = tokenTmp;
 }
-
+
+
+
 public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){
 // login token
@@ -56,6 +59,8 @@ public class PermissionInterceptor extends HandlerInterceptorAdapter {
 return true;
 }
+
+
 @Override
 public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
index 28baa214..31f30ee3 100644
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
@@ -6,9 +6,11 @@ import javax.servlet.http.HttpServletResponse;
 /**
 * Cookie.Util
+ *
 * @author xuxueli 2015-12-12 18:01:06
 */
 public class CookieUtil {
+ // 默认缓存时间,单位/秒, 2H
 private static final int COOKIE_MAX_AGE = 60 * 60 * 2;
 // 保存路径,根路径
@@ -16,43 +18,39 @@ public class CookieUtil {
 /**
 * 保存
+ *
 * @param response
 * @param key
 * @param value
 * @param ifRemember
 */
 public static void set(HttpServletResponse response, String key, String value, boolean ifRemember) {
-
- int age = COOKIE_MAX_AGE;
- if (ifRemember) {
- age = COOKIE_MAX_AGE;
- } else {
- age = -1;
- }
-
- Cookie cookie = new Cookie(key, value);
- cookie.setMaxAge(age); // Cookie过期时间,单位/秒
- cookie.setPath(COOKIE_PATH); // Cookie适用的路径
- response.addCookie(cookie);
+ int age = ifRemember?COOKIE_MAX_AGE:-1;
+ set(response, key, value, null, COOKIE_PATH, age, true);
 }
 /**
 * 保存
+ *
 * @param response
 * @param key
 * @param value
 * @param maxAge
 */
- private static void set(HttpServletResponse response,
- String key, String value, int maxAge, String path) {
+ private static void set(HttpServletResponse response, String key, String value, String domain, String path, int maxAge, boolean isHttpOnly) {
 Cookie cookie = new Cookie(key, value);
- cookie.setMaxAge(maxAge); // Cookie过期时间,单位/秒
- cookie.setPath(path); // Cookie适用的路径
+ if (domain != null) {
+ cookie.setDomain(domain);
+ }
+ cookie.setPath(path);
+ cookie.setMaxAge(maxAge);
+ cookie.setHttpOnly(isHttpOnly);
 response.addCookie(cookie);
 }
 /**
 * 查询value
+ *
 * @param request
 * @param key
 * @return
@@ -67,6 +65,7 @@ public class CookieUtil {
 /**
 * 查询Cookie
+ *
 * @param request
 * @param key
 */
@@ -84,6 +83,7 @@ public class CookieUtil {
 /**
 * 删除Cookie
+ *
 * @param request
 * @param response
 * @param key
@@ -91,7 +91,7 @@ public class CookieUtil {
 public static void remove(HttpServletRequest request, HttpServletResponse response, String key) {
 Cookie cookie = get(request, key);
 if (cookie != null) {
- set(response, key, "", 0, COOKIE_PATH);
+ set(response, key, "", null, COOKIE_PATH, 0, true);
 }
 }
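Review bot: The private `set` overload now takes `domain`, `path` and `isHttpOnly`, but its Javadoc still lists only `response`, `key`, `value` and `maxAge`; add `@param domain cookie domain, or null to leave it unset`, `@param path cookie path` and `@param isHttpOnly whether to mark the cookie HttpOnly` so the signature and the doc agree. `cookie.setHttpOnly(isHttpOnly)` is the right addition, but no `Secure` attribute is set anywhere in the hunk, so on a deployment served over TLS the login cookie is still sent on any plain-HTTP request to the same host; a parallel `boolean isSecure` parameter applied as `cookie.setSecure(isSecure);`, with the public `set` and the `remove` hunk at `@@ -91,7 +91,7` passing a value derived from the deployment (e.g. `request.isSecure()`, which would need the request threaded through), would close that gap. `Cookie.setHttpOnly` exists only from Servlet API 3.0, so the servlet-api version the admin module builds against should be confirmed before merging. As a point of style, `int age = ifRemember?COOKIE_MAX_AGE:-1;` reads better as `int age = ifRemember ? COOKIE_MAX_AGE : -1;`.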