增加Cookie安全性,支持设置Cookie的HttpOnly和Secure属性

sa-token-core/src/main/java/cn/dev33/satoken/config/SaTokenConfig.java

@@ -41,6 +41,12 @@ public class SaTokenConfig implements Serializable {
 	/** 是否尝试从cookie里读取token */
 	private Boolean isReadCookie = true;
 
+	/** 使用Cookie时,是否为HttpOnly */
+	private Boolean isCookieHttpOnly = false;
+
+	/** 使用Cookie时,是否为Secure */
+	private Boolean isCookieSecure = false;
+
 	/** token风格(默认可取值：uuid、simple-uuid、random-32、random-64、random-128、tik) */
 	private String tokenStyle = "uuid";
 
@@ -220,6 +226,38 @@ public class SaTokenConfig implements Serializable {
 		return this;
 	}
 
+	/**
+	 * @return 使用Cookie时,是否为HttpOnly
+	 */
+	public Boolean getIsCookieHttpOnly() {
+		return isCookieHttpOnly;
+	}
+
+	/**
+	 * @param isCookieHttpOnly 使用Cookie时,是否为HttpOnly
+	 * @return 对象自身
+	 */
+	public SaTokenConfig setIsCookieHttpOnly(Boolean isCookieHttpOnly) {
+		this.isCookieHttpOnly = isCookieHttpOnly;
+		return this;
+	}
+
+	/**
+	 * @return 使用Cookie时,是否为Secure
+	 */
+	public Boolean getIsCookieSecure() {
+		return isCookieSecure;
+	}
+
+	/**
+	 * @param isCookieSecure 使用Cookie时,是否为Secure
+	 * @return 对象自身
+	 */
+	public SaTokenConfig setIsCookieSecure(Boolean isCookieSecure) {
+		this.isCookieSecure = isCookieSecure;
+		return this;
+	}
+
 	/**
 	 * @return token风格(默认可取值：uuid、simple-uuid、random-32、random-64、random-128、tik)
 	 */
@@ -433,7 +471,9 @@ public class SaTokenConfig implements Serializable {
 	public String toString() {
 		return "SaTokenConfig [tokenName=" + tokenName + ", timeout=" + timeout + ", activityTimeout=" + activityTimeout
 				+ ", isConcurrent=" + isConcurrent + ", isShare=" + isShare + ", isReadBody=" + isReadBody
-				+ ", isReadHead=" + isReadHead + ", isReadCookie=" + isReadCookie + ", tokenStyle=" + tokenStyle
+				+ ", isReadHead=" + isReadHead + ", isReadCookie=" + isReadCookie
+				+ ", isCookieHttpOnly=" + isCookieHttpOnly + ", isCookieSecure=" + isCookieSecure
+				+ ", tokenStyle=" + tokenStyle
 				+ ", dataRefreshPeriod=" + dataRefreshPeriod + ", tokenSessionCheckLogin=" + tokenSessionCheckLogin
 				+ ", autoRenew=" + autoRenew + ", cookieDomain=" + cookieDomain + ", tokenPrefix=" + tokenPrefix
 				+ ", isPrint=" + isPrint + ", isLog=" + isLog + ", jwtSecretKey=" + jwtSecretKey + ", idTokenTimeout="

sa-token-core/src/main/java/cn/dev33/satoken/context/model/SaResponse.java

@@ -18,21 +18,23 @@ public interface SaResponse {
 	 * @param name Cookie名称
 	 */
 	public void deleteCookie(String name);
-	
+
 	/**
-	 * 写入指定Cookie 
+	 * 写入指定Cookie
 	 * @param name     Cookie名称
 	 * @param value    Cookie值
 	 * @param path     Cookie路径
 	 * @param domain   Cookie的作用域
 	 * @param timeout  过期时间 （秒）
+	 * @param isHttpOnly 是否为HttpOnly
+	 * @param isSecure 是否为Secure
 	 */
-	public void addCookie(String name, String value, String path, String domain, int timeout);
+	public void addCookie(String name, String value, String path, String domain, int timeout, boolean isHttpOnly, boolean isSecure);
 
 	/**
-	 * 设置响应状态码 
+	 * 设置响应状态码
 	 * @param sc 响应状态码
-	 * @return 对象自身 
+	 * @return 对象自身
 	 */
 	public SaResponse setStatus(int sc);
 	

sa-token-core/src/main/java/cn/dev33/satoken/stp/StpLogic.java

@@ -109,9 +109,9 @@ public class StpLogic {
 		}
 		
 		// 注入Cookie 
-		if(config.getIsReadCookie()){
+		if (config.getIsReadCookie()) {
 			SaResponse response = SaHolder.getResponse();
-			response.addCookie(getTokenName(), tokenValue, "/", config.getCookieDomain(), cookieTimeout);
+			response.addCookie(getTokenName(), tokenValue, "/", config.getCookieDomain(), cookieTimeout, config.getIsCookieHttpOnly(), config.getIsCookieSecure());
 		}
 	}