How to stop Spring Security from creating a new session?


Problem description

  1. I restart the server and browser so there's no session data.
  2. I go to www.someurl.com public access page. My controller gets me a session with this HttpSession session=request.getSession(true);
  3. I click on a plain anchor link to www.someurl.com/admin restricted access page which opens in a new tab. Spring Security 3 intercepts this and challenges for credentials. I log in successfully.
  4. I go back to the previous tab with www.someurl.com and refresh the page.


Problem

What I notice in my controller for www.someurl.com is that the session id is different on step 2 and step 4. Looks like Spring Security created a new session and that session is now attached to the request for the public page. Why does this happen, and can I force Spring Security to use the existing session?

  1. Restart the browser and server so that no session data exists.
  2. I go to www.someurl.com. The request is injected into the controller. request.session is null. getSession(true) gets me a session with id 87B091B12F38D44C53AF0DA9E2147484. LogService gets the request object and also calls getSession(true), but gets the session with id 87B091B12F38D44C53AF0DA9E2147484. Everything is fine so far.
  3. I click /admin. The page opens in a new tab. I log in.
  4. I refresh www.someurl.com. The request is injected into the controller. request.session is not null. The session id is 547DF59035C91783D783BAEF4A15FBFF.

Recommended answer

Your diagnosis is wrong:


What I notice in my controller for www.someurl.com is that the session id is different on step 2 and step 4. Looks like Spring Security created a new session and that session is now attached to the request for public page.


It's precisely because all the pages use the same session that when you go back to the first tab and refresh, you're still logged in as an admin. All the tabs and frames of a given browser share the same session for a given webapp. That's how it works. The server doesn't know or care about browser tabs. It gets a session cookie attached to all the requests sent by a given browser, and uses this cookie to get the corresponding session. This is actually a good thing. Without that, each time you opened a new tab once already authenticated, you would have to authenticate again. And you definitely don't want that.


So let's explain what happens in your scenario:

  1. You restart the server and browser, so there's no session data.
  2. You go to the www.someurl.com public access page. Your controller gets you a session. A cookie is sent back to the browser.
  3. You click on a plain anchor link to the www.someurl.com/admin restricted access page, which opens in a new tab. The cookie is sent along with the request, so this request is part of the session opened at step 2. Spring Security 3 intercepts this request and asks for credentials. It attaches the credentials to the session, which is now an authenticated session.
  4. You go back to the previous tab with www.someurl.com and refresh the page. The cookie is sent again, and Spring knows you are the one who authenticated at step 3, because the authentication credentials are stored in the session.


It appears I was wrong, and Spring indeed creates a new session after login to prevent session fixation attacks. Explanations about why this is useful, and how to avoid this behavior, are available in the documentation:


Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in. If you don't require this protection, or it conflicts with some other requirement, you can control the behaviour using the session-fixation-protection attribute on , which has three options:

  • migrateSession - creates a new session and copies the existing session attributes to the new session. This is the default.
  • none - Don't do anything. The original session will be retained.
  • newSession - Create a new "clean" session, without copying the existing session data.
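As an added example (not code from the question or the answer), this is how the attribute is set in a Spring Security 3.1 namespace configuration; the URL patterns are illustrative and the authentication-manager is assumed to be defined elsewhere in the same file:

```xml
<!-- Added example for the session-fixation-protection attribute described above.
     Assumes Spring Security 3.1 with the security namespace as the default prefix;
     the authentication-manager bean is assumed to be declared elsewhere. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- "migrateSession" is the default and the value to keep in normal use:
       on login the session id seen at step 2 of the question is replaced by a
       fresh one (step 4), while session attributes such as request.getSession()
       data set by the public-page controller are copied across.

       "newSession" also issues a fresh id but drops the old attributes.

       "none" keeps the pre-login session id, so steps 2 and 4 would log the
       same id; the cost is that an id handed out before authentication becomes
       the authenticated id, which is exactly what session fixation relies on. -->
  <http use-expressions="true" session-fixation-protection="migrateSession">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/**" access="permitAll" />
    <form-login />
    <logout />
  </http>

</beans:beans>
```

If a controller needs state to survive the login, store it as a session attribute rather than keying on the session id; with the default setting the attribute is carried over even though the id changes.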
