httpservletrequest - create new session / change session Id


Problem description

I'm maintaining a Java web application.

Looking into the login code, it gets an HttpSession out of HttpServletRequest via the getSession() method of HttpServletRequest. (It uses some values in the session for authentication purposes.)

However, I'm worried about session fixation attacks, so after I have used the initial session I want to either start a new session or change the session id. Is this possible?

Recommended answer

The Servlet 3.0 API doesn't allow you to change the session id on an existing session. Typically, to protect against session fixation, you'll want to just create a new one and invalidate the old one as well.

You can invalidate the session with

request.getSession(false).invalidate();

and then use

getSession(true) (getSession() should also work)

Obviously, if you have any data in the session that you want to persist, you'll need to copy it from the first session to the second session.

Note, for session fixation protection, it's commonly considered okay to just do this on the authentication request. But a higher level of security involves tossing the old session and making a new session for each and every request.
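The invalidate-then-recreate step described in the answer, written out as a helper that also carries the old session's attributes across; this is an added example, not code from the question or answer, and the class name SessionRotator and the dropBeforeCopy parameter are assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Rotates the session id after successful authentication to defeat session fixation. */
public final class SessionRotator {

    private SessionRotator() {}

    /**
     * Invalidates the caller's current session (if any) and returns a fresh one with a
     * container-issued id. Attributes are copied from the old session to the new one,
     * except those named in dropBeforeCopy (e.g. pre-login state that must not survive).
     */
    public static HttpSession rotate(HttpServletRequest request, Set<String> dropBeforeCopy) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            // Snapshot the attributes before invalidation; they are unreachable afterwards.
            for (String name : Collections.list(old.getAttributeNames())) {
                if (!dropBeforeCopy.contains(name)) {
                    saved.put(name, old.getAttribute(name));
                }
            }
            // Any id an attacker may have planted in the victim's browser is now useless.
            old.invalidate();
        }
        // getSession(true) creates a brand-new session with a new id.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call rotate() right after credentials have been verified and before storing the authenticated principal in the session; on Servlet 3.1+ containers, HttpServletRequest.changeSessionId() rotates the id in place without the copy step.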
