Can a Servlet get HTTPS session id?

Question

I want to build a stateless web application using Java Servlets. Because it's stateless, there is no HttpSession. There is a session in the browser, but each request might be handled by a different node in the cluster. The session identifier stored in the browser is generated and encrypted by the server, so it's very hard for someone to craft a valid fake session ID and bypass login.

Recently I found a vulnerability in this architecture: if a malicious (infected) browser sends the session identifier to a bandit, the session can be easily hijacked. I can't regenerate the session identifier at each request because there is no session on the server to track the expected request sequence, and that would also complicate handling of asynchronous requests.

My solution so far is to get some HTTPS session identifier and include it in the encrypted session ID that is stored in the browser. Can a standard servlet get such information from the HTTPS connection?

Another option would be using HttpSession just for getId(), but that would work only if such an ID is tied to the HTTPS session, which I couldn't find in the servlet specification.

Other suggestions are welcome.

Answer

The servlet container populates the SSL session ID in an HttpServletRequest attribute, to be used by downstream components. The attribute name happens to be javax.servlet.request.ssl_session_id. To my knowledge, this is available in all containers implementing the Servlet Specification 3.0. Prior to Servlet Spec 3.0, this was available in a limited set of containers (Tomcat and Jetty, if I'm not mistaken).

Be forewarned, though, that the SSL session ID is considered more secure than the container-generated HTTP session cookie value. Leaking the SSL session ID would render even your HTTPS connections insecure.
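The following is an added example (not part of the original question or answer) of what the asker describes: a stateless login token whose HMAC also covers the value of `javax.servlet.request.ssl_session_id`, so that a copy of the token replayed from a different machine, and therefore over a different TLS session, fails verification. The class name `TlsBoundToken`, the token layout (`base64url(user:expiry).base64url(mac)`) and the shared HMAC key are assumptions of the example; the key is assumed to be loaded from configuration and identical on every cluster node.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;

/**
 * Example (hypothetical) stateless login token bound to the TLS session.
 * The MAC is computed over "user:expiry|sslSessionId", where sslSessionId is
 * the request attribute javax.servlet.request.ssl_session_id set by the
 * container, so the token only verifies on the TLS session it was issued on.
 */
public final class TlsBoundToken {
    private static final String SSL_SESSION_ID_ATTR = "javax.servlet.request.ssl_session_id";
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private TlsBoundToken() {}

    /** Returns the SSL session ID string, or null if the container did not set it. */
    public static String sslSessionId(HttpServletRequest req) {
        Object id = req.getAttribute(SSL_SESSION_ID_ATTR);
        return id == null ? null : id.toString();
    }

    /** Issues "payload.mac" for the current request's TLS session. Key is an assumed shared secret. */
    public static String issue(HttpServletRequest req, String user, long expiryEpochSeconds, byte[] key)
            throws Exception {
        String sid = sslSessionId(req);
        if (sid == null) {
            // Plain HTTP, or TLS terminated by a proxy/load balancer in front of the container.
            throw new IllegalStateException("no SSL session ID available on this request");
        }
        String payload = user + ":" + expiryEpochSeconds;
        byte[] mac = hmac(key, payload + "|" + sid);
        return B64.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + "." + B64.encodeToString(mac);
    }

    /**
     * Returns the user name if the token is authentic, unexpired and bound to this
     * request's TLS session; returns null (deny) in every other case.
     */
    public static String verify(HttpServletRequest req, String token, long nowEpochSeconds, byte[] key)
            throws Exception {
        String sid = sslSessionId(req);
        if (sid == null || token == null) return null;
        int dot = token.indexOf('.');
        if (dot <= 0 || dot == token.length() - 1) return null;
        String payload;
        byte[] presentedMac;
        try {
            payload = new String(B64D.decode(token.substring(0, dot)), StandardCharsets.UTF_8);
            presentedMac = B64D.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        // Recompute with the SSL session ID of *this* request; a stolen token presented
        // over another TLS session yields a different MAC.
        byte[] expectedMac = hmac(key, payload + "|" + sid);
        if (!MessageDigest.isEqual(expectedMac, presentedMac)) return null; // constant-time compare
        int colon = payload.lastIndexOf(':');
        if (colon <= 0) return null;
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(colon + 1));
        } catch (NumberFormatException bad) {
            return null;
        }
        if (nowEpochSeconds >= expiry) return null;
        return payload.substring(0, colon);
    }

    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
}
```

Typical use is `TlsBoundToken.issue(req, user, now + 3600, key)` in the login servlet, storing the result in a Secure/HttpOnly cookie, and `TlsBoundToken.verify(req, cookieValue, now, key)` in a filter on every request, treating a null return as "not logged in". Two practical checks before relying on this: the attribute is only populated when the container itself terminates TLS (behind a TLS-terminating load balancer it will be null unless the proxy forwards the ID and the container is configured to accept it, e.g. Tomcat's SSLValve), and the ID changes whenever the browser performs a new full handshake, which logs the user out; TLS 1.3 resumes via tickets rather than session IDs, so whether the reported ID stays stable across resumption depends on the JSSE and container version, and should be tested. On Jakarta Servlet 5.0 and later the attribute is named `jakarta.servlet.request.ssl_session_id` instead.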
