Generating Own Session Id in JSF

Problem description

I have a web application in which we use the JSF framework. I have been diving deep into the security part of the web application, and hence I was looking to generate my own unique session ID (using an encryption algorithm) and assign it to every new session which gets created once the user logs in.

Can anyone please guide me on how to set a manually generated session id in the session and ensure with each request that the session id is transmitted?

Thanks.

Recommended answer

I really doubt you'll generate session IDs that are more secure than the ones generated by the container, but here's what you could do, without using any container-specific extension.

Create a servlet filter which intercepts every request to the server.

When a request comes in, check if a session already exists for this request (using getSession(false)). If one exists, then extract your specific cookie MY_SESSION_ID from the request, and compare its value to the one that is stored in the session. If they don't match, reject the request.

If the session doesn't exist, then create it (using getSession(true)), generate your super-secure session ID, store it as a session attribute and add the cookie MY_SESSION_ID to the response.

This has the disadvantage of creating a session automatically, even if it's not strictly needed. But that's the case most of the time when using JSPs of component frameworks.
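
The filter described in the answer above could look like the following. This is an added example, not code from the original answer: the class name SessionTokenFilter is hypothetical, and it assumes the javax.servlet 4.0 API (where Filter.init and Filter.destroy have default implementations), an application served over HTTPS, and a random token from SecureRandom rather than an encryption algorithm.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionTokenFilter implements Filter {
    // Cookie and session attribute name taken from the answer.
    private static final String NAME = "MY_SESSION_ID";
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        if (session == null) {
            // No session yet: create one and issue a 256-bit random token.
            session = req.getSession(true);
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(NAME, token);
            Cookie c = new Cookie(NAME, token);
            c.setHttpOnly(true);   // not readable from page scripts
            c.setSecure(true);     // assumption: the site is only reached over HTTPS
            c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
            res.addCookie(c);
        } else {
            String expected = (String) session.getAttribute(NAME);
            String presented = null;
            if (req.getCookies() != null) {
                for (Cookie c : req.getCookies()) {
                    if (NAME.equals(c.getName())) presented = c.getValue();
                }
            }
            // Constant-time comparison; a missing value on either side counts as a mismatch.
            if (expected == null || presented == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    presented.getBytes(StandardCharsets.UTF_8))) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);   // reject the request
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to every URL of the application (for example with a filter-mapping for /* in web.xml) so that no request reaches a servlet without passing the check.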
