Session id should be regenerated after logging in.
Problem description
I have one requirement in which the session id should be invalidated after login and a new session id should be regenerated, so that the pre-login cookie and the post-login cookie are not the same and the post-login cookie is validated on the server side.
What I have tried:
I used this piece of code to invalidate the session:
req.getSession(false).invalidate();
req.getSession(true);
I am able to change the session id, but it logs out. I tested the same scenario using the Burp tool suite. I got these results:
While logging in:
Cookie: navi=1-1-0-; SOSESSIONID=pxtc730f4259; SSO_ID=4419102748602016135; CSSOSESSIONID=20971435-a754-43d5-aa56-7083e2dba55b; JSESSIONID=jpofvmzlses2
Connection: close
Upgrade-Insecure-Requests: 1
After login:
Cookie: SSO_ID=; navi=1-1-0-; SOSESSIONID=ssnuqpjpal2i; SSO_ID=323568307087821651; CSSOSESSIONID=20971435-a754-43d5-aa56-7083e2dba55b; JSESSIONID=jpofvmzlses2
Connection: close
But after that, if I click anything in the GUI, I am redirected to the login page.
Can you please help me with how to regenerate the session id after login, so that the same id does not continue throughout?
Solution
The moment you invalidate the session, you invalidate the login token (an attribute stored on the session) and actually log out the user...
If you want to ensure that the current login goes on with a session never used before, close (invalidate) the session before login!
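One way to apply the answer's ordering in a servlet login handler, as an added example (not code from the question, the answer or any specific framework): copy out whatever the application wants to keep, invalidate the pre-login session, create the fresh one, and only then store the login token on it. The attribute name `loginToken` and the helper names are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionRotation {

    // Attribute under which the login token is stored; the name is an assumption.
    private static final String LOGIN_TOKEN_ATTR = "loginToken";

    /**
     * Rotate the session id at login time.
     *
     * Order matters: values the application wants to keep (for example a CSRF
     * token or a "return to" URL) are copied out of the pre-login session, that
     * session is invalidated, a brand-new session is created, and only then is
     * the login token written. Writing the token first and invalidating
     * afterwards (the order in the question) discards the token together with
     * the old session, which is why the next click redirected to the login page.
     */
    public static HttpSession loginWithFreshSession(HttpServletRequest req,
                                                    String loginToken,
                                                    String... attributesToKeep) {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            for (String name : attributesToKeep) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    carried.put(name, value);
                }
            }
            old.invalidate(); // the pre-login id is now dead on the server side
        }
        HttpSession fresh = req.getSession(true); // new id, new Set-Cookie header
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(LOGIN_TOKEN_ATTR, loginToken);
        return fresh;
    }

    /** Server-side check for protected pages: is a login token present on the session? */
    public static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        return s != null && s.getAttribute(LOGIN_TOKEN_ATTR) != null;
    }
}
```

On Servlet 3.1 or later, `req.changeSessionId()` rotates the id while keeping the session's attributes, so the copy-out step above is not needed there.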