Session id should be regenerated after logging in.


Problem description

I have one requirement in which the session id should be invalidated after login and a new session id should be regenerated,

like this: the pre-login cookie and the post-login cookie should not be the same, and the post-login cookie should be validated on the server side.



What I have tried:

I used this piece of code to invalidate the session:

HttpSession old = req.getSession(false); // null when the request carries no valid session
if (old != null) {
    old.invalidate();                    // drop the pre-login session and everything stored on it
}
req.getSession(true);                    // create a fresh session, which gets a new JSESSIONID
I am able to change the session id, but it logs out. I tested the same scenario using the Burp tool suite. I got these results:

While logging in:

Cookie: navi=1-1-0-; SOSESSIONID=pxtc730f4259; SSO_ID=4419102748602016135; CSSOSESSIONID=20971435-a754-43d5-aa56-7083e2dba55b; JSESSIONID=jpofvmzlses2
Connection: close
Upgrade-Insecure-Requests: 1

After login:

Cookie: SSO_ID=; navi=1-1-0-; SOSESSIONID=ssnuqpjpal2i; SSO_ID=323568307087821651; CSSOSESSIONID=20971435-a754-43d5-aa56-7083e2dba55b; JSESSIONID=jpofvmzlses2
Connection: close

But after that, if I click anything in the GUI, I am redirected to the login page.

Can you please help me with how to regenerate the session id after login, so that the same id does not continue throughout?

Solution

The moment you invalidate the session, you invalidate the login token (an attribute stored on the session) and actually log out the user...
If you want to ensure that the current login will go on a session never used before, close (invalidate) the session before login!...
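The ordering the answer describes, as an added example that is not part of the original answer or the asker's application: the pre-login session is invalidated first, the credentials are checked, and the login token is stored only on the newly created session. The class name, the `authenticate` method and the `AUTH_USER` attribute name are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed example login handler (not code from the question or the answer).
public class LoginServlet extends HttpServlet {

    // Assumed name of the session attribute that acts as the login token.
    static final String AUTH_USER = "authUser";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        // Step 1: discard the pre-login session BEFORE anything about this
        // login is stored. It holds no login token yet, so nothing is lost.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // Step 2: check the credentials (assumed placeholder method below).
        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Step 3: the login token goes only onto the NEW session, so the
        // JSESSIONID the browser sent before login never becomes authenticated.
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(AUTH_USER, user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Assumed placeholder: a real implementation verifies the password
    // against the user store; this stub only checks that values were sent.
    private boolean authenticate(String user, String pass) {
        return user != null && !user.isEmpty() && pass != null && !pass.isEmpty();
    }
}
```

On Servlet 3.1 or later containers, `req.changeSessionId()` rotates the id while keeping the session's attributes, which is an alternative when the login token has already been stored before the rotation point.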

