How to reset JSESSIONID


Problem description

It is considered a good security practice to reset the session cookie when a user authenticates.

How to do this with Java?

My attempt so far is successful, but I was wondering if there's a better way:

public static HttpSession resetSessionId(HttpSession session, 
      HttpServletRequest request) {
    session.invalidate();
    session = request.getSession(true);
    return session;
}

Recommended answer

Your answer seems optimal. Another way would be to directly manipulate cookies in this fashion:

 Cookie cookie = new Cookie ("JSESSIONID", "randomValue");
 cookie.setMaxAge( 0 );

so you create a new cookie with the same name and immediately expire it, but I don't recommend going this way since yours is much cleaner and pretty obvious to anyone who's familiar with basic Servlet APIs.
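
An added example, not part of the original question or answer: two ways to rotate the session ID at login so that an ID issued before authentication cannot be reused afterwards. The class and method names are hypothetical, and the `javax.servlet` package is an assumption (newer containers use `jakarta.servlet`).

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (names are assumptions) for rotating the session ID at login. */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Servlet 3.1+: the container assigns a new ID to the existing
     * HttpSession, so attributes survive without copying.
     */
    public static String rotateInPlace(HttpServletRequest request) {
        // changeSessionId() throws IllegalStateException if no session exists yet
        request.getSession(true);
        return request.changeSessionId(); // returns the new session ID
    }

    /**
     * Older containers: invalidate and recreate, as in the question, but
     * carry the existing attributes over to the new session.
     */
    public static HttpSession rotateByInvalidate(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<>();
        HttpSession old = request.getSession(false); // do not create one just to destroy it
        if (old != null) {
            // Copies everything; restrict this to the attributes the
            // post-login session really needs if pre-login state is untrusted.
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the old ID is no longer valid on the server
        }
        HttpSession fresh = request.getSession(true); // container issues a new JSESSIONID
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call either method immediately after the credentials are verified and before the authenticated user is stored in the session.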
