登录后如何刷新JSESSIONID cookie [英] how to refresh JSESSIONID cookie after login
问题描述
我正在研究的产品受到了潜在客户的严格安全审核,他们对Tomcat在身份验证发生之前设置JSESSIONID cookie感到不安.也就是说,Tomcat会在我们的无状态登录页面加载时但在登录之前设置此cookie.
A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomcat sets this cookie when our stateless Login Page loads, but before login.
他们建议以下任一项:
- 登录后发出新的JSESSIONID cookie
- 防止在登录页面的第一位(即在身份验证发生之前)设置JSESSIONID cookie
我已经仔细研究了此站点上与JSESSIONID相关的所有内容,但找不到简单的答案.我只是希望一些想法.我为每个人提供的最佳解决方案是:
I have been poring through everything JSESSIONID-related on this site and can find no easy answer. I'm just hoping for some ideas. My best solutions for each are:
- 登录后,立即通过复制所有属性,使旧会话无效,创建新会话,复制值,将其与请求相关联并希望其工作,来克隆会话(减去ID).
- 在链的最末端创建一个Servlet过滤器,该过滤器会在最初加载登录页面"之前剥离JSESSIONID cookie.然后希望在没有设置JSESSIONID的情况下完成登录请求.
我必须先入睡,但早上要尝试一下.从比我聪明得多的人那里得到一些反馈或更好的建议,就像您一样!
I've got to get some sleep, but will be attempting these in the morning. It would be awesome to get some feedback or better suggestions from people much smarter than myself -- like you!
无论如何,我将结果发布在这里,因为似乎很多其他人都想做类似的事情.
Regardless, I'll post my results here because it seems like a lot of other people have been wanting to do something similar.
推荐答案
您不会在刷新之后而是之前刷新.首先执行登录操作时,请执行以下操作:
You will not refresh after but just before. When executing the login action first do:
HttpSession session = request.getSession(false);
if (session!=null && !session.isNew()) {
session.invalidate();
}
然后做:
HttpSession session = request.getSession(true); // create the session
// do the login (store the user in the session, or whatever)
仅供参考,使用此技巧可以解决的问题是 http://www.owasp.org/index .php/Session_Fixation
FYI what you are solving with this trick is http://www.owasp.org/index.php/Session_Fixation
最后,您可以禁用自动会话创建,仅在真正需要时才创建会话.如果您使用JSP,则可以通过以下方式进行操作:
Lastly you can disable automatic session creation and only create the session when you really need it. If you use JSP you do that by:
<%@page contentType="text/html"
pageEncoding="UTF-8"
session="false"%>
这篇关于登录后如何刷新JSESSIONID cookie的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
