如何从document.execCommand(“ ClearAuthenticationCache”)保护我的JSESSIONID? [英] How to protect my JSESSIONID from document.execCommand(“ClearAuthenticationCache”)?
问题描述
This might be a duplicate of this question, but the solution proposed isn't viable for us: Protect against 3rd party callers of document.execCommand("ClearAuthenticationCache")? Clears our session cookies
长话短说:IE有一种使用JavaScript清除会话cookie的方法- document.execCommand( ClearAuthenticationCache )。它用于包括Outlook Web App(可能还有许多其他)在内的各种Web应用程序中。问题在于,MS凭着无限的智慧决定该命令应清除所有打开的站点的会话Cookie (您能告诉我我有点苦,我花了几个月的时间才找到随机丢失的JSESSIONID的来源) 。
Long story short: IE has a way to clear session cookies using JavaScript - document.execCommand("ClearAuthenticationCache"). This is used in a variety of web apps including Outlook Web App (and presumably many others). Problem is MS in their infinite wisdom decided that this command should clear session cookies for all open sites (can you tell I'm a little bitter, it took me months to find the source of randomly missing JSESSIONIDs).
我们使用JSESSIONID以及另一个令牌来确保用户已通过身份验证。 JSESSIONID是安全和 httpOnly 。除非第三方将JSESSIONID清除掉,否则此方法效果很好。所以我的问题分为两部分:
We use JSESSIONID as well as another token to make sure the user is authenticated. The JSESSIONID is secure and httpOnly. This works well except when the JSESSIONID is wiped out by a third party. So my question is in two parts:
-
有没有一种方法可以保护会话cookie免受这种干扰(假设任何涉及客户端配置(例如固定或注册表黑客攻击)是不可选项)?
Is there a way I can protect my session cookies from this (let's assume anything involving client side configuration, such as pinning or registry hacks, is a non-option)?
如果没有,是否有办法让我从此安全地恢复?由于JSESSIONID是httpOnly,因此浏览器应该无法读取它,但是也许有些事情我并未考虑。
If not, is there a way for me to securely recover from this? Since the JSESSIONID is httpOnly, the browser shouldn't be able to read it, but maybe there is something I'm not thinking off.
如果相关:我们将Tomcat 7用作我们的Web服务器。该应用程序是一个相当复杂的SaaS应用程序,安全性也非常重要。
If relevant: we use Tomcat 7 as our webserver. The app is a fairly complex SaaS app, and security is fairly important.
谢谢。
推荐答案
我相信以下两个选项之一可以保护servlet会话免受 document.execCommand( ClearAuthenticationCache):
I believe either of the following options would work to protect servlet sessions from document.execCommand("ClearAuthenticationCache"):
您可以设置最大年龄 web.xml中的JSESSIONID 。这样,您的JSESSIONID cookie将不再是会话cookie!这将使您的Web应用程序的安全性稍差一些,因为cookie在关闭浏览器后仍将继续存在。
You could set the max-age of your JSESSIONID in your web.xml. That way your JSESSIONID cookie would no longer be a session cookie! This would make your web application slightly less secure as the cookie would still survive after the browser is closed.
您可以完全放弃HTTP cookie,而将Tomcat配置为使用SSL会话ID进行会话跟踪。我从来没有亲自配置过它,但是我想这比使用JSESSIONID cookie更安全。但是,在此配置中无法进行会话复制。
You could abandon HTTP cookies altogether and configure Tomcat to do session tracking with the SSL session ID. I've never actually configured it myself, but I would guess that this is more secure than using JSESSIONID cookies. However, session replication is not possible in this configuration.
这篇关于如何从document.execCommand(“ ClearAuthenticationCache”)保护我的JSESSIONID?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
