Session Hijacking Prevention in Java (Struts 2.0) | Error Encountered


Problem description

I'm developing an application in Java which seems to have a session hijacking vulnerability.

In order to prevent this, the recommendation is to change the JSESSIONID for a user after log in.

My application is based on Struts 2.0 and Tomcat 7, and I have implemented code to change the JSESSIONID after the user logs in.

However, I am facing the following problem while running the code.

java.lang.IllegalStateException: setAttribute: Session already invalidated
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1289)
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1254)
    at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
    at org.apache.struts2.dispatcher.SessionMap.put(SessionMap.java:181)

Here is the code I wrote:

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;

// Copy the current session's attributes, invalidate it, then create a fresh session
HttpServletRequest request = ServletActionContext.getRequest();
HttpSession httpSession = request.getSession();
HashMap<String, Object> attributes = new HashMap<String, Object>();
Enumeration<String> enames = httpSession.getAttributeNames();
while (enames.hasMoreElements()) {
    String name = enames.nextElement();
    if (!name.equals("JSESSIONID")) {
        attributes.put(name, httpSession.getAttribute(name));
    }
}
httpSession.invalidate();               // the old session is unusable from here on
httpSession = request.getSession(true); // the container issues a new JSESSIONID
for (Map.Entry<String, Object> et : attributes.entrySet()) {
    userInfoMap.put(et.getKey(), et.getValue()); // userInfoMap: action field not shown in the post
}
// getSession() returns the SessionMap injected via SessionAware; it still wraps the
// invalidated session, so this put() is the SessionMap.put in the stack trace above
getSession().put("userid", userId); // Setting value to session

Recommended answer

Usually when you invalidate the session you should redirect to some action, so the new session map will be injected into it if the action implements SessionAware.

But in the code you posted you are trying to reuse the session map while it contains an old session.
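One way to structure the login action so the stale SessionMap is never touched, as an added example that is neither the asker's nor the answerer's code: it assumes a Struts 2 action whose "success" result is configured as a redirectAction in struts.xml, and a hypothetical authenticate() check supplied by a subclass.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionSupport;

// Hypothetical login action: rotates the session ID after a successful login and
// returns a redirect so the next action receives a SessionMap for the new session.
public abstract class LoginAction extends ActionSupport {
    private String username;
    private String password;
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }

    // The credential check is out of scope here; a concrete subclass supplies it.
    protected abstract boolean authenticate(String user, String pass);

    @Override
    public String execute() {
        if (!authenticate(username, password)) {
            return INPUT;
        }
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession oldSession = request.getSession(false);
        // 1. Copy the attributes that should survive the rotation.
        Map<String, Object> carried = new HashMap<String, Object>();
        if (oldSession != null) {
            Enumeration<String> names = oldSession.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, oldSession.getAttribute(name));
            }
            // 2. Invalidate: the pre-login JSESSIONID stops being accepted.
            oldSession.invalidate();
        }
        // 3. Create the replacement session and write through the servlet API,
        //    not through the SessionMap injected via SessionAware, which still
        //    wraps the invalidated session (the cause of the exception above).
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }
        newSession.setAttribute("userid", username);
        // 4. Redirect: with "success" mapped to a redirectAction result, the target
        //    action is injected with a SessionMap bound to the new session.
        return SUCCESS;
    }
}
```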
