Session Hijacking Prevention in Java (Struts 2.0) | Error Encountered
Problem description
I'm developing an application in Java which seems to have a session hijacking vulnerability.
In order to prevent this, the recommendation is to change the JSESSIONID for a user after login.
My application is based on Struts 2.0 and Tomcat 7, and I have implemented code to change the JSESSIONID after the user logs in.
However, I am facing the following problem while running the code.
java.lang.IllegalStateException: setAttribute: Session already invalidated
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1289)
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1254)
at org.apache.catalina.session.StandardSessionFacade.setAttribute (StandardSessionFacade.java:130)
at org.apache.struts2.dispatcher.SessionMap.put(SessionMap.java:181)
This is the code I wrote:
// imports needed by this snippet (placed at the top of the action class)
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;

HttpSession httpSession = ServletActionContext.getRequest().getSession();
HashMap<String, Object> attributes = new HashMap<String, Object>();
// Servlet 3.0 (Tomcat 7) returns Enumeration<String> here
Enumeration<String> enames = httpSession.getAttributeNames();
while ( enames.hasMoreElements() )
{
    String name = enames.nextElement();
    if ( !name.equals( "JSESSIONID" ) )
    {
        attributes.put( name, httpSession.getAttribute( name ) );
    }
}
httpSession.invalidate();
// 'request' was undeclared in the original; the request comes from the action context
httpSession = ServletActionContext.getRequest().getSession( true );
// userInfoMap is the Map injected via SessionAware; it still wraps the invalidated
// session, so this put() is where "setAttribute: Session already invalidated" is thrown
for ( Map.Entry<String, Object> et : attributes.entrySet() )
{
    userInfoMap.put( et.getKey(), et.getValue() );
}
getSession().put("userid", userId); // setting value to session (same stale map)
Recommended answer
Usually when you invalidate the session you should redirect to some action, so the new session map will be injected into it if the action implements SessionAware.
But in the code you posted you are trying to reuse the session map while it contains an old session.
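The approach the answer describes, written out as an added example (not code from the question or from the Struts project): the login action copies the attributes it wants to keep through the servlet `HttpSession` itself rather than through a `SessionAware` map bound to the old session, invalidates that session so Tomcat issues a new JSESSIONID, and then returns a redirect result so the next action is injected with a session map built on the new session. `LoginAction`, its `userId` property, the `home` action it redirects to and the authentication step are assumptions for illustration.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.interceptor.ServletRequestAware;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Hypothetical login action: renews the session id after a successful login,
 * then redirects so that the following action receives a fresh session map.
 */
public class LoginAction extends ActionSupport implements ServletRequestAware {

    private HttpServletRequest request;
    private String userId; // bound from the login form (assumed property)

    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    @Override
    public String execute() {
        // Authentication of userId/password happens here (assumed); return INPUT on failure.

        HttpSession oldSession = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (oldSession != null) {
            // Keep pre-login attributes worth carrying over (locale, CSRF token, ...).
            // JSESSIONID is a cookie, not a session attribute, so no filtering is needed.
            Enumeration<String> names = oldSession.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, oldSession.getAttribute(name));
            }
            // Discard the session whose id may already be known to an attacker.
            oldSession.invalidate();
        }

        // Tomcat creates a new session and sends a new JSESSIONID cookie with the response.
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }
        // Write through the new HttpSession, never through a Map that wrapped the old one.
        newSession.setAttribute("userid", userId);

        // struts.xml (assumed): <result name="success" type="redirect">/home.action</result>
        // The redirected request carries the new cookie, and a SessionAware action
        // handling it is injected with a session map for the new session.
        return SUCCESS;
    }

    public void setUserId(String userId) {
        this.userId = userId;
    }
}
```

Because the redirect is a second HTTP round trip, the client must present the new JSESSIONID before any further session writes, which is exactly the ordering the original code lacked: it wrote into a `SessionAware` map that had been created for the request before `invalidate()` was called.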