解决 JBoss 中的会话固定问题 [英] Resolving Session Fixation in JBoss

问题描述

我需要防止 Session Fixation，一种特殊类型的会话劫持，在在 JBoss 中运行的 Java Web 应用程序.但是，似乎标准的习惯用法 在 JBoss 中不起作用.这可以解决吗?

I need to prevent Session Fixation, a particular type of session hijacking, in a Java web application running in JBoss. However, it appears that the standard idiom doesn't work in JBoss. Can this be worked around?

推荐答案

这个缺陷(在此处)指出了解决方法.在 JBoss 中运行的 Tomcat 实例配置为 emptySessionPath="true"，而不是默认的 "false".这可以在 .../deploy/jboss-web.deployer/server.xml 中修改；HTTP 和 AJP 连接器都有这个选项.

This defect (found here) points the way to the solution. The Tomcat instance that runs in JBoss is configured with emptySessionPath="true", rather than "false", which is the default. This can be modified in .../deploy/jboss-web.deployer/server.xml; both the HTTP and AJP connectors have this option.

该功能本身用于消除上下文路径(例如，http://example.com/中的foo"foo) 被包含在 JSESSIONID cookie 中.将其设置为 false 将破坏依赖于跨应用程序身份验证的应用程序，其中包括使用某些门户框架构建的内容.然而，它并没有对相关应用程序产生负面影响.

The feature itself is used to eliminate the context path (eg. "foo" in http://example.com/foo) from being included in the JSESSIONID cookie. Setting it to false will break applications that rely on cross-application authentication, which includes stuff built using some portal frameworks. It didn't negatively affect the application in question, however.

这篇关于解决 JBoss 中的会话固定问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！