Java secure session


Problem description


Whenever you authenticate, your application should change the session identifier it uses. This helps to prevent someone from setting up a session, copying the session identifier, and then tricking a user into using the session. Because the attacker already knows the session identifier, they can use it to access the session after the user logs in, giving them full access. This attack has been called "session fixation" among other things. How can I change the session ID once the user logs in to the system?

Recommended answer


You're still on the server while you invalidate the session.

// Imports needed by this snippet (the original omitted them); `request` is the
// current HttpServletRequest and UserProfile is the application's own class.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Get the data you want to keep out of the session before invalidating it.
HttpSession currentSession = request.getSession(true);
UserProfile userProfile = (UserProfile) currentSession.getAttribute("userProfile");

// Now invalidate it: the old session ID (the one an attacker may have fixed) stops being valid.
currentSession.invalidate();

// Get a new session, which carries a fresh ID, and put the data back in.
HttpSession newSession = request.getSession(true);
newSession.setAttribute("userProfile", userProfile);
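The invalidate-and-recreate pattern from the answer, carried through into a complete login servlet as an added example (not code from the original answer). It generalises the single-attribute copy to an explicit list of attribute names worth keeping, so anything else planted in the pre-login session is dropped; `authenticate` is a hypothetical hook the application supplies, and `/home` is an assumed post-login URL. On a Servlet 3.1+ container, `request.changeSessionId()` achieves the same ID rotation without rebuilding the session.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public abstract class LoginServlet extends HttpServlet {

    // Hypothetical hook: the application's real credential check goes here.
    protected abstract boolean authenticate(String username, String password);

    // Rotate the session ID after authentication. Only the named attributes
    // survive; the old session (and any ID an attacker may have fixed in the
    // user's browser beforehand) is invalidated before the new one is created.
    static HttpSession rotateSession(HttpServletRequest request, String... keepNames) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            for (String name : keepNames) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    keep.put(name, value);
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // new ID issued here
        keep.forEach(fresh::setAttribute);
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (!authenticate(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Keep the pre-login shopping cart, drop everything else.
        HttpSession session = rotateSession(request, "cart");
        session.setAttribute("authenticatedUser", username);
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```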

