Resolving Session Fixation in JBoss
Question
I need to prevent Session Fixation, a particular type of session hijacking, in a Java web application running in JBoss. However, it appears that the standard idiom doesn't work in JBoss. Can this be worked around?
Recommended answer
This defect (found here) points the way to the solution. The Tomcat instance that runs in JBoss is configured with emptySessionPath="true", rather than "false", which is the default. This can be modified in .../deploy/jboss-web.deployer/server.xml; both the HTTP and AJP connectors have this option.
The feature itself is used to eliminate the context path (eg. "foo" in http://example.com/foo) from being included in the JSESSIONID cookie. Setting it to false will break applications that rely on cross-application authentication, which includes stuff built using some portal frameworks. It didn't negatively affect the application in question, however.
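The fix described in the answer, as an added configuration example rather than the answer's own server.xml: a fragment of the .../deploy/jboss-web.deployer/server.xml file named above with emptySessionPath set to "false" on both connectors. The Service name, ports and protocol attributes are assumed for illustration and should be taken from the real file. The reason the usual invalidate-and-recreate idiom fails with the shipped setting is that, when emptySessionPath is true and the client presents a JSESSIONID cookie, Tomcat creates the new session with that same id instead of generating a fresh one, so a fixed id survives login.

```xml
<!-- Added example, not the page's own server.xml. Attribute values other than
     emptySessionPath (Service name, ports, protocols) are assumed. -->
<Service name="jboss.web">

  <!-- Shipped value: emptySessionPath="true". With it, the JSESSIONID cookie is
       issued with an empty path (shared by every context on the host) and a
       session id presented by the client is reused for a newly created session,
       so session.invalidate() followed by request.getSession(true) yields the
       same id and the standard fixation defence is silently defeated. -->

  <!-- Corrected: "false" is the Tomcat default. Each context gets its own
       cookie path and a freshly generated id whenever a session is created. -->
  <Connector port="8080" protocol="HTTP/1.1"
             emptySessionPath="false" />

  <!-- The AJP connector carries the same option; leave it at "true" and
       requests arriving through a front-end web server keep the weak
       behaviour even though direct HTTP requests are fixed. -->
  <Connector port="8009" protocol="AJP/1.3"
             emptySessionPath="false" />

</Service>
```

After restarting JBoss, verify the change by logging in and comparing the JSESSIONID value before and after authentication: it must differ, and the Set-Cookie header should now carry the application's context path rather than "/". As the answer notes, any application that relies on the host-wide cookie for cross-application authentication (some portal frameworks) will stop sharing sessions once the path is no longer empty, so check those deployments before rolling the setting out.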