Resolving Session Fixation in JBoss


Question


I need to prevent Session Fixation, a particular type of session hijacking, in a Java web application running in JBoss. However, it appears that the standard idiom doesn't work in JBoss. Can this be worked around?

Recommended answer


This defect (found here) points the way to the solution. The Tomcat instance that runs in JBoss is configured with emptySessionPath="true", rather than "false", which is the default. This can be modified in .../deploy/jboss-web.deployer/server.xml; both the HTTP and AJP connectors have this option.


The feature itself is used to eliminate the context path (e.g. "foo" in http://example.com/foo) from being included in the JSESSIONID cookie. Setting it to false will break applications that rely on cross-application authentication, which includes stuff built using some portal frameworks. It didn't negatively affect the application in question, however.
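The "standard idiom" the question refers to is to invalidate the pre-login session and start a fresh one once credentials are verified, so an identifier planted before login is never promoted to an authenticated session. The following is an added example, not code from the question or the answer: a hypothetical login servlet that applies that idiom and verifies the identifier actually changed, which is the cheapest way to confirm the defence took effect on a given container configuration (`authenticate` is a placeholder for the application's own credential check).

```java
import java.io.IOException;
import java.util.Collections;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (constructed for this example).
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Placeholder for the application's real credential check.
        if (!authenticate(req.getParameter("user"), req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate the session id before storing anything that marks the user as logged in.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("user", req.getParameter("user"));
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Invalidates the current session (if any) and returns a replacement.
     * Non-sensitive attributes are carried over; the id must differ, otherwise the
     * container did not honour the rotation. The answer above attributes that outcome
     * on JBoss to emptySessionPath="true" on the Tomcat HTTP/AJP connectors, which is
     * fixed in server.xml rather than in application code.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        String oldId = null;
        java.util.Map<String, Object> carried = new java.util.HashMap<String, Object>();
        if (old != null) {
            oldId = old.getId();
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        if (fresh.getId().equals(oldId)) {
            throw new IllegalStateException(
                "session id was not rotated; check emptySessionPath on the connector");
        }
        for (java.util.Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    private boolean authenticate(String user, String password) {
        return user != null && password != null; // placeholder only
    }
}
```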

