Java: how to reset JSESSIONID
Note: this page is a Chinese-English translation of a popular StackOverflow question, released under the CC BY-SA 4.0 license. If you use it you must comply with the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverflow
原文地址: http://stackoverflow.com/questions/4836106/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to reset JSESSIONID
Asked by Bozho
It is considered a good security practice to reset the session cookie when a user authenticates.
How to do this with Java?
My attempt so far is successful, but I was wondering if there's a better way:
    public static HttpSession resetSessionId(HttpSession session,
                                             HttpServletRequest request) {
        session.invalidate();
        session = request.getSession(true);
        return session;
    }
Accepted answer by darioo
Your answer seems optimal. Another way would be to directly manipulate cookies in this fashion:
    Cookie cookie = new Cookie("JSESSIONID", "randomValue");
    cookie.setMaxAge(0);
    // the expired cookie only takes effect once it is written to the response
    response.addCookie(cookie);
so you create a new cookie with the same name and immediately expire it, but I don't recommend going this way since yours is much cleaner and pretty obvious to anyone who's familiar with basic Servlet APIs.
Answer by cherouvim
I only pass the request from which I get the session. If a session doesn't yet exist there is no point in creating one just to invalidate it. This also holds if the session has just been created by the container (due to the user's first HTTP request directly on the login form).
    public static ... (HttpServletRequest request) {
        // getSession(false) never creates a session, so nothing is invalidated needlessly
        HttpSession session = request.getSession(false);
        if (session != null && !session.isNew()) {
            session.invalidate();
        }
    }
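A fuller version of the invalidate-and-recreate approach from the question and cherouvim's answer, as an added example that is not from the original posts: it carries pre-login attributes across the rotation and stores the authenticated principal only in the new session. The class name, the method name `rotateOnLogin` and the `authenticatedUser` attribute name are assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionRotation {

    private SessionRotation() {}

    // Attribute name is an assumption for this example, not a Servlet API constant.
    private static final String USER_ATTR = "authenticatedUser";

    /**
     * Call after the credentials have been verified and before the response is
     * committed (the new JSESSIONID cookie must still fit in the headers).
     * Returns the session that now carries the freshly generated id.
     */
    public static HttpSession rotateOnLogin(HttpServletRequest request, String principal) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            // Copy attributes created before login (CSRF token, shopping cart, ...)
            // so that only the id changes, not the user's pre-login state.
            for (String name : Collections.list(old.getAttributeNames())) {
                keep.put(name, old.getAttribute(name));
            }
            // Dropping the old id is what defeats a fixated session.
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // Authenticated state is written only to the session with the new id.
        fresh.setAttribute(USER_ATTR, principal);
        return fresh;
    }
}
```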
Answer by MartinGrotzke
Tomcat (since 6.0.24 AFAIK) can change the sessionId on authentication automatically - as long as you're using standard servlet authentication mechanisms (basic, form based authentication). This can be configured via changeSessionIdOnAuthentication for the Basic Authenticator Valve: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
Answer by Ritesh
Another way (not the better way) is to call 'changeSessionId(existingSession)' of org.apache.catalina.session.StandardManager, which will change the session ID of the current session to a new randomly generated session ID.
You have to use the StandardManager MBean to invoke that method. Please see Tomcat MBeans
Pseudo code:
    // javax.management: look up the web application's Manager MBean and invoke changeSessionId on it
    MBeanServer mbeanServer = ManagementFactory.getPlatformMBeanServer();
    ObjectName contextObjectName = new ObjectName("Catalina:type=Manager,path=/whatever,host=whateverhost");
    // both calls throw checked JMException subclasses; handle or declare them
    mbeanServer.invoke(contextObjectName, "changeSessionId", new Object[]{session}, new String[]{"javax.servlet.http.HttpSession"});