Java: session ID re-used after call to invalidate

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must comply with the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/6824724/

Time: 2020-10-30 17:25:34  Source: igfitidea

Session ID re-used after call to invalidate

java, jsp, httpsession, jrun

Asked by Phil

I've inherited a pretty ancient JSP application (JDK 1.3.1_15) and am attempting to plug a session fixation hole.

I'm successfully invalidating the current session after authentication using HttpSession.invalidate(), however when the new session is created, the old session ID is re-used.

<%
// login.jsp
if (authenticated) {
    request.getSession().invalidate();

    // create new session and store data
    HttpSession session = request.getSession();
    session.putValue(...);
    // etc

    response.sendRedirect("logged-in.jsp");
    return;
}
%>

I can see the new session assignment in my HTTP monitor, it's just using the same number again.

-- Initial request response --
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/

-- login.jsp request response --
HTTP/1.1 302 Moved Temporarily
Location: http://example.com/logged-in.jsp
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/

Prior to me using session.invalidate(), the second Set-Cookie response header was not present at all.

Does anybody have any advice on how to generate a new session ID? I'm not very familiar with JRUN4 but trawling through the configuration documentation hasn't turned up anything.

Accepted answer by laz

To work around this, you can use a second non-persistent cookie to act as a session id that you can control the value of. The idea is to generate a unique id and store it in both the cookie and the session. Implement the same logic with this cookie that you are attempting to do with the session through using invalidate. Specifically, don't issue the actual identifier that will be accepted for future requests until authentication is successful. Then create a Servlet Filter that checks each request and matches the value of this new cookie to the value stored in the session. If they don't match, something nefarious is going on. I know it is a bit more cumbersome than just relying on session.invalidate() to issue a new id. But given your constraints and JRun's behavior, this will provide sufficient protection against session fixation.

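
The scheme from the accepted answer written out as a Servlet Filter, as an added example (not code from the question, the answer, or JRun); it assumes the Servlet 2.3+ javax.servlet Filter API, and the cookie name AUTHTOKEN, the session attribute authToken and the method issueToken are hypothetical names chosen here.

```java
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example of the scheme from the accepted answer (not code from the question or JRun).
// Assumes the Servlet 2.3+ Filter API; cookie and attribute names are hypothetical.
public class AuthTokenFilter implements Filter {
    static final String COOKIE = "AUTHTOKEN";
    static final String ATTR = "authToken";
    private static final SecureRandom RNG = new SecureRandom();

    // Call only after authentication succeeds: the identifier that future requests
    // must present is issued here, not at session creation, so a pre-login value is worthless.
    public static void issueToken(HttpServletRequest req, HttpServletResponse resp) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuffer hex = new StringBuffer();
        for (int i = 0; i < raw.length; i++)
            hex.append(Integer.toHexString((raw[i] & 0xff) | 0x100).substring(1));
        String token = hex.toString();
        req.getSession().setAttribute(ATTR, token);
        Cookie c = new Cookie(COOKIE, token);
        c.setMaxAge(-1);   // non-persistent: dropped when the browser closes
        c.setPath("/");
        resp.addCookie(c);
    }
    // On every request, a session that claims to be authenticated must be accompanied
    // by the matching cookie; a mismatch means the session is not trusted and is dropped.
    public void doFilter(ServletRequest r, ServletResponse s, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) r;
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(ATTR);
        if (expected != null && !expected.equals(cookieValue(req))) {
            session.invalidate();
            ((HttpServletResponse) s).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(r, s);
    }
    private static String cookieValue(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++)
            if (COOKIE.equals(cookies[i].getName())) return cookies[i].getValue();
        return null;
    }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

login.jsp would call AuthTokenFilter.issueToken(request, response) in place of the invalidate/recreate sequence, and the filter is mapped to the protected URLs in web.xml.
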
Answer by hoipolloi

From Section 7.3 of the Java Servlet 3.0 specification, you can see that:

HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.

It's a really terrible idea, but I wonder if the JSESSIONID cookie is simply re-used and the actual session context destroyed. Can you still access state (i.e. attributes) of the invalidated session?