问题
As we know Spring Security is providing JSESSIONID in cookie, based session management solution,it is allowing sharing same JSESSIONID information across multiple tabs of same browser.
As per OWASP guideline, It should not share.
Is there any way to disable this sharing in spring security?
回答1:
My first idea was "It is not really possible to prevent the browser from doing so."
But then I found this
You can use HTML5 SessionStorage (window.sessionStorage). You will generate a random id and save in session Storage per Browser Tab. Then each browser tab has his own Id. https://stackoverflow.com/a/11783754/280244
I hope this helps you to find a solution.
来源:https://stackoverflow.com/questions/19065750/spring-security-how-to-disable-same-session-sharing-across-multiple-tabs-of-sa