how to refresh JSESSIONID cookie after login

Front-end | Unresolved | 10 | 1534
我在风中等你 2021-01-30 17:41

A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomc

10 replies
  •  耶瑟儿~
    2021-01-30 18:18

    You will not refresh after but just before. When executing the login action first do:

    HttpSession session = request.getSession(false); // do not create one if none exists
    if (session!=null && !session.isNew()) {
        session.invalidate(); // discard the pre-login session and its JSESSIONID
    }
    

    Then do:

    HttpSession session = request.getSession(true); // create the session
    // do the login (store the user in the session, or whatever)
    

    FYI what you are solving with this trick is http://www.owasp.org/index.php/Session_Fixation

    Lastly you can disable automatic session creation and only create the session when you really need it. If you use JSP you do that by:

    <%@page contentType="text/html"
            pageEncoding="UTF-8"
            session="false"%>
    
