How to prevent tomcat session hijacking?

既然无缘 2021-01-31 21:00

In my web.xml I've defined a user-data-constraint for some resources:

3 answers
    小蘑菇 (original poster)
    2021-01-31 21:35

    I suggest changing the sessionId when you authenticate the session.
    In this way the old sessionId becomes useless and session hijacking is impossible.
    To change the sessionId in a servlet container:

    • copy all the attributes of the current session on a temp collection
    • session.invalidate()
    • session = req.getSession(true)
    • fill the new session with the attributes from the temp collection

    About SSLID, please note that both client and server are free to close the connection at any time. When it is closed, a new SSL handshake will happen and a new SSLID is generated. So, IMO SSLID is not a reliable way to track (or help to track) sessions.
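The four-step procedure in the answer above, written out as an added example for a Servlet-API login servlet. This is illustration code, not code from the question or the answer: the class name `LoginServlet`, the parameter names `username` and `password`, the `/home` redirect target and the abstract `credentialsValid` hook are all assumptions the application would replace with its own.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: issue a brand-new session ID at the moment of authentication,
 * so that a session ID obtained by an attacker before login (fixation, or
 * sniffing of the pre-login cookie) no longer maps to the authenticated session.
 */
public abstract class LoginServlet extends HttpServlet {

    /** Hypothetical hook: the application checks the credentials against its own realm. */
    protected abstract boolean credentialsValid(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");     // assumed form field names
        String password = req.getParameter("password");

        if (user == null || password == null || !credentialsValid(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Regenerate BEFORE storing any authenticated state in the session.
        HttpSession session = regenerateSession(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home"); // assumed landing page
    }

    /**
     * The answer's four steps:
     *  1. copy all attributes of the current session into a temporary collection
     *  2. session.invalidate()
     *  3. session = req.getSession(true)
     *  4. fill the new session from the temporary collection
     */
    static HttpSession regenerateSession(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<>();

        HttpSession old = req.getSession(false);   // do not create one just to destroy it
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();                        // old ID is now rejected by the container
        }

        HttpSession fresh = req.getSession(true);    // container issues a new ID and Set-Cookie
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

On a Servlet 3.1 container (Tomcat 8 and later) the same effect is available in one call, `req.changeSessionId()`, which keeps the session object and its attributes and only swaps the identifier; Tomcat's own authenticator valves also do this for container-managed login. Two practical caveats: decide deliberately which pre-login attributes deserve to survive the copy (a "return-to" URL usually does, a pre-authentication marker or an anti-CSRF token tied to the old session usually should not), and pair the regeneration with `Secure` and `HttpOnly` on the session cookie (settable through `<session-config><cookie-config>` in web.xml on Servlet 3.0+) so the fresh ID is not exposed over plain HTTP or to page scripts.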
