- 浏览: 273919 次
- 性别:
- 来自: 杭州
文章分类
最新评论
-
muyufenghua:
public static <T super B> ...
浅谈Java泛型中的extends和super关键字 -
wantodare:
class Test1 {
{
a=1;
}
pr ...
Java对象初始化详解 -
wubo2qml:
问下如何进行列中数字大小的比较。我看了几个过滤器,最接近的是S ...
利用Filter进行HBase查询 -
blackproof:
rowkey是A_B我知道要的A集合,也知道要的B范围不用自定 ...
利用Filter进行HBase查询 -
bin_1715575332:
文章不错,尤其了后半部分讲解一些原理。
利用Filter进行HBase查询
jsessionid是Java Web Server(即Servlet/JSP Server)中为了防止客户端屏蔽cookie而在URL中放置的sessionid的统称。支持Servlet标准的Web容器,例如Tomcat,都支持以URL重写的方式在URL中加入jsessionid。目前在大量的网站中都有用到,但是其存在的一些问题被越来越多的人认为是有害的,并且建议不适用jsessionid。
使用jsessionid存在问题主要有一下几点:
既然存在上面的问题,我们就会想到让web容器禁用URL重写功能。不幸的是,Servlet规范并没有定义一个标准的方法来禁用URL重写jsessionid,导致很多web容器本身就不提供禁用URL重写jsessionid的方法。
The solution is to create a servlet filter which will intercept calls to HttpServletRequest.encodeURL() and skip the generation of session identifiers. This will require a servlet engine that implements the Servlet API version 2.3 or later (J2EE 1.3 for you enterprise folks). Let's start with a basic servlet filter:
We don't need to be concerned with the init() and destroy() methods; let's focus on doFilter(). First, let's exit quickly if for some reason the current request is non-HTTP, and cast the request and response objects to their HTTP-specific equivalents:
Next, let's invalidate any sessions that are backed by a URL-encoded session id. This prevents an attacker from generating a valid link. Just because we won't be generating session-encoded links doesn't mean someone else won't try:
To disable the default URL-encoding functionality, we need to wrap the existing HttpServletResponse object. Fortunately, the Servlet API provides just such a class ready-made in HttpServletResponseWrapper. We could subclass it to provide our own handling, but this is a trivial enough change that an anonymous inner class will do nicely:
You may notice that we have overridden four methods, not one. encodeRedirectURL is used to encode redirected URLs, which can sometimes require different logic to determine if session identifiers are required. The other two methods are deprecated, but are included here for completeness.
Finally, we need to pass the original request and our response wrapper to the next filter in the chain:
Our servlet filter is now written, but we still need to tell our servlet container about it. For this, we need to add the following to web.xml:
This registers our filter with the servlet container, and maps it to all requests. For best results, the filter mapping should be placed above any other filter mappings to prevent any calls to encodeURL from slipping through.
代码见附件
Update: http://boncey.org/2007_1_8_purging_jsessionid This site offers some additional advice using mod_rewrite.
原文:http://randomcoder.com/articles/jsessionid-considered-harmful
Improved Session Tracking:http://www.mojavelinux.com/blog/archives/2006/09/improved_session_tracking/
使用jsessionid存在问题主要有一下几点:
- Every link on your site needs manual intervention Cookieless sessions are achieved in Java by appending a string of the format ;jsessionid=SESSION_IDENTIFIER to the end of a URL. To do this, all links emitted by your website need to be passed through either HttpServletRequest.encodeURL(), either directly or through mechanisms such as the JSTL <c:out /> tag. Failure to do this for even a single link can result in your users losing their session forever.
- Using URL-encoded sessions can damage your search engine placement To prevent abuse, search engines such as Google associate web content with a single URL, and penalize sites which have identical content reachable from multiple, unique URLs. Because a URL-encoded session is unique per visit, multiple visits by the same search engine bot will return identical content with different URLs. This is not an uncommon problem; a test search for ;jsessionid in URLs returned around 79 million search results.
- It's a security risk Because the session identifier is included in the URL, an attacker could potentially impersonate a victim by getting the victim to follow a session-encoded URL to your site. If the victim logs in, the attacker is logged in as well - exposing any personal or confidential information the victim has access to. This can be mitigated somewhat by using short timeouts on sessions, but that tends to annoy legitimate users.
既然存在上面的问题,我们就会想到让web容器禁用URL重写功能。不幸的是,Servlet规范并没有定义一个标准的方法来禁用URL重写jsessionid,导致很多web容器本身就不提供禁用URL重写jsessionid的方法。
The solution is to create a servlet filter which will intercept calls to HttpServletRequest.encodeURL() and skip the generation of session identifiers. This will require a servlet engine that implements the Servlet API version 2.3 or later (J2EE 1.3 for you enterprise folks). Let's start with a basic servlet filter:
package com.randomcoder.security; import java.io.IOException; import javax.servlet.*; import javax.servlet.http.*; public class DisableUrlSessionFilter implements Filter { public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // TODO add filter logic here } public void init(FilterConfig config) throws ServletException {} public void destroy() {} }
We don't need to be concerned with the init() and destroy() methods; let's focus on doFilter(). First, let's exit quickly if for some reason the current request is non-HTTP, and cast the request and response objects to their HTTP-specific equivalents:
if (!(request instanceof HttpServletRequest)) { chain.doFilter(request, response); return; } HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response;
Next, let's invalidate any sessions that are backed by a URL-encoded session id. This prevents an attacker from generating a valid link. Just because we won't be generating session-encoded links doesn't mean someone else won't try:
if (httpRequest.isRequestedSessionIdFromURL()) { HttpSession session = httpRequest.getSession(); if (session != null) session.invalidate(); }
To disable the default URL-encoding functionality, we need to wrap the existing HttpServletResponse object. Fortunately, the Servlet API provides just such a class ready-made in HttpServletResponseWrapper. We could subclass it to provide our own handling, but this is a trivial enough change that an anonymous inner class will do nicely:
HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) { public String encodeRedirectUrl(String url) { return url; } public String encodeRedirectURL(String url) { return url; } public String encodeUrl(String url) { return url; } public String encodeURL(String url) { return url; } };
You may notice that we have overridden four methods, not one. encodeRedirectURL is used to encode redirected URLs, which can sometimes require different logic to determine if session identifiers are required. The other two methods are deprecated, but are included here for completeness.
Finally, we need to pass the original request and our response wrapper to the next filter in the chain:
chain.doFilter(request, wrappedResponse);
Our servlet filter is now written, but we still need to tell our servlet container about it. For this, we need to add the following to web.xml:
<filter> <filter-name> DisableUrlSessionFilter </filter-name> <filter-class> com.randomcoder.security.DisableUrlSessionFilter </filter-class> </filter> ... <filter-mapping> <filter-name>DisableUrlSessionFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
This registers our filter with the servlet container, and maps it to all requests. For best results, the filter mapping should be placed above any other filter mappings to prevent any calls to encodeURL from slipping through.
代码见附件
Update: http://boncey.org/2007_1_8_purging_jsessionid This site offers some additional advice using mod_rewrite.
原文:http://randomcoder.com/articles/jsessionid-considered-harmful
Improved Session Tracking:http://www.mojavelinux.com/blog/archives/2006/09/improved_session_tracking/
- jsessionid_considered_harmful.rar (2.5 KB)
- 下载次数: 30
发表评论
-
Servlet 3.0新特性
2011-03-11 13:12 1386Servlet 3.0中最主要的两个新特性总结如下: 改变了 ... -
Java中wait与notify方法的使用
2010-05-22 14:09 9498在java多线程编程中 ... -
MySql批量插入数据
2010-04-05 15:55 10681在实际的开发过程中,特别是大型的分布式应用系统,往往会涉 ... -
去掉对Spring BeanFacotry的getBean方法的依赖
2009-12-27 23:52 2744在使用Spring时,有时会碰到这种情况: 引用需要在 ... -
通过HttpServletRequestWrapper解决Tomcat请求乱码问题
2009-11-16 23:08 2310应用一:解决tomcat下中文乱码问题(先来个简单的) 在t ... -
相对路径获取Tomcat Web容器中的资源
2009-08-20 21:36 14467最近做项目碰到个问题,我需要利用velocity模版来渲染 ... -
Jboss是数据源配置
2009-08-16 15:38 2047配置Jboss的数据源非常简单,可以从$JBOSS_HOME\ ... -
Jboss 4.x 端口及其修改
2009-08-07 14:49 2862注:本文中所述内容适合于Jboss 4.x系列应用服务器。 ... -
JBOSS共享安装
2009-08-07 14:36 1951本文内容适合于Jboss 4.x系列应用服务器。 在项目中, ... -
Tomcat热部署
2009-06-24 20:33 3823使用过tomcat的人都知道 ... -
Improved Session Tracking
2009-06-24 01:23 1184Improved Session Tracking Septe ... -
tomcat数据库连接池设置
2009-06-23 16:56 14531.Tomcat中的设置 2.我的工作目录在c:\eclip ... -
ORA-12514:TNS:监听程序当前无法识别连接描述符中请求的服务
2009-06-23 16:47 26561. 首先查看tnsnames.ora ... -
webwork type等于redirect时的参数传递
2009-06-23 02:09 2167Webwork在使用result类型为redirect时,将会 ... -
js跨域问题小结
2009-06-11 15:43 1749js跨域问题小结 javascript出于安全方面的考虑,是不 ... -
Spring共享上下文机制
2009-05-19 15:53 3871对于Spring应用程序上下文的引用基本有两种形式 ... -
webwork result type之redirect&redirect-action
2009-05-09 17:49 3241可能大家都知道在webwork里面如果想重定向到另外一个 ... -
使用javascirpt获取JSON格式的日期
2009-05-08 14:00 1999在用json-lib里的net.sf.json.JSONO ... -
JQuery JSON异步请求中文乱码问题
2009-05-08 13:48 15875最近在用Jquery的getJSON方法进行AJAX异步调 ... -
webwork-2.1.7与Spring2.0整合
2009-05-03 14:00 1476这里使用随webwork2.2发布的ActionAutowir ...
相关推荐
同时,确保服务器允许客户端发送`jsessionId`,这通常默认是开启的,但如果遇到问题,可能需要检查服务器配置。 总结,Android获取和发送`jsessionId`是维持服务器会话的关键步骤。正确处理`jsessionId`可以确保...
CASClient 集群环境的 Session 问题及解决方案 本文将详细介绍 CASClient 集群环境中的 Session 问题及解决方案。CASClient 是一种开源的单点登录系统,能够提供统一的登录和注销机制。但是在集群环境中应用 CAS...
### Tomcat中修改JSessionID在Cookie中的名称 在Tomcat服务器中,默认情况下,用于传递会话标识(即JSessionID)的Cookie名称为“JSESSIONID”。有时,出于安全考虑或其他需求,我们可能需要自定义这个名称。本文将...
重定义URL 使其直接进去网页 不用登录 用于:邮件链接直接进入网站
- 如果`jsessionId`存在于URL中,则通过某种方式(可能是`invalidate`方法)使会话无效,从而达到移除URL中`jsessionId`的目的。 4. **注意点:** - 通过`invalidate`方法使会话无效时需要注意,这会导致所有与该...
【关于集群 cook 覆盖问题及解决方法】 在分布式系统和集群环境中,尤其是在使用WebLogic这样的企业级应用服务器时,跨域Session管理是常见的挑战。WebLogic Server中,两个不同域的应用之间可能存在Session冲突,...
Cookie 路径属性暴露问题可能会导致安全风险,解决这个问题可以通过从代码解决或从容器本身解决两种思路。从代码解决可以通过设置 Cookie 的路径属性来处理问题,而从容器本身解决可以通过配置容器的设置来处理问题...
### Cookie设置httpOnly和secure属性实现及问题 #### 一、引言 在现代Web开发中,保护用户的隐私和数据安全至关重要。其中一种常见的做法就是通过设置Cookie的`httpOnly`和`secure`属性来增强安全性。这两个属性...
标题与描述概述的知识点主要集中在Internet Explorer(IE)的Cookie机制如何引发Session丢失的问题,并探讨了解决方案。本文将深入解析这一现象的原因、影响以及如何有效应对。 ### 一、IE Cookie机制与Session关联...
`标题`中提到的"使用redis解决nginx+tomcat8负载均衡集群session共享问题jar包",实际上是指利用Redis作为中央缓存来存储和共享session数据,以解决负载均衡下的session丢失问题。 **Redis作为Session存储** Redis...
为了解决这个问题,需要在`weblogic.xml`配置文件中添加`session-descriptor`节点,定义新的Session ID名称,如`JSESSIONID1`,并设置适当的Session管理参数。示例如下: ```xml <context-root>/ynwjnw ...
本文将探讨这个问题的原因以及两种可能的解决方案。 **问题分析** 登录前后Cookie不一致的问题可能由以下几个原因引起: 1. **Session ID冲突**:在用户登录过程中,服务器可能会分配一个新的Session ID,但...
因此,在设计解决方案时,应考虑目标用户群体使用的浏览器类型,以确保兼容性和用户体验。 通过上述策略的应用,可以有效解决IFrame环境下Session丢失的问题,提高Web应用的稳定性和安全性。然而,开发者还需持续...
Javaweb项目Session超时解决方案 在Java Web开发中,Session机制为我们提供了许多方便,Session是由浏览器和服务器之间维护的。Session超时理解为:浏览器和服务器之间创建了一个Session,由于客户端长时间(休眠...
本解决方案将详细介绍如何在`CentOS7`上配置`Nginx`以实现`Tomcat`的负载均衡,并利用`Redis`进行Session共享,以提高系统的可扩展性和用户会话的一致性。 首先,我们需要在`CentOS7`上安装`Nginx`。可以使用`yum`...
**Cookie** Cookie是一种在客户端和服务器之间传递信息的技术。...以上就是Cookie和Session的基本概念、创建、使用以及常见问题的解决方案。理解并熟练掌握这两者,对于开发Web应用程序至关重要。
【Resin常见有关问题详解】 Resin是一款由CAUCHO公司开发的高性能Web服务器和应用服务器,它专门支持Servlets和JSP,并以其快速的处理能力而...理解这些常见问题及其解决策略,有助于提升Resin服务器的稳定性和性能。
然而,由于浏览器兼容性问题或安全需求,有时我们需要在不同浏览器间手动处理JSESSIONID。 在Internet Explorer(IE)和非IE浏览器(如Chrome、Firefox)之间转换JSESSIONID时,需要注意以下几点: 1. **Cookie...
这种解决方案可以在Nginx不能直接获取客户端IP或需要更精确控制session分配的情况下提供更好的灵活性。需要注意的是,使用upstream_hash需要确保Nginx版本支持,并且可能需要安装和配置额外的模块。 总结来说,处理...