- 浏览: 2552698 次
- 性别:
- 来自: 成都
文章分类
最新评论
-
nation:
你好,在部署Mesos+Spark的运行环境时,出现一个现象, ...
Spark(4)Deal with Mesos -
sillycat:
AMAZON Relatedhttps://www.godad ...
AMAZON API Gateway(2)Client Side SSL with NGINX -
sillycat:
sudo usermod -aG docker ec2-use ...
Docker and VirtualBox(1)Set up Shared Disk for Virtual Box -
sillycat:
Every Half an Hour30 * * * * /u ...
Build Home NAS(3)Data Redundancy -
sillycat:
3 List the Cron Job I Have>c ...
Build Home NAS(3)Data Redundancy
Session Fixation Security Issue(4)Verify Addtional Information
I will try to verify the client ip and client user agent.
package com.sillycat.easywebflow.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
public class SessionFixationProtectionFilter implements Filter {
private final static Log log = LogFactory
.getLog(SessionFixationProtectionFilter.class);
private static final String SESSION_IP_FILTER_CONSTANT = "session_ip_filter_constant";
private static final String SESSION_USER_AGENT_FILTER_CONSTANT = "session_user_agent_filter_constant";
public void init(FilterConfig filterConfig) throws ServletException {
}
public void doFilter(ServletRequest servletRequest,
ServletResponse serlvetResponse, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) serlvetResponse;
String current_clientip = "127.0.0.1";
String current_clientagent = "useragent";
String session_clientip = "";
String session_clientagent = "";
if (request.getRemoteAddr() != null
&& !"".equals(request.getRemoteAddr())) {
current_clientip = request.getRemoteAddr();
}
if (request.getHeader("User-Agent") != null
&& !"".equals(request.getHeader("User-Agent"))) {
current_clientagent = request.getHeader("User-Agent");
}
HttpSession session = request.getSession(false);
if (session == null && request.isRequestedSessionIdValid() == false) {
// session is empty, nothing need to do
log.debug(" There is no session here !");
chain.doFilter(request, response);
return;
}
if (session.getAttribute(SESSION_IP_FILTER_CONSTANT) != null) {
session_clientip = (String) session
.getAttribute(SESSION_IP_FILTER_CONSTANT);
}
if (session.getAttribute(SESSION_USER_AGENT_FILTER_CONSTANT) != null) {
session_clientagent = (String) session
.getAttribute(SESSION_USER_AGENT_FILTER_CONSTANT);
}
log.debug(" current ip = " + current_clientip + " session ip = "
+ session_clientip);
log.debug(" current useragent = " + current_clientagent
+ " session useragent = " + session_clientagent);
if (session_clientip != null && !session_clientip.equals("")) {
// session value is not null, so this is not the first request
if (!session_clientip.equalsIgnoreCase(current_clientip)
|| !session_clientagent
.equalsIgnoreCase(current_clientagent)) {
// the current user is not the previous one, kill the current
// session
String original_session_id = session.getId();
log.debug(" invalidate the old sessionid = "
+ original_session_id);
session.invalidate();
// generate new session
session = request.getSession(true);
log.debug(" newly create sessionid = " + session.getId());
}
}
session.setAttribute(SESSION_IP_FILTER_CONSTANT, current_clientip);
session.setAttribute(SESSION_USER_AGENT_FILTER_CONSTANT,
current_clientagent);
chain.doFilter(request, response);
}
public void destroy() {
}
}
references:
http://en.wikipedia.org/wiki/Session_fixation
I will try to verify the client ip and client user agent.
package com.sillycat.easywebflow.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
public class SessionFixationProtectionFilter implements Filter {
private final static Log log = LogFactory
.getLog(SessionFixationProtectionFilter.class);
private static final String SESSION_IP_FILTER_CONSTANT = "session_ip_filter_constant";
private static final String SESSION_USER_AGENT_FILTER_CONSTANT = "session_user_agent_filter_constant";
public void init(FilterConfig filterConfig) throws ServletException {
}
public void doFilter(ServletRequest servletRequest,
ServletResponse serlvetResponse, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) serlvetResponse;
String current_clientip = "127.0.0.1";
String current_clientagent = "useragent";
String session_clientip = "";
String session_clientagent = "";
if (request.getRemoteAddr() != null
&& !"".equals(request.getRemoteAddr())) {
current_clientip = request.getRemoteAddr();
}
if (request.getHeader("User-Agent") != null
&& !"".equals(request.getHeader("User-Agent"))) {
current_clientagent = request.getHeader("User-Agent");
}
HttpSession session = request.getSession(false);
if (session == null && request.isRequestedSessionIdValid() == false) {
// session is empty, nothing need to do
log.debug(" There is no session here !");
chain.doFilter(request, response);
return;
}
if (session.getAttribute(SESSION_IP_FILTER_CONSTANT) != null) {
session_clientip = (String) session
.getAttribute(SESSION_IP_FILTER_CONSTANT);
}
if (session.getAttribute(SESSION_USER_AGENT_FILTER_CONSTANT) != null) {
session_clientagent = (String) session
.getAttribute(SESSION_USER_AGENT_FILTER_CONSTANT);
}
log.debug(" current ip = " + current_clientip + " session ip = "
+ session_clientip);
log.debug(" current useragent = " + current_clientagent
+ " session useragent = " + session_clientagent);
if (session_clientip != null && !session_clientip.equals("")) {
// session value is not null, so this is not the first request
if (!session_clientip.equalsIgnoreCase(current_clientip)
|| !session_clientagent
.equalsIgnoreCase(current_clientagent)) {
// the current user is not the previous one, kill the current
// session
String original_session_id = session.getId();
log.debug(" invalidate the old sessionid = "
+ original_session_id);
session.invalidate();
// generate new session
session = request.getSession(true);
log.debug(" newly create sessionid = " + session.getId());
}
}
session.setAttribute(SESSION_IP_FILTER_CONSTANT, current_clientip);
session.setAttribute(SESSION_USER_AGENT_FILTER_CONSTANT,
current_clientagent);
chain.doFilter(request, response);
}
public void destroy() {
}
}
references:
http://en.wikipedia.org/wiki/Session_fixation
发表评论
-
Update Site will come soon
2021-06-02 04:10 1679I am still keep notes my tech n ... -
Portainer 2020(4)Deploy Nginx and Others
2020-03-20 12:06 431Portainer 2020(4)Deploy Nginx a ... -
Private Registry 2020(1)No auth in registry Nginx AUTH for UI
2020-03-18 00:56 436Private Registry 2020(1)No auth ... -
Docker Compose 2020(1)Installation and Basic
2020-03-15 08:10 374Docker Compose 2020(1)Installat ... -
VPN Server 2020(2)Docker on CentOS in Ubuntu
2020-03-02 08:04 456VPN Server 2020(2)Docker on Cen ... -
Nginx Deal with OPTIONS in HTTP Protocol
2020-02-15 01:33 356Nginx Deal with OPTIONS in HTTP ... -
PDF to HTML 2020(1)pdftohtml Linux tool or PDFBox
2020-01-29 07:37 405PDF to HTML 2020(1)pdftohtml Li ... -
Elasticsearch Cluster 2019(2)Kibana Issue or Upgrade
2020-01-12 03:25 721Elasticsearch Cluster 2019(2)Ki ... -
Spark Streaming 2020(1)Investigation
2020-01-08 07:19 295Spark Streaming 2020(1)Investig ... -
Hadoop Docker 2019 Version 3.2.1
2019-12-10 07:39 295Hadoop Docker 2019 Version 3.2. ... -
MongoDB 2019(3)Security and Auth
2019-11-16 06:48 241MongoDB 2019(3)Security and Aut ... -
MongoDB 2019(1)Install 4.2.1 Single and Cluster
2019-11-11 05:07 294MongoDB 2019(1) Follow this ht ... -
Monitor Tool 2019(1)Monit Installation and Usage
2019-10-17 08:22 325Monitor Tool 2019(1)Monit Insta ... -
Ansible 2019(1)Introduction and Installation on Ubuntu and CentOS
2019-10-12 06:15 312Ansible 2019(1)Introduction and ... -
Timezone and Time on All Servers and Docker Containers
2019-10-10 11:18 332Timezone and Time on All Server ... -
Kafka Cluster 2019(6) 3 Nodes Cluster on CentOS7
2019-10-05 23:28 283Kafka Cluster 2019(6) 3 Nodes C ... -
K8S Helm(1)Understand YAML and Kubectl Pod and Deployment
2019-10-01 01:21 326K8S Helm(1)Understand YAML and ... -
Rancher and k8s 2019(5)Private Registry
2019-09-27 03:25 362Rancher and k8s 2019(5)Private ... -
Jenkins 2019 Cluster(1)Version 2.194
2019-09-12 02:53 444Jenkins 2019 Cluster(1)Version ... -
Redis Cluster 2019(3)Redis Cluster on CentOS
2019-08-17 04:07 373Redis Cluster 2019(3)Redis Clus ...
相关推荐
**会话固定攻击(Session Fixation)** 会话固定攻击是一种网络安全性问题,攻击者通过在用户登录前预先设定一个已知的会话ID(Session ID),然后在用户登录后继续使用这个固定的会话ID,从而能够控制或劫持用户的...
在Spring Security中,会话管理主要涉及到会话固定防护(Session Fixation Protection)和会话超时(Session Timeout)。 2. **会话固定防护** - 会话固定攻击是一种常见的安全威胁,攻击者通过获取用户的会话ID来...
4. **删除Session值**:如果需要移除某个Session数据,类中可能会有一个`unset_session_data`方法,接收键名作为参数,从Session中移除对应的数据。 5. **销毁Session**:`destroy_session`方法可能是用来结束当前...
4. **会话管理**:处理会话相关的安全问题,如会话固定攻击(Session Fixation)和会话超时。 5. **加密工具**:提供密码哈希、随机数生成等加密功能,确保密码安全存储。 **Spring Security 配置** Spring ...
### J2EE的13种核心技术详解 #### 引言 Java从最初的浏览器脚本语言逐渐进化成为服务器端开发的主流技术,其中J2EE(Java 2 Platform, Enterprise Edition)平台扮演了至关重要的角色。J2EE由一系列服务、APIs和...
The book discusses techniques for managing sessions securely, including session fixation prevention and secure session handling. 6. **Implementing Authentication and Authorization**: Strong ...
3. 会话管理:Spring Security可以管理和监控用户会话,防止会话固定攻击(Session Fixation)和会话劫持(Session Hijacking),同时支持会话超时和跨站请求伪造(CSRF)防护。 三、Spring Security 3.1特性 1. ...
4. **会话管理**:Spring Security提供了会话管理功能,可以防止会话固定攻击(Session Fixation)、实现会话超时以及单点登录(Single Sign-On, SSO)。 5. **异常处理**:当安全规则不满足时,Spring Security会...
在Web开发中,Session是一种非常...在实际开发中,还需要考虑到Session的过期策略、安全性(防止Session Hijacking和Session Fixation攻击)以及性能优化(如Session的持久化存储和集群环境下的Session共享)等问题。
2. **防止Session Fixation**:在用户成功登录后,重新生成session ID,避免攻击者利用预先知道的session ID进行攻击。 3. **定期刷新session**:设置合理的session超时时间,并在用户活动时更新session的最后活跃...
此外,SpringSecurity还提供了会话管理功能,包括会话固定保护(Session Fixation Protection)和会话超时(Session Timeout)等,以防止会话劫持和会话固定攻击。它还集成了Remember Me服务,允许用户在一定时间内...
- **防止Session Fixation攻击**:通过在用户登录后重新生成Session ID来防止此类攻击,确保即使Session被恶意复制,攻击者也无法继续使用。 ### 方法安全控制 Spring Security不仅限于Web层的安全控制,还提供了...
10. **Session Management**:Spring Security提供了丰富的会话管理策略,可以防止会话固定攻击(session fixation)、超时管理以及会话并发控制。 在实际开发中,我们可以通过XML或Java配置来集成Spring Security...
5. **会话管理(Session Management)**:SpringSecurity可以控制会话的创建、生命周期和并发控制,防止会话固定攻击(Session Fixation)和会话劫持(Session Hijacking)。 6. **CSRF防护(Cross-Site Request ...
6. **安全性考虑**:使用memcached共享session时,需要注意安全问题,例如防止session hijacking(会话劫持)和session fixation攻击。可以使用HTTPS、定期刷新session ID、限制session的有效范围等方式增强安全性。...
它可以通过配置防止会话固定攻击(session fixation)和会话超时(session timeout)等问题。 4. **过滤器链**:SpringSecurity的核心是Filter Security Interceptor(FSI)过滤器链,它在每个HTTP请求中检查安全性...
Spring Security提供了一套全面的会话管理机制,防止会话固定攻击(Session Fixation)和会话劫持(Session Hijacking)。它可以监控和控制会话创建、超时、复制和销毁。例如,SessionManagementConfigurer可以配置...
5. **会话管理(Session Management)**:Spring Security可以控制会话的创建、销毁以及会话固定攻击(Session Fixation)防护。默认情况下,Spring Security会自动处理会话管理。 6. **密码加密(Password ...
4. **会话管理**:Spring Security提供了会话管理功能,可以防止会话固定攻击(Session Fixation),并能控制单个用户的最大并发会话数量。 5. **CSRF保护**:Spring Security默认开启CSRF防护,通过生成并验证CSRF...
至于`<session-management>`元素下的`<session-fixation-protection>`,它用于防止会话固定攻击,策略`migrateSession`意味着在用户登录后创建新的会话,以确保即使攻击者知道旧的会话ID也无法继续访问系统。...