Web notes: the session-theft security problem (Spring Boot: listing all sessions and improving their security)
My filtering code at the time only checked whether the session had been recorded and whether it carried the login attribute!

Some IT forums work exactly this way: with nothing but the session you can perform bulk operations on an account by sending raw HTTP requests.

Demonstration: after I logged into an account,

I copied that session ID onto another machine,

and it was logged in there too (many forums behave like this).

This is a serious security problem, so here is one mitigation strategy.

It is implemented here with Spring Boot. When a session is established at login, record it and bind it to the client IP; the interceptor then checks whether each request for that session arrives from the IP it was bound to. Two caveats a practitioner should keep in mind: binding to an IP is a heuristic, not a complete fix (users behind carrier NAT or roaming between networks will be logged out), and if IpUtil.getIpAddr honors a header such as X-Forwarded-For from arbitrary clients, an attacker who knows the victim's IP can simply send it in that header, so such headers must only be trusted when set by your own reverse proxy.

The corresponding flowchart is as follows:

First, one prerequisite: get hold of all of the web application's sessions. This can be done as follows:
```java
package com.it1995.demo.config;

import com.it1995.demo.tool.SessionUtil;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

@Configuration
public class HttpSessionConfig {

    // Backup copy of every live session, keyed by session ID; can be removed if not needed.
    // Listener callbacks run on request threads, so the map must be thread-safe.
    private static final Map<String, HttpSession> session = new ConcurrentHashMap<>();

    @Bean
    public HttpSessionListener httpSessionListener() {
        return new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent se) {
                System.out.println("sessionCreated");
                session.put(se.getSession().getId(), se.getSession());
                // SessionUtil.addIDAndIP(se.getSession().getId(), ""); // optional: the binding is recorded at login instead
            }

            @Override
            public void sessionDestroyed(HttpSessionEvent se) {
                System.out.println("sessionDestroyed");
                session.remove(se.getSession().getId());
                // Drop the IP binding too, so the map does not grow without bound
                SessionUtil.removeIDAndIP(se.getSession().getId());
            }
        };
    }
}
```

A utility class is used here:
```java
package com.it1995.demo.tool;

import java.util.HashMap;
import java.util.Map;

public class SessionUtil {

    // session ID -> client IP the session was bound to at login
    static Map<String, String> sessionID_IPMap = new HashMap<>();

    public synchronized static void addIDAndIP(String sessionID, String ip) {
        sessionID_IPMap.put(sessionID, ip);
    }

    public synchronized static void removeIDAndIP(String sessionID) {
        sessionID_IPMap.remove(sessionID);
    }

    public synchronized static boolean isSessionAndIPRight(String sessionID, String ip) {
        // No separate containsKey() check: the lookup result is compared directly.
        // A session that was never bound (not logged in through this path) is rejected;
        // the null check also avoids the NullPointerException the original equals()
        // call threw when the session ID was not in the map.
        String value = sessionID_IPMap.get(sessionID);
        return value != null && value.equals(ip);
    }

    // Debug helper: print every binding
    public static void printAll() {
        System.out.println(sessionID_IPMap);
    }
}
```

Add the following filter:
BackOperationInterceptor.java
```java
package com.it1995.demo.interceptor;

import com.it1995.demo.tool.IpUtil;
import com.it1995.demo.tool.SessionUtil;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BackOperationInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        System.out.println("BackOperationInterceptor preHandle");
        String sessionID = request.getSession().getId();
        String ip = IpUtil.getIpAddr(request);
        // Allow the request only if this session was bound to the requesting IP at login
        if (SessionUtil.isSessionAndIPRight(sessionID, ip)) {
            return true;
        }
        System.out.println("Session presented from an IP it was not bound to; request blocked");
        response.sendRedirect("/");
        return false;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        System.out.println("BackOperationInterceptor");
    }
}
```

LoginInterceptor.java
```java
package com.it1995.demo.interceptor;

import com.it1995.demo.tool.SessionUtil;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        System.out.println("LoginInterceptor preHandle");
        //System.out.println("SESSION_ID:" + request.getSession().getId() + " ;" + "LoginUser:" + request.getSession().getAttribute("userName"));
        // Only the presence of the attribute matters here, so no cast is needed
        // (the original cast to String would throw if a non-String were ever stored)
        Object user = request.getSession().getAttribute("userName");
        if (user == null) {
            response.sendRedirect("/");
            return false;
        }
        return true;
    }

    // Precondition: preHandle returned true
    // Called after the controller method has finished
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        System.out.println("LoginInterceptor postHandle");
        // SessionUtil.printAll();
    }
}
```

Record the session in the login request:
```java
package com.it1995.demo.controller;

import com.it1995.demo.tool.IpUtil;
import com.it1995.demo.tool.SessionUtil;
import com.it1995.demo.tool.ValidCheck;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

@Controller
public class FHController {

    @GetMapping("/login")
    public String getLoginPage() {
        return "login";
    }

    @PostMapping("/login")
    public String userLogin(@RequestParam("username") String username,
                            @RequestParam("password") String password,
                            @RequestParam("Ticket") String ticket,
                            @RequestParam("RandStr") String randStr,
                            HttpServletRequest request, HttpSession session) {
        //System.out.println(username + " " + password + " " + ticket + " " + randStr + " " + IpUtil.getIpAddr(request));
        // Captcha ticket verification (ValidCheck is not shown on this page);
        // a score of 30 or less is treated as a pass
        Integer evilLevel = ValidCheck.verifyTicket(ticket, randStr, IpUtil.getIpAddr(request));
        System.out.println("The verifyResult is : " + evilLevel);
        if (evilLevel <= 30) {
            session.setAttribute("userName", username);
            // Captcha passed; the username/password check against the database
            // belongs here and is not shown in the original.
            // Record the session -> client IP binding
            SessionUtil.addIDAndIP(request.getSession().getId(), IpUtil.getIpAddr(request));
            return "redirect:/controller/home";
        }
        return "login";
    }
}
```

Screenshots of the running program are as follows:
When someone hijacks the session:
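The following is an added example written for this edit, not code from the original post: a hardened variant of the same session-to-IP binding described above. It stores the bound IP as a session attribute instead of a static map (so it expires with the session and cannot drift out of sync with the listener), rotates the session ID at login with request.changeSessionId() so an ID planted before authentication cannot become a logged-in session, trusts X-Forwarded-For only when the TCP peer is a known reverse proxy, and invalidates the session on a mismatch rather than merely redirecting. It assumes Spring Boot 2.x / Spring 5 (where HandlerInterceptor's other methods have default bodies), Servlet 3.1+ for changeSessionId(), and Java 11+; the class name BoundSessionInterceptor, the attribute name BOUND_CLIENT_IP and the addresses in TRUSTED_PROXIES are illustrative choices, and "userName" is the attribute the page's own login sets.

```java
package com.it1995.demo.interceptor; // hypothetical package, matching the page's layout

import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

/**
 * Added example (not the original post's code): binds a session to the client IP seen
 * at login, stores the binding in the session itself, and enforces it on every request.
 */
public class BoundSessionInterceptor implements HandlerInterceptor {

    // Attribute name and trusted proxy addresses are assumptions for this example.
    static final String BOUND_IP_ATTR = "BOUND_CLIENT_IP";
    static final String USER_ATTR = "userName";            // attribute the page's login sets
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1", "10.0.0.5");

    /** Client IP as the application should see it: forwarded headers only from our own proxy. */
    public static String clientIp(HttpServletRequest request) {
        String peer = request.getRemoteAddr();
        if (!TRUSTED_PROXIES.contains(peer)) {
            return peer;                                   // direct client: ignore any X-Forwarded-For it sent
        }
        String xff = request.getHeader("X-Forwarded-For");
        if (xff == null || xff.isBlank()) {
            return peer;
        }
        // A proxy appends the address it saw to the end of the chain; earlier entries may
        // have been supplied by the client, so only the last hop is trustworthy here.
        String[] hops = xff.split(",");
        return hops[hops.length - 1].trim();
    }

    /** Call once credentials have been verified: rotate the session ID, then record the binding. */
    public static void bindAfterLogin(HttpServletRequest request, String userName) {
        request.getSession();                              // ensure a session exists before rotating it
        request.changeSessionId();                         // pre-login ID becomes worthless (session fixation)
        HttpSession session = request.getSession(false);
        session.setAttribute(USER_ATTR, userName);
        session.setAttribute(BOUND_IP_ATTR, clientIp(request));
    }

    /** Pure comparison, kept separate so it can be unit-tested without a servlet container. */
    static boolean bindingMatches(String boundIp, String currentIp) {
        return boundIp != null && currentIp != null && boundIp.equals(currentIp);
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        HttpSession session = request.getSession(false);   // do not create sessions for anonymous traffic
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect("/login");
            return false;
        }
        String boundIp = (String) session.getAttribute(BOUND_IP_ATTR);
        if (!bindingMatches(boundIp, clientIp(request))) {
            // Presented from an address other than the one it was issued to: destroy it,
            // so the stolen ID is useless to both the attacker and the legitimate user.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        return true;
    }
}
```

Register it the same way as the page's interceptors, from a WebMvcConfigurer's addInterceptors() with the protected path pattern (for example "/controller/**"), and have the login handler call bindAfterLogin(request, username) in place of the setAttribute/addIDAndIP pair once the credentials check has passed. Because the attack shown above works by copying the cookie, also keep the session cookie out of reach of scripts and off plaintext connections; in Spring Boot 2.x that is server.servlet.session.cookie.http-only=true and server.servlet.session.cookie.secure=true (the latter requires HTTPS). IP binding remains defense in depth: it will still log out users whose address changes mid-session, so pair it with a short session timeout rather than relying on it alone.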