Fixing the "session identifier not updated" vulnerability in Java or JSP
Flagged by an AppScan scan.
1. Cause of the vulnerability:
AppScan records the cookies before and after the "login action", including the JSESSIONID (or whatever cookie id the application uses). If that cookie value has not changed after the login action takes place, AppScan reports a "session identifier not updated" vulnerability.
2. AppScan's remediation advice for "session identifier not updated":
General remediation advice: always generate a new session for the user to log into upon successful authentication. This prevents users from manipulating the session identifier. Do not accept the session identifier supplied by the user's browser at login.
3. Changes made according to that advice:
At login:
<%
    // Drop the session that was presented before authentication.
    session.invalidate();
    // Expire the JSESSIONID cookie the browser sent so it cannot be reused.
    Cookie[] cookies = request.getCookies();
    if (null != cookies) {
        for (int i = 0; i < cookies.length; i++) {
            if ("JSESSIONID".equalsIgnoreCase(cookies[i].getName())) {
                cookies[i].setMaxAge(0);
                response.addCookie(cookies[i]);
            }
        }
    }
%>
At logout:
<%
    // Keep the logout response (and the pages that follow) out of the cache.
    response.setHeader("Pragma", "No-cache");
    response.setHeader("Cache-Control", "no-cache");
    response.setDateHeader("Expires", 0);
    // Obtain the current session (creating one if needed) and invalidate it.
    session = request.getSession(true);
    session.invalidate();
%>
4. Implementation approach in Spring Security:
    Step 1: extract all attributes and their values from the old session.
    Step 2: invalidate the old session.
    Step 3: create a new session and copy all attributes and values of the old session into it.
    /**
     * Called to extract the existing attributes from the session, prior to invalidating it. If
     * {@code migrateAttributes} is set to {@code false}, only Spring Security attributes will be retained.
     * All application attributes will be discarded.
     * <p>
     * You can override this method to control exactly what is transferred to the new session.
     *
     * @param session the session from which the attributes should be extracted
     * @return the map of session attributes which should be transferred to the new session
     */
    protected Map<String, Object> extractAttributes(HttpSession session) {
        return createMigratedAttributeMap(session);
    }

    final HttpSession applySessionFixation(HttpServletRequest request) {
        HttpSession session = request.getSession();
        String originalSessionId = session.getId();
        Map<String, Object> attributesToMigrate = extractAttributes(session);
        session.invalidate();
        session = request.getSession(true); // we now have a new session
        transferAttributes(attributesToMigrate, session);
        return session;
    }
Note: session = request.getSession(true); // we now have a new session
getSession
public HttpSession getSession(boolean create)
Returns the current HttpSession associated with this request or,
if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.
To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.
Parameters: create - true to create a new session for this request if necessary; false to return null if there's no current session
Returns: the HttpSession associated with this request or null if create is false and the request has no valid session.
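The three steps above, carried out with the plain Servlet API so a JSP or servlet login handler can rotate the session without Spring. This is an added example, not code from the original post or from Spring Security; the class name SessionRotation and the "user" attribute in the usage comment are assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper (not part of the original post): rotates the session id at login.
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Discards the session the browser presented and returns a fresh one that
     * carries the old session's attributes. Call it only after the credentials
     * have been verified, and before any response output, because the container
     * must still be able to send the Set-Cookie header for the new session id.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        Map<String, Object> migrated = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            // Step 1: copy every attribute out of the old session.
            for (String name : Collections.list(old.getAttributeNames())) {
                migrated.put(name, old.getAttribute(name));
            }
            // Step 2: invalidate it so the pre-login id is no longer accepted.
            old.invalidate();
        }
        // Step 3: create a new session (new JSESSIONID, sent by the container)
        // and restore the attributes into it.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : migrated.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Usage from a login servlet, after the password check succeeds:
    //   HttpSession s = SessionRotation.rotate(request);
    //   s.setAttribute("user", username);   // "user" is an assumed attribute name
    // On Servlet 3.1+ containers, request.changeSessionId() swaps only the id
    // and keeps the attributes, which achieves the same result in one call.
}
```

Because the container emits the Set-Cookie for the new session itself, this helper does not also expire the old JSESSIONID cookie in the same response; after login, a rescan should show a different JSESSIONID than before.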
5. A short summary:
    Calling session.invalidate at login or logout is the simplest way to fix "session identifier not updated"; the Spring Security approach is the more complete fix.
Reposted from: https://www.cnblogs.com/davidwang456/p/3615304.html