Problem description
This may be a duplicate of this question, but the suggested solution is not feasible for us:
You could set the max-age of your JSESSIONID in your web.xml. That way your JSESSIONID cookie would no longer be a session cookie! This would make your web application slightly less secure as the cookie would still survive after the browser is closed.
You could abandon HTTP cookies altogether and configure Tomcat to do session tracking with the SSL session ID. I've never actually configured it myself, but I would guess that this is more secure than using JSESSIONID cookies. However, session replication is not possible in this configuration.
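The two web.xml alternatives the answer describes, as an added example that is not from the original post: the timeout and max-age values and the Servlet 3.1 namespace are assumptions, and the SSL tracking mode only works where Tomcat can see the TLS session.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): a Servlet 3.1 web.xml showing
     the two session-tracking choices discussed in the answer. Values are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Option A: keep the JSESSIONID cookie but give it a max-age.
       A cookie with max-age is a persistent cookie: it survives browser close,
       which is the trade-off the answer warns about. Pair it with http-only and
       secure so page scripts cannot read it and it is only sent over TLS. -->
  <session-config>
    <session-timeout>30</session-timeout>      <!-- server-side idle timeout, minutes -->
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
      <max-age>1800</max-age>                  <!-- seconds from when the cookie was set; assumption -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

  <!-- Option B: no session cookie at all; bind the HTTP session to the TLS session.
       Use this <session-config> instead of the one above. Tomcat must terminate
       TLS itself (or receive the SSL session id via AJP) and, as the answer notes,
       session replication is not possible in this mode.
  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>SSL</tracking-mode>
  </session-config>
  -->
</web-app>
```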
That concludes this article on how to protect my JSESSIONID from document.execCommand("ClearAuthenticationCache").