Question
I need to prevent Session Fixation, a particular type of session hijacking, in a Java web application running in JBoss. However, it appears that the standard idiom doesn't work in JBoss. Can this be worked around?
Accepted answer
This defect (found here) points the way to the solution. The Tomcat instance that runs in JBoss is configured with emptySessionPath="true", rather than "false", which is the default. This can be modified in .../deploy/jboss-web.deployer/server.xml; both the HTTP and AJP connectors have this option.
The feature itself is used to eliminate the context path (e.g. "foo" in http://example.com/foo) from being included in the JSESSIONID cookie. Setting it to false will break applications that rely on cross-application authentication, which includes stuff built using some portal frameworks. It didn't negatively affect the application in question, however.
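The "standard idiom" the question refers to is to invalidate the pre-authentication session and create a fresh one (with a new JSESSIONID) at the moment the user logs in, so that an identifier planted by an attacker before login is never promoted to an authenticated session. On a Tomcat connector with emptySessionPath="true" the container reuses the session id presented in the cookie when the new session is created, which is why the idiom silently fails there. The helper below is an added example written for this page, not code from the question or answer; the class and method names (SessionRenewer, renewOnLogin) are hypothetical, and it assumes only the javax.servlet API. Besides performing the migration, it checks that the id actually changed and fails loudly if it did not, which is the quickest way to detect the misconfiguration described in the answer on a running server.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation protection helper (hypothetical name; added example,
 * not part of the original question or answer).
 *
 * Call renewOnLogin() right after credentials have been verified and
 * before the authenticated principal is stored in the session.
 */
public final class SessionRenewer {

    private SessionRenewer() {
    }

    /**
     * Invalidates the current session (if any), creates a new one and
     * carries the old attributes across.
     *
     * @return the fresh session that should now receive the principal
     * @throws IllegalStateException if the container handed back the same
     *         session id, which is the symptom of emptySessionPath="true"
     *         on the Tomcat connector inside JBoss
     */
    public static HttpSession renewOnLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        String oldId = null;

        if (old != null) {
            oldId = old.getId();
            // Copy attributes set before login (shopping cart, locale, ...).
            // Anything the attacker could have planted in a fixed session is
            // at most these attributes, so drop any you do not trust.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // With emptySessionPath="false" (the Tomcat default) this yields a
        // brand-new id; with "true" the requested id is reused.
        HttpSession fresh = request.getSession(true);

        if (oldId != null && oldId.equals(fresh.getId())) {
            throw new IllegalStateException(
                "Session id did not change on login; check emptySessionPath on the "
                + "HTTP/AJP connectors in server.xml");
        }

        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

On a Servlet 3.1+ container the same effect is available as `request.changeSessionId()`, which keeps the attributes and only swaps the identifier; the JBoss/Tomcat versions the answer concerns predate that API, so the invalidate-and-recreate form above is the portable one. Either way, keep the id-unchanged check: it turns a silent failure into an error that shows up in the first login test.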