Session identifier not updated

IBM AppScan security scan finding: session identifier not updated

AppScan remediation advice:

Always generate a new session for the user to log into upon successful authentication. This prevents a user from manipulating the session identifier. Never accept the session identifier the user's browser presents at login time.

After login verification succeeds, call the following method:

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionRotation {

    /**
     * Discard the session the browser presented during login and start a fresh one,
     * carrying the existing attributes over, so that the authenticated user never
     * keeps the pre-authentication session ID (defence against session fixation).
     */
    private void createNewSession(HttpServletRequest request, HttpServletResponse response) {
        HttpSession oldSession = request.getSession();
        // Save the contents of the old session.
        Enumeration<String> attributeNames = oldSession.getAttributeNames();
        Map<String, Object> attributeMap = new HashMap<String, Object>();
        while (attributeNames != null && attributeNames.hasMoreElements()) {
            String attributeName = attributeNames.nextElement();
            attributeMap.put(attributeName, oldSession.getAttribute(attributeName));
        }
        // Invalidate the old session so its ID can no longer be used, then create a new one.
        oldSession.invalidate();
        HttpSession newSession = request.getSession(true);
        // Put the saved contents into the new session.
        for (Map.Entry<String, Object> entry : attributeMap.entrySet()) {
            newSession.setAttribute(entry.getKey(), entry.getValue());
        }
    }
}
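The following login servlet is an added example (not from the original post) showing where the rotation belongs in the login flow: credentials are checked first, the session ID is rotated before any authenticated state is stored, and the result is verified. It assumes a Servlet 3.1 or newer container, where HttpServletRequest.changeSessionId() rotates the ID and keeps the attributes; the demo credential and the /home redirect target are constructed placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed demo credential; a real application verifies a password hash from its user store.
    private static final String DEMO_USER = "alice";
    private static final String DEMO_PASSWORD = "correct horse battery staple";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (!authenticate(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Rotate the session ID before storing any authenticated state, so the ID the
        // browser presented at login never becomes the ID of an authenticated session.
        HttpSession session = request.getSession(true);
        String oldId = session.getId();
        // Servlet 3.1+: the container issues a new ID, keeps the attributes and sends the new cookie.
        String newId = request.changeSessionId();
        if (newId.equals(oldId)) {
            throw new ServletException("container did not rotate the session ID at login");
        }
        session.setAttribute("authenticatedUser", username);
        response.sendRedirect(request.getContextPath() + "/home");
    }

    private static boolean authenticate(String username, String password) {
        if (username == null || password == null) {
            return false;
        }
        byte[] expected = DEMO_PASSWORD.getBytes(StandardCharsets.UTF_8);
        byte[] supplied = password.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares equal-length inputs in constant time.
        return DEMO_USER.equals(username) && MessageDigest.isEqual(expected, supplied);
    }
}
```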
Original post: https://www.cnblogs.com/jimor/p/3418070.html