java或者jsp中修复会话标识未更新漏洞

appscan扫描出来的。

1. 漏洞产生的原因：

AppScan会扫描“登录行为”前后的Cookie，其中会对其中的JSESSIONOID（或者别的cookie id依应用而定）进行记录。在登录行为发生后，如果cookie中这个值没有发生变化，则判定为“会话标识未更新”漏洞。

2. AppScan中，对“会话标识未更新”提供了修改建议：

一般修订建议 始终生成新的会话，供用户成功认证时登录。防止用户操纵会话标识。请勿接受用户浏览器登录时所提供的会话标识。

3. 依据修改建议修改如下：

登录时：

<%
session.invalidate();
Cookie[] cookies=request.getCookies();
if(null!=cookies){
for(int i=0;i<cookies.length;i++){
if("JSESSIONID").equalsIgnoreCase(cookies[i].getName()){
cookies[i].setMaxAge(0);
response.addCookie(cookies[i]);
}
}
}
%>

退出时：

<%
reponse.setHeader("Pragma","No-cache");
response.setHeader("Cache-Control","no-cache");
response.setDateHeader("Expires",0);
session=request.getSession(true);
session.invalidate();
%>

4. spring security中实现思路：

第一步：提取旧的session中的所有属性及值。

第二步：使旧的session无效。

第三步：生成新的session，并将旧session的所有属性和值赋给新的session中。

/**
* Called to extract the existing attributes from the session, prior to invalidating it. If
* {@code migrateAttributes} is set to {@code false}, only Spring Security attributes will be retained.
* All application attributes will be discarded.
* <p>
* You can override this method to control exactly what is transferred to the new session.
*
* @param session the session from which the attributes should be extracted
* @return the map of session attributes which should be transferred to the new session
*/
protected Map<String, Object> extractAttributes(HttpSession session) {
return createMigratedAttributeMap(session);
}

final HttpSession applySessionFixation(HttpServletRequest request) {
HttpSession session = request.getSession();
String originalSessionId = session.getId();
Map<String, Object> attributesToMigrate = extractAttributes(session);

session.invalidate();
session = request.getSession(true); // we now have a new session
transferAttributes(attributesToMigrate, session);
return session;
}

注意： session = request.getSession(true); // we now have a new session

getSession

public HttpSession getSession(boolean create)

Returns the current

HttpSession

associated with this request or,

if if there is no current session and

create

is true, returns a new session.

If

create

is

false

and the request has no valid

HttpSession

, this method returns

null

.

To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.

Parameters:

true

- to create a new session for this request if necessary;

false

to return

null

if there's no current session

Returns: the

HttpSession

associated with this request or

null

if

create

is

false

and the request has no valid session.

5. 一点小总结：

在登录或者退出时使用session.invalidate方式修改回话标示未更新，方法最简单；使用spring-security方式修复方式修改比较全面。