- 浏览: 270673 次
- 性别:
- 来自: 杭州
文章分类
最新评论
-
muyufenghua:
public static <T super B> ...
浅谈Java泛型中的extends和super关键字 -
wantodare:
class Test1 {
{
a=1;
}
pr ...
Java对象初始化详解 -
wubo2qml:
问下如何进行列中数字大小的比较。我看了几个过滤器,最接近的是S ...
利用Filter进行HBase查询 -
blackproof:
rowkey是A_B我知道要的A集合,也知道要的B范围不用自定 ...
利用Filter进行HBase查询 -
bin_1715575332:
文章不错,尤其了后半部分讲解一些原理。
利用Filter进行HBase查询
jsessionid是Java Web Server(即Servlet/JSP Server)中为了防止客户端屏蔽cookie而在URL中放置的sessionid的统称。支持Servlet标准的Web容器,例如Tomcat,都支持以URL重写的方式在URL中加入jsessionid。目前在大量的网站中都有用到,但是其存在的一些问题被越来越多的人认为是有害的,并且建议不适用jsessionid。
使用jsessionid存在问题主要有一下几点:
既然存在上面的问题,我们就会想到让web容器禁用URL重写功能。不幸的是,Servlet规范并没有定义一个标准的方法来禁用URL重写jsessionid,导致很多web容器本身就不提供禁用URL重写jsessionid的方法。
The solution is to create a servlet filter which will intercept calls to HttpServletRequest.encodeURL() and skip the generation of session identifiers. This will require a servlet engine that implements the Servlet API version 2.3 or later (J2EE 1.3 for you enterprise folks). Let's start with a basic servlet filter:
We don't need to be concerned with the init() and destroy() methods; let's focus on doFilter(). First, let's exit quickly if for some reason the current request is non-HTTP, and cast the request and response objects to their HTTP-specific equivalents:
Next, let's invalidate any sessions that are backed by a URL-encoded session id. This prevents an attacker from generating a valid link. Just because we won't be generating session-encoded links doesn't mean someone else won't try:
To disable the default URL-encoding functionality, we need to wrap the existing HttpServletResponse object. Fortunately, the Servlet API provides just such a class ready-made in HttpServletResponseWrapper. We could subclass it to provide our own handling, but this is a trivial enough change that an anonymous inner class will do nicely:
You may notice that we have overridden four methods, not one. encodeRedirectURL is used to encode redirected URLs, which can sometimes require different logic to determine if session identifiers are required. The other two methods are deprecated, but are included here for completeness.
Finally, we need to pass the original request and our response wrapper to the next filter in the chain:
Our servlet filter is now written, but we still need to tell our servlet container about it. For this, we need to add the following to web.xml:
This registers our filter with the servlet container, and maps it to all requests. For best results, the filter mapping should be placed above any other filter mappings to prevent any calls to encodeURL from slipping through.
代码见附件
Update: http://boncey.org/2007_1_8_purging_jsessionid This site offers some additional advice using mod_rewrite.
原文:http://randomcoder.com/articles/jsessionid-considered-harmful
Improved Session Tracking:http://www.mojavelinux.com/blog/archives/2006/09/improved_session_tracking/
使用jsessionid存在问题主要有一下几点:
- Every link on your site needs manual intervention Cookieless sessions are achieved in Java by appending a string of the format ;jsessionid=SESSION_IDENTIFIER to the end of a URL. To do this, all links emitted by your website need to be passed through either HttpServletRequest.encodeURL(), either directly or through mechanisms such as the JSTL <c:out /> tag. Failure to do this for even a single link can result in your users losing their session forever.
- Using URL-encoded sessions can damage your search engine placement To prevent abuse, search engines such as Google associate web content with a single URL, and penalize sites which have identical content reachable from multiple, unique URLs. Because a URL-encoded session is unique per visit, multiple visits by the same search engine bot will return identical content with different URLs. This is not an uncommon problem; a test search for ;jsessionid in URLs returned around 79 million search results.
- It's a security risk Because the session identifier is included in the URL, an attacker could potentially impersonate a victim by getting the victim to follow a session-encoded URL to your site. If the victim logs in, the attacker is logged in as well - exposing any personal or confidential information the victim has access to. This can be mitigated somewhat by using short timeouts on sessions, but that tends to annoy legitimate users.
既然存在上面的问题,我们就会想到让web容器禁用URL重写功能。不幸的是,Servlet规范并没有定义一个标准的方法来禁用URL重写jsessionid,导致很多web容器本身就不提供禁用URL重写jsessionid的方法。
The solution is to create a servlet filter which will intercept calls to HttpServletRequest.encodeURL() and skip the generation of session identifiers. This will require a servlet engine that implements the Servlet API version 2.3 or later (J2EE 1.3 for you enterprise folks). Let's start with a basic servlet filter:
package com.randomcoder.security; import java.io.IOException; import javax.servlet.*; import javax.servlet.http.*; public class DisableUrlSessionFilter implements Filter { public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // TODO add filter logic here } public void init(FilterConfig config) throws ServletException {} public void destroy() {} }
We don't need to be concerned with the init() and destroy() methods; let's focus on doFilter(). First, let's exit quickly if for some reason the current request is non-HTTP, and cast the request and response objects to their HTTP-specific equivalents:
if (!(request instanceof HttpServletRequest)) { chain.doFilter(request, response); return; } HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response;
Next, let's invalidate any sessions that are backed by a URL-encoded session id. This prevents an attacker from generating a valid link. Just because we won't be generating session-encoded links doesn't mean someone else won't try:
if (httpRequest.isRequestedSessionIdFromURL()) { HttpSession session = httpRequest.getSession(); if (session != null) session.invalidate(); }
To disable the default URL-encoding functionality, we need to wrap the existing HttpServletResponse object. Fortunately, the Servlet API provides just such a class ready-made in HttpServletResponseWrapper. We could subclass it to provide our own handling, but this is a trivial enough change that an anonymous inner class will do nicely:
HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) { public String encodeRedirectUrl(String url) { return url; } public String encodeRedirectURL(String url) { return url; } public String encodeUrl(String url) { return url; } public String encodeURL(String url) { return url; } };
You may notice that we have overridden four methods, not one. encodeRedirectURL is used to encode redirected URLs, which can sometimes require different logic to determine if session identifiers are required. The other two methods are deprecated, but are included here for completeness.
Finally, we need to pass the original request and our response wrapper to the next filter in the chain:
chain.doFilter(request, wrappedResponse);
Our servlet filter is now written, but we still need to tell our servlet container about it. For this, we need to add the following to web.xml:
<filter> <filter-name> DisableUrlSessionFilter </filter-name> <filter-class> com.randomcoder.security.DisableUrlSessionFilter </filter-class> </filter> ... <filter-mapping> <filter-name>DisableUrlSessionFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
This registers our filter with the servlet container, and maps it to all requests. For best results, the filter mapping should be placed above any other filter mappings to prevent any calls to encodeURL from slipping through.
代码见附件
Update: http://boncey.org/2007_1_8_purging_jsessionid This site offers some additional advice using mod_rewrite.
原文:http://randomcoder.com/articles/jsessionid-considered-harmful
Improved Session Tracking:http://www.mojavelinux.com/blog/archives/2006/09/improved_session_tracking/
- jsessionid_considered_harmful.rar (2.5 KB)
- 下载次数: 30
发表评论
-
Servlet 3.0新特性
2011-03-11 13:12 1347Servlet 3.0中最主要的两个新特性总结如下: 改变了 ... -
Java中wait与notify方法的使用
2010-05-22 14:09 9464在java多线程编程中 ... -
MySql批量插入数据
2010-04-05 15:55 10648在实际的开发过程中,特别是大型的分布式应用系统,往往会涉 ... -
去掉对Spring BeanFacotry的getBean方法的依赖
2009-12-27 23:52 2712在使用Spring时,有时会碰到这种情况: 引用需要在 ... -
通过HttpServletRequestWrapper解决Tomcat请求乱码问题
2009-11-16 23:08 2222应用一:解决tomcat下中文乱码问题(先来个简单的) 在t ... -
相对路径获取Tomcat Web容器中的资源
2009-08-20 21:36 14419最近做项目碰到个问题,我需要利用velocity模版来渲染 ... -
Jboss是数据源配置
2009-08-16 15:38 2008配置Jboss的数据源非常简单,可以从$JBOSS_HOME\ ... -
Jboss 4.x 端口及其修改
2009-08-07 14:49 2799注:本文中所述内容适合于Jboss 4.x系列应用服务器。 ... -
JBOSS共享安装
2009-08-07 14:36 1918本文内容适合于Jboss 4.x系列应用服务器。 在项目中, ... -
Tomcat热部署
2009-06-24 20:33 3778使用过tomcat的人都知道 ... -
Improved Session Tracking
2009-06-24 01:23 1148Improved Session Tracking Septe ... -
tomcat数据库连接池设置
2009-06-23 16:56 14031.Tomcat中的设置 2.我的工作目录在c:\eclip ... -
ORA-12514:TNS:监听程序当前无法识别连接描述符中请求的服务
2009-06-23 16:47 24921. 首先查看tnsnames.ora ... -
webwork type等于redirect时的参数传递
2009-06-23 02:09 2132Webwork在使用result类型为redirect时,将会 ... -
js跨域问题小结
2009-06-11 15:43 1699js跨域问题小结 javascript出于安全方面的考虑,是不 ... -
Spring共享上下文机制
2009-05-19 15:53 3832对于Spring应用程序上下文的引用基本有两种形式 ... -
webwork result type之redirect&redirect-action
2009-05-09 17:49 3208可能大家都知道在webwork里面如果想重定向到另外一个 ... -
使用javascirpt获取JSON格式的日期
2009-05-08 14:00 1970在用json-lib里的net.sf.json.JSONO ... -
JQuery JSON异步请求中文乱码问题
2009-05-08 13:48 15834最近在用Jquery的getJSON方法进行AJAX异步调 ... -
webwork-2.1.7与Spring2.0整合
2009-05-03 14:00 1437这里使用随webwork2.2发布的ActionAutowir ...
相关推荐
android获取jsessionId和发送jsessionId
tomcat修改jsessionid在cookie中的名称
重定义URL 使其直接进去网页 不用登录 用于:邮件链接直接进入网站
Set-Cookie: JSESSIONID=8AB51DC4244907FD9EBB063C7FD73CBA; Path=/; HttpOnly 解决此类cookie暴露项目路径问题
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED.... * LIABLE FOR ANY DIRECT, ...
Java针对Cookie禁用,给出了解决方案,依然可以保证JSESSIONID的传输。 Java中给出了再所有的路径的后面拼接JSESSIONID信息。 在 Session1Servlet中,使用response.encodeURL(url) 对超链接路径拼接 session的唯一...
Nginx Tomcat 集群的Session 复制,解决了,集群情况下的session复制问题。
避免可能会绕过CVE-2015-5211对RFD攻击的保护,具体取决于通过使用jsessionid路径参数使用的浏览器。
所以解决方案如下: 方法一:url中紧跟servlet/jsp文件名加;jsessionid=sessionId,其中sessionId由HttpSession.getId()得到,如http://localhost:8080/aaa/bbb.jsp;jsessionid=975FCCA6FD6058E92DDE932962A44252?...
1、vue开发后台管理项目,登录后,请求数据每次session都不一致,后台返回未登录,处理方法打开main.js设置: // The Vue build version to load with the `import` command // (runtime-only or standalone) has ...
研究 multipart/form-data 上传协议。内附实例代码,服务端 java,客户端 c#。
色彩基础.作为网页制作工作者参改用不错.资料虽老.但有时要查个东东也很烦.
Cookie的英文原意是“点心”,它是在客户端访问Web服务器时,服务器在客户端硬盘上存放的信息,好像是服务器发送给客户的“点心”。服务器可以根据Cookie来跟踪客户状态,这对于需要区别客户的场合(如电子商务)...
java实现多次HttpURLConnection共享session,发送两次请求共享同一个session,这样做爬虫的时候就可以爬网站登录后能看到的内容了
一个基于vitamio的视频播放器,自己的毕设作品。实现本地播放,和网络视频播放。还有本地音乐播放功能
关于2010那洞 我就不说了 2011那个也不说了 (这两成功率 还是顶高的) s2-013 实战 鸡肋 (要不然这工具也不会丢出来了 最好你自己打个环境来测一下 免得你以为工具不能用) ...jsessionid 能不能搞到 纯属看你人品了
IFrame中Session丢失的解决办法
VMware Tanzu发布安全公告,公布了一个存在于Spring Framework中的反射型文件下载(Reflected File Download,RFD)漏洞CVE-2020-5421。CVE-2020-5421 可通过jsessionid路径参数,绕过防御RFD攻击的保护。先前针对RFD...
cd CVE-2020-9484$ docker build -t tomcat:groovy .$ docker run -d -p 8080:8080 tomcat:groovy开发$ curl 'http://127.0.0.1:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../usr/local/tomcat/groovy'...