Fixing the "Session Identifier Not Updated" vulnerability in Java or JSP


Reported by an AppScan scan.

1. Cause of the vulnerability:

AppScan records the cookies before and after the "login action", including the JSESSIONID (or whatever session cookie id the application uses). If that value has not changed after the login action, AppScan reports a "Session Identifier Not Updated" vulnerability.
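The same check can be reproduced offline to verify a fix before re-running the scanner. The following is an added example, not code from the original post or from AppScan: it takes the Set-Cookie header values observed on the pre-login response and on the login response (constructed samples below, not captured from a real application) and reports whether the session cookie was re-issued with a new value. The cookie name JSESSIONID is the Tomcat default; pass the application's own name where it differs.

```java
import java.util.List;

public class SessionIdRotationCheck {

    /** Returns the value of the named cookie from a list of Set-Cookie header values, or null if absent. */
    static String cookieValue(List<String> setCookieHeaders, String cookieName) {
        for (String header : setCookieHeaders) {
            // "JSESSIONID=abc123; Path=/app; HttpOnly" -> the first attribute is name=value
            String nameValue = header.split(";", 2)[0].trim();
            int eq = nameValue.indexOf('=');
            if (eq < 0) {
                continue;
            }
            String name = nameValue.substring(0, eq).trim();
            if (name.equalsIgnoreCase(cookieName)) {
                return nameValue.substring(eq + 1).trim();
            }
        }
        return null;
    }

    /**
     * True when the finding applies: a session cookie existed before login and the login
     * response either set no new value for it or set the same value again.
     * A login response that carries a different value means the id was rotated.
     */
    static boolean preAuthSessionIdKept(List<String> preLogin, List<String> postLogin, String cookieName) {
        String before = cookieValue(preLogin, cookieName);
        if (before == null) {
            return false; // no pre-authentication session id existed, so nothing could be fixated
        }
        String after = cookieValue(postLogin, cookieName);
        return after == null || after.equals(before);
    }

    public static void main(String[] args) {
        // Constructed sample headers, not from a real application.
        List<String> preLogin = List.of("JSESSIONID=A1B2C3D4E5F6; Path=/app; HttpOnly");
        List<String> loginNoRotation = List.of("theme=dark; Path=/app");
        List<String> loginRotated = List.of("JSESSIONID=Z9Y8X7W6V5U4; Path=/app; HttpOnly; Secure");

        System.out.println("login without new JSESSIONID -> finding: "
                + preAuthSessionIdKept(preLogin, loginNoRotation, "JSESSIONID"));
        System.out.println("login with new JSESSIONID    -> finding: "
                + preAuthSessionIdKept(preLogin, loginRotated, "JSESSIONID"));
    }
}
```

The header lists are what a proxy or the browser's network panel shows for the two responses; the parser only reads the leading name=value pair, so attributes such as Path and Secure do not affect the comparison.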

2. AppScan's remediation advice for "Session Identifier Not Updated":

General fix recommendation: always generate a new session for the user to log into upon successful authentication. Prevent users from manipulating the session identifier. Do not accept the session identifier supplied by the user's browser at login.

3. Changes made according to that advice:

   At login:

<%
// Drop the pre-authentication session so an id chosen before login never becomes an authenticated one.
// After this, obtain the new session with request.getSession(true) before storing any login state.
session.invalidate();
// Also expire the browser's copy of the session cookie.
Cookie[] cookies = request.getCookies();
if (null != cookies) {
    for (int i = 0; i < cookies.length; i++) {
        if ("JSESSIONID".equalsIgnoreCase(cookies[i].getName())) {
            cookies[i].setMaxAge(0);
            // The path must match the original cookie's path, or the browser keeps the old cookie.
            cookies[i].setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            response.addCookie(cookies[i]);
        }
    }
}
%>

  At logout:

<%
response.setHeader("Pragma", "no-cache");
response.setHeader("Cache-Control", "no-cache");
response.setDateHeader("Expires", 0);
// Invalidate only an existing session; getSession(false) avoids creating a throwaway one just to discard it.
HttpSession current = request.getSession(false);
if (current != null) {
    current.invalidate();
}
%>

4. Implementation approach in Spring Security:

    Step 1: extract all attributes and their values from the old session.

    Step 2: invalidate the old session.

    Step 3: create a new session and copy all attributes and values from the old session into it.

    /**
     * Called to extract the existing attributes from the session, prior to invalidating it. If
     * {@code migrateAttributes} is set to {@code false}, only Spring Security attributes will be retained.
     * All application attributes will be discarded.
     * <p>
     * You can override this method to control exactly what is transferred to the new session.
     *
     * @param session the session from which the attributes should be extracted
     * @return the map of session attributes which should be transferred to the new session
     */
    protected Map<String, Object> extractAttributes(HttpSession session) {
        return createMigratedAttributeMap(session);
    }

    final HttpSession applySessionFixation(HttpServletRequest request) {
        HttpSession session = request.getSession();
        String originalSessionId = session.getId();
        Map<String, Object> attributesToMigrate = extractAttributes(session);

        session.invalidate();
        session = request.getSession(true); // we now have a new session
        transferAttributes(attributesToMigrate, session);
        return session;
    }
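The three steps above, and the login/logout handling of section 3, written against the plain Servlet API rather than Spring Security. This is an added example, not code from the original post or from Spring Security; it assumes a Servlet 3.0+ container with the javax.servlet packages, and the servlet class names, URL paths and the "user" attribute are made up for illustration. The rotation runs before the response is committed, which the getSession javadoc quoted below requires.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Step 1: copy every attribute out of the old session; step 2: invalidate it;
     * step 3: create a fresh session (the container issues a new JSESSIONID) and
     * put the attributes back. Returns the new session.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attributes = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                attributes.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // new session, new id
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Expires the browser's copy of the session cookie and marks the response uncacheable. */
    public static void expireSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("JSESSIONID".equalsIgnoreCase(c.getName())) {
                    Cookie gone = new Cookie(c.getName(), "");
                    gone.setMaxAge(0);
                    // Path must match the cookie the container set, or the browser keeps it.
                    gone.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
                    response.addCookie(gone);
                }
            }
        }
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Cache-Control", "no-cache, no-store");
        response.setDateHeader("Expires", 0);
    }
}

/** Hypothetical login servlet; authenticate() stands in for the application's real credential check. */
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate first, then record the principal in the NEW session only, so the
        // id the browser presented before authentication is never an authenticated id.
        HttpSession session = SessionRotation.rotate(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private boolean authenticate(String user, String password) {
        return false; // placeholder: wire to the application's credential store
    }
}

/** Hypothetical logout servlet: invalidate server-side state and expire the cookie client-side. */
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        SessionRotation.expireSessionCookie(req, resp);
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}
```

On a Servlet 3.1 or newer container, `HttpServletRequest.changeSessionId()` performs the rotation in one call while keeping the attributes, so `rotate()` can be replaced by it; the invalidate-and-recreate form above is what works on the older containers the JSP snippets in section 3 target.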

Note: session = request.getSession(true); // we now have a new session

  getSession 

public HttpSession getSession(boolean create)

Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session.

If create is false and the request has no valid HttpSession, this method returns null.

To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.

Parameters: true - to create a new session for this request if necessary; false to return null if there's no current session

Returns: the HttpSession associated with this request or null if create is false and the request has no valid session.

5. A brief summary:

   Using session.invalidate at login or logout is the simplest way to fix "Session Identifier Not Updated"; the Spring Security approach is the more complete fix.
