
I am developing an application in Java that appears to have a session hijacking vulnerability.

To prevent this, it is recommended that the JSESSIONID be changed for the user after login.

My application is based on Struts 2.0 and Tomcat 7, and I have implemented code to change the JSESSIONID after the user logs in.

But I ran into the following problem when running the code.

java.lang.IllegalStateException: setAttribute: Session already invalidated
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1289)
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1254)
at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
at org.apache.struts2.dispatcher.SessionMap.put(SessionMap.java:181)

Here is the code I wrote:

HttpServletRequest request = ServletActionContext.getRequest();
HttpSession httpSession = request.getSession();
HashMap<String, Object> attributes = new HashMap<String, Object>();
Enumeration<String> enames = httpSession.getAttributeNames();
while ( enames.hasMoreElements() )
{
    String name = enames.nextElement();
    if ( !name.equals( "JSESSIONID" ) )
    {
        attributes.put( name, httpSession.getAttribute( name ) );
    }
}
httpSession.invalidate();
httpSession = request.getSession(true);
// userInfoMap and getSession() are the Struts SessionMap injected through SessionAware;
// it still wraps the session invalidated above, so put() throws IllegalStateException
for ( Map.Entry<String, Object> et : attributes.entrySet() )
{
    userInfoMap.put( et.getKey(), et.getValue() );
}
getSession().put("userid",userId);//Setting value to session

1 Answer


Usually when you invalidate the session you should redirect to some action, so the new session map will be injected into it if the action implements SessionAware.

But in the code you posted you are trying to reuse the session map while it contains an old session.

answered 2013-06-04T13:23:15.263
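The pattern the answer describes, as an added example that is not part of the question or the answer above: attributes are copied off the old HttpSession, the session is invalidated, a new one is created, and the post-login value is written to the new HttpSession directly rather than through the Struts SessionMap that still wraps the invalidated session. The action then returns a result that should be mapped to a redirectAction, so the next action receives a SessionMap built on the new session. The class name LoginAction, the authenticate hook, the field names and the result mapping are assumptions, not code from the asker's project; the servlet API calls are standard Servlet 3.0 / Tomcat 7.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Base login action that renews the session after a successful login so the
 * pre-authentication JSESSIONID is not kept (hypothetical example class).
 * Subclasses supply the real credential check in authenticate().
 */
public abstract class LoginAction extends ActionSupport {

    private String username;
    private String password;

    /** Hypothetical hook: the application's real credential check goes here. */
    protected abstract boolean authenticate(String user, String pass);

    @Override
    public String execute() {
        if (!authenticate(username, password)) {
            addActionError("Login failed");
            return INPUT;
        }

        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession fresh = renewSession(request);

        // Write to the new HttpSession directly. A SessionMap injected into this
        // action through SessionAware still wraps the old, invalidated session,
        // and putting into it raises IllegalStateException.
        fresh.setAttribute("userid", username);

        // Map this result to a redirect in struts.xml (assumed configuration):
        //   <result name="success" type="redirectAction">home</result>
        // The redirected action then gets a SessionMap built on the new session.
        return SUCCESS;
    }

    /**
     * Copies the attributes of the current session (if any), invalidates it,
     * creates a new session with a new JSESSIONID and restores the attributes.
     * JSESSIONID is the cookie name, never a session attribute, so no filtering
     * of attribute names is needed.
     */
    static HttpSession renewSession(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
}
```

Because the Struts SessionMap is created once per request from whatever HttpSession existed when the action was prepared, nothing written through it after invalidate() can reach the new session; the redirect is what gives the following request a map over the renewed session.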