Java – JSESSIONID / HttpSession vs. application-generated session ID

In a web application based on a proprietary MVC and authorization model, we recently migrated to Spring MVC.

On the surface it seems that, in our case, this will be a big disadvantage, because the standard JSESSIONID / HttpSession seems to be the root of all security evils:

- Session fixation (in the existing code a session is created only after successful login, so we never need to invalidate a session)
- CSRF – the session is never passed as a cookie, so this is no risk at all (God, this is a problematic one, because there is no real framework or common solution; check out HDIV and CSRFGuard)
- Testability – QA can easily have multiple users with multiple roles connected to the same server, which JSESSIONID cannot do
- Consistency of HttpSession creation and invalidation across containers (WebLogic, JBoss and WebSphere)
- JSESSIONID handling is inconsistent when moving between HTTP and HTTPS

So, beyond the obvious advantage of being "standard", is there any hint as to why I would go the JSESSIONID route?

Solution

There is no clear answer as to why you should or should not use JSESSIONID, but here are some comments on your concerns:

- Your application should not rely on whether a session exists or not. It should rely on whether the session is valid according to some rules you put on it (user authentication, roles assigned to the user, etc.).
- As long as you take care not to use GET for sensitive operations, CSRF is not a big problem, and it is easy to implement in Spring MVC, as you mentioned.
- Yes, if you rely on only one browser. As a side note, although manual testing is still necessary in some cases, many use cases can benefit from automation, thereby reducing the impact of having to switch from role to role.
- Never had a problem. But I try to minimize what is kept in the session.
- That is a good thing. It prevents you from leaving the secure connection without noticing.

Now, whichever option you choose, there will be some drawbacks. Having a UUID in every request (and therefore possibly in every GET URL) does not let your users easily use bookmarks, nor keep their sessions alive.
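The answer's first two points (judge a session by the rules you attach to it, not by its mere existence; protect only state-changing requests against CSRF and keep GET side-effect free), together with the session-fixation handling the question mentions, as an added example in plain Servlet API Java. This is not code from the original question or answer. It assumes the javax.servlet 4.0 API (swap the package prefix for jakarta.servlet on Jakarta EE 9+) and Java 9+; the paths, session attribute names, the `X-CSRF-Token` header and `_csrf` field names, and the in-memory user store are constructed for illustration.

```java
// File: LoginServlet.java  (javax.servlet 4.0 API and Java 9+ assumed; example code)
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "authenticatedUser";
    static final String ROLES_ATTR = "roles";
    static final String CSRF_ATTR = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    // Constructed placeholder user store; a real application verifies against a hashed
    // credential store. The session handling below is the point of this example.
    private static final Map<String, String> PASSWORDS =
            Map.of("alice", "correct horse", "bob", "battery staple");
    private static final Map<String, Set<String>> ROLES =
            Map.of("alice", Set.of("USER", "ADMIN"), "bob", Set.of("USER"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !credentialsValid(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Session fixation defence: discard any session id the browser presented before
        // authentication (it could have been planted by an attacker) and issue a fresh one.
        HttpSession stale = req.getSession(false);
        if (stale != null) {
            stale.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, user);
        session.setAttribute(ROLES_ATTR, ROLES.get(user));
        session.setAttribute(CSRF_ATTR, newToken());  // per-session anti-CSRF token
        resp.sendRedirect(req.getContextPath() + "/app/home");
    }

    /** 256-bit random token, URL-safe so it fits in a header or a hidden form field. */
    static String newToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    private static boolean credentialsValid(String user, String pass) {
        String expected = PASSWORDS.get(user);
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8));
    }
}

// File: SessionAndCsrfFilter.java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter("/app/*")
public class SessionAndCsrfFilter implements Filter {
    // Methods that must stay side-effect free; only then is skipping the token check safe.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Validity rule 1: a session counts only if login populated it. Never create one here.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(LoginServlet.USER_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Validity rule 2: the admin area additionally requires the ADMIN role. The path is
        // taken from servletPath + pathInfo, which the container has decoded and normalised
        // (getRequestURI() is raw and could be bypassed with percent-encoding).
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        Set<?> roles = (Set<?>) session.getAttribute(LoginServlet.ROLES_ATTR);
        if (path.startsWith("/app/admin") && (roles == null || !roles.contains("ADMIN"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // CSRF rule: every state-changing request must carry the token stored in the session.
        if (!SAFE_METHODS.contains(req.getMethod())) {
            String expected = (String) session.getAttribute(LoginServlet.CSRF_ATTR);
            String supplied = req.getHeader("X-CSRF-Token");
            if (supplied == null) {
                supplied = req.getParameter("_csrf");  // hidden form field fallback
            }
            if (expected == null || supplied == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8), supplied.getBytes(StandardCharsets.UTF_8))) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

Both classes register themselves through annotations, so a Servlet 3.0+ container picks them up without web.xml entries. Invalidating and recreating the session is the portable way to rotate the id; on Servlet 3.1+ containers `HttpServletRequest.changeSessionId()` rotates the id while keeping the attributes, which is what Spring Security does for you at login (session-fixation protection is on by default). The token check only works because the filter treats GET, HEAD and OPTIONS as safe, which is exactly why the answer insists that sensitive operations never go over GET.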
