使Session更安全的方法:
1. 分配给用户 Session ID 时,同时记录用户使用的浏览器(User-Agent)和 IP 地址作为辅助验证依据,使攻击者仅凭窃取到的 Session ID 难以冒充该用户(Session ID 欺骗 / 会话劫持)。需要注意这些信息的局限:客户端端口号在每次 TCP 连接时都会变化,不能用作绑定依据;IP 地址在 NAT、移动网络或反向代理之后可能变化或被多个用户共享(反向代理后 getRemoteAddr() 得到的只是代理地址);User-Agent 完全由客户端控制,可以任意伪造。因此它们只能作为辅助信号,核心防线仍然是足够随机的 Session ID、标记为 HttpOnly/Secure 的 Cookie 以及全站 HTTPS。
2. 登录成功时重置 Session(先使旧会话失效,再创建一个新会话,从而更换 Session ID)也是一个有效的方法,用于防止会话固定(Session Fixation)攻击:攻击者无法再使用登录前预先植入的 Session ID 继续访问。注意 invalidate() 会丢弃旧会话中的全部属性,需要保留的数据应先取出、再放入新会话。//request.getSession().invalidate(); request.getSession(true);
encodeURL(以 Tomcat 的实现为例)在附加 jsessionid 之前还会对 URL 做判断处理:如果 url 为空字符串(长度为 0 的字符串),则将 url 转换为完整的 URL(以 http 或 https 开头);如果 url 本身已是完整的 URL 但不含任何路径(即只包含协议、主机名、端口,例如 http://127.0.0.1),则在末尾加上根路径符号 /。
也就是说,encodeURL 只对上述两种特殊输入改写 URL 本身,其余情况(例如相对路径 /001.html)仍按原样附加 jsessionid,返回的依然是相对路径;而 encodeRedirectURL 则完全不改写 URL 本身,只专注于在需要时添加 jsessionid 参数。另外有两点需要注意:其一,容器通常只在当前请求的 Session ID 不是从 Cookie 得到时(首次访问、或客户端禁用了 Cookie)才会附加 jsessionid,一旦浏览器带着 JSESSIONID Cookie 回访,这两个方法都会原样返回 URL;其二,把 Session ID 写进 URL 会使其随 Referer 头、访问日志和浏览器历史泄露,生产环境应禁用 URL 重写(例如 Spring Boot 2 中设置 server.servlet.session.tracking-modes=cookie,或在 web.xml 中配置 <tracking-mode>COOKIE</tracking-mode>),并将 JSESSIONID Cookie 标记为 HttpOnly 与 Secure。
package com.cesmart.controller;

import java.lang.ProcessBuilder.Redirect;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Demo endpoint for two of the session-hardening notes in this page: printing
 * the client's transport details, and "resetting" the session (invalidate the
 * old one, then obtain a fresh one) so that the session id changes -- the
 * usual defence against session fixation. It also shows what encodeURL and
 * encodeRedirectURL return before and after the reset, then redirects to
 * /WebTestUrl2.
 *
 * <p>NOTE(review): the request/response are field-injected into a singleton
 * controller; Spring serves them through request-scoped proxies, but taking
 * them as handler-method parameters is the conventional form.
 */
@Controller
public class WebTestUrl {

    @Autowired
    protected HttpServletResponse response;

    @Autowired
    protected HttpServletRequest request;

    /**
     * Prints request/session diagnostics to stdout, replaces the current
     * session with a new one and redirects to /WebTestUrl2.
     *
     * @return a Spring MVC "redirect:" view name; the target carries a
     *         ";jsessionid=..." suffix whenever the container decides that URL
     *         rewriting is needed
     */
    @RequestMapping("/WebTestUrl")
    public String webTest() {
        System.out.println("WebTestUrl");
        // Deliberately not printing request.getCookies(): expanded, it would
        // write the JSESSIONID cookie value to the log.

        // NOTE(review): behind a reverse proxy getRemoteAddr()/getRemoteHost()
        // report the proxy, and getRemotePort() is the client's ephemeral port,
        // which changes on every TCP connection -- it is not usable as a
        // session-binding key.
        print("getRemoteAddr", request.getRemoteAddr());
        print("getRemoteHost", request.getRemoteHost());
        print("getRemotePort", request.getRemotePort());

        // Session before the reset (getSession() creates one if none exists).
        print("hashCode", request.getSession().hashCode());
        print("encodeRedirectUrl", response.encodeURL("/001.html"));

        // Session reset: drop the old session entirely (all of its attributes
        // are lost), then let the container issue a brand-new id.
        request.getSession().invalidate();
        print("getSession", request.getSession());
        print("hashCode", request.getSession().hashCode());
        print("encodeRedirectUrl", response.encodeURL("/001.html"));

        // NOTE(review): if the container appends ;jsessionid here, the new
        // session id travels in the Location header and can leak through
        // access logs and Referer headers.
        String redirectTarget = response.encodeRedirectURL("/WebTestUrl2");
        print("encodeRedirectUrl", redirectTarget);
        return "redirect:" + redirectTarget;
    }

    /** Writes one "label == value" diagnostic line to stdout. */
    private static void print(String label, Object value) {
        System.out.println(label + " == " + value);
    }
}
package com.cesmart.controller;

import java.lang.ProcessBuilder.Redirect;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Target of the redirect issued by WebTestUrl. Prints the session state it
 * receives and returns a single HTML link whose href has been passed through
 * the container's session URL-rewriting.
 *
 * <p>NOTE(review): as a {@code @RestController} the returned string is written
 * straight to the body; the Content-Type it gets depends on content
 * negotiation with the client's Accept header -- confirm it is served as
 * text/html where a rendered link is expected.
 */
@RestController
public class WebTestUrl2 {

    @Autowired
    protected HttpServletResponse response;

    @Autowired
    protected HttpServletRequest request;

    /**
     * Logs cookie/session diagnostics and returns an HTML anchor to /001.html.
     *
     * @return an {@code <a>} element whose href may carry ";jsessionid=..."
     */
    @RequestMapping("/WebTestUrl2")
    public String webTest2() {
        System.out.println("WebTestUrl2");
        // Prints only the Cookie[] reference (e.g. "[Ljavax.servlet.http.Cookie;@..."),
        // not the cookie values; expanding it would log the JSESSIONID value.
        System.out.println("getCookies == " + request.getCookies());
        System.out.println("getSession == " + request.getSession());
        System.out.println("getSession == " + request.getSession().hashCode());

        // NOTE(review): the servlet API intends encodeURL for links embedded in
        // a page and encodeRedirectURL for sendRedirect targets, and allows the
        // two to apply different rules; an <a href> would normally go through
        // encodeURL. Left as-is because this page is comparing the two calls.
        // String encodeRedirectUrl = response.encodeURL("/001.html");
        String link = response.encodeRedirectURL("/001.html");
        System.out.println("encodeRedirectUrl == " + link);

        String html = anchor(link);
        System.out.println("returnString == " + html);
        return html;
    }

    /**
     * Wraps the href in the "购买" (buy) anchor. The href is produced by the
     * container, not taken from user input, so no attribute escaping is done.
     */
    private static String anchor(String href) {
        StringBuilder sb = new StringBuilder();
        sb.append("<a href='").append(href).append("'>购买</a>");
        return sb.toString();
    }
}
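package com.cesmart;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;

import com.cesmart.entity.TestBean;
import com.cesmart.entity.TestBean2;

/**
 * Spring Boot entry point. Boots the context, then looks up three demo beans
 * ("testBean", "testBean2", "testBean3") and prints them.
 */
//@Configuration
@EnableAutoConfiguration
// @ComponentScan(basePackages = "com.cesmart.config") // which packages to scan for beans
@ComponentScan(basePackages = "com.cesmart") // which packages to scan for beans. @ComponentScan({"com.teradata.notification","com.teradata.dal"})
public class Application {

    /**
     * Starts the application and prints the three demo beans.
     *
     * @param args command-line arguments passed through to Spring Boot
     */
    public static void main(String[] args) {
        ApplicationContext applicationContext = SpringApplication.run(Application.class, args);

        // Typed lookups: a wrong bean type fails with a descriptive Spring
        // exception instead of a bare ClassCastException.
        TestBean testBean = applicationContext.getBean("testBean", TestBean.class);
        System.out.println("TestBean == " + testBean.toString());

        TestBean2 testBean2 = applicationContext.getBean("testBean2", TestBean2.class);
        System.out.println("TestBean2 == " + testBean2.toString());

        // Fix: this line previously printed testBean2 again, so the bean it
        // had just looked up under "testBean3" was never shown.
        TestBean2 testBean3 = applicationContext.getBean("testBean3", TestBean2.class);
        System.out.println("TestBean3 == " + testBean3.toString());
    }
}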