Session Id Security

session id security issues

The most common way is to manage the session id yourself

1. After the user logs in, the backend creates an encrypted accessToken and returns it to the user.

2. The client stores the accessToken it receives. A web client can keep it in session storage; a mobile app can likewise persist it so the user stays signed in.

3. At the same time, the server keeps its own record of the accessToken and its context, such as: deviceId, IP, accessToken, loginTime, logoutTime, userId, userAgent, etc.

4. Every API request carries the accessToken, and the server checks it against the stored record. Only if the check succeeds is the requested operation executed.
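The following is an added example, not code from the original post, of the four steps above as a small in-memory server-side store. The record fields (userId, deviceId, ip, userAgent, loginTime, logoutTime) follow the list in step 3; everything else is an assumption. Two choices go slightly beyond the text: the token is a random opaque value rather than an encrypted one, and the store keeps only a SHA-256 hash of it, so a copied session table cannot be replayed as live tokens.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Added example (not the original post's code): self-managed accessToken store. */
public class AccessTokenStore {

    /** Server-side record kept for each issued token (step 3 of the list above). */
    public static final class Session {
        public final String userId, deviceId, ip, userAgent;
        public final Instant loginTime;
        public volatile Instant logoutTime;  // null while the session is live

        Session(String userId, String deviceId, String ip, String userAgent, Instant loginTime) {
            this.userId = userId; this.deviceId = deviceId; this.ip = ip;
            this.userAgent = userAgent; this.loginTime = loginTime;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Session> byTokenHash = new ConcurrentHashMap<>();
    private final Duration ttl;  // assumed session lifetime

    public AccessTokenStore(Duration ttl) { this.ttl = ttl; }

    /** Step 1: issue an unguessable token after a successful login. */
    public String issue(String userId, String deviceId, String ip, String userAgent) {
        byte[] raw = new byte[32];  // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Store only the hash: the plaintext token exists solely on the client.
        byTokenHash.put(sha256(token), new Session(userId, deviceId, ip, userAgent, Instant.now()));
        return token;
    }

    /** Step 4: validate the token presented on an API call; empty means "reject". */
    public Optional<Session> validate(String token, String ip, String userAgent) {
        if (token == null) return Optional.empty();
        Session s = byTokenHash.get(sha256(token));  // lookup by hash, no string compare on the secret
        if (s == null || s.logoutTime != null) return Optional.empty();
        if (s.loginTime.plus(ttl).isBefore(Instant.now())) {  // expired: close it server-side
            s.logoutTime = Instant.now();
            return Optional.empty();
        }
        // Binding the token to the recorded IP and user agent makes a stolen copy harder to reuse.
        if (!s.ip.equals(ip) || !s.userAgent.equals(userAgent)) return Optional.empty();
        return Optional.of(s);
    }

    /** Server-side logout: the token stops working even if the client still holds it. */
    public boolean revoke(String token) {
        Session s = byTokenHash.get(sha256(token));
        if (s == null || s.logoutTime != null) return false;
        s.logoutTime = Instant.now();
        return true;
    }

    private static String sha256(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        // Constructed sample client data for the demonstration.
        AccessTokenStore store = new AccessTokenStore(Duration.ofMinutes(30));
        String ua = "Mozilla/5.0 (constructed)";
        String token = store.issue("user-42", "device-A", "198.51.100.7", ua);
        System.out.println("same client:   " + store.validate(token, "198.51.100.7", ua).isPresent());
        System.out.println("other IP:      " + store.validate(token, "203.0.113.9", ua).isPresent());
        store.revoke(token);
        System.out.println("after logout:  " + store.validate(token, "198.51.100.7", ua).isPresent());
    }
}
```

The IP binding is a trade-off: mobile clients change addresses as they move between networks, so a real deployment may bind to the deviceId instead, or treat an IP change as a reason to re-authenticate rather than to reject outright. The logoutTime field is what makes server-side revocation possible at all; a token the client merely deletes is not logged out.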

With Spring Security (suitable for CMS)

1. The session id is created by Spring Security.

2. It is then sent to the client and stored in the browser's cookie.

3. Every request sends the cookie back to the server, which verifies it and checks whether the session has timed out.

4. This method requires the HttpOnly and Secure flags to be set on the cookie in Tomcat, so that the session cookie is out of reach of injected scripts (XSS) and is never sent over plain HTTP.

HttpOnly:

If the "HttpOnly" attribute is set on the cookie, client-side code (JS scripts, Applets, etc.) cannot read the cookie value, which stops a script injected through XSS from stealing the session cookie.

Configuration:

Edit context.xml under tomcat/conf/ and set the attribute on the root element: <Context useHttpOnly="true">

Secure:

When set to true, the cookie is only transmitted in a protected form: the browser sends it to the server only over an HTTPS connection, and it is withheld on plain HTTP connections. The cookie value is therefore never exposed on an unencrypted channel.

Configuration: (generally used with HTTPS certificates)

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/local/tomcat7/server.keystore"
               keystorePass="Envisi0n" />
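Once both settings are applied, the effective check is the Set-Cookie header the server actually emits. The following is an added example, not part of the original post, of a small checker that inspects such a header and reports which of the two attributes discussed above (HttpOnly, Secure) are missing; the sample headers in main are constructed, not captured from a real server.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Added example (not the original post's code): verify session cookie attributes. */
public class SessionCookieCheck {

    /** Returns the attributes missing from one Set-Cookie header value, in a fixed order. */
    public static List<String> missingAttributes(String setCookieHeader) {
        List<String> missing = new ArrayList<>();
        boolean httpOnly = false, secure = false;
        // parts[0] is "name=value"; the remaining parts are attributes such as Path, HttpOnly, Secure.
        String[] parts = setCookieHeader.split(";");
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);  // attribute names are case-insensitive
            if (attr.equals("httponly")) httpOnly = true;
            else if (attr.equals("secure")) secure = true;
        }
        if (!httpOnly) missing.add("HttpOnly");
        if (!secure) missing.add("Secure");
        return missing;
    }

    /** Convenience wrapper: true when the header carries both protections. */
    public static boolean isHardened(String setCookieHeader) {
        return missingAttributes(setCookieHeader).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample headers: one with no protection, one as expected after the
        // useHttpOnly="true" and HTTPS connector settings above are in place.
        String plain    = "JSESSIONID=0123456789ABCDEF; Path=/";
        String hardened = "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly";
        System.out.println("missing on plain header:    " + missingAttributes(plain));
        System.out.println("missing on hardened header: " + missingAttributes(hardened));
        System.out.println("hardened header passes:     " + isHardened(hardened));
    }
}
```

In practice the header to feed into this check is the one returned by the login response (or any response that creates the session), fetched over the HTTPS connector; a cookie set on the plain-HTTP port will lack Secure regardless of the context.xml setting, because that flag is derived from the connector, not from useHttpOnly.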

This article is reproduced; original source: http://youyu4.iteye.com/blog/2335405
