Servlet - 使用 changeSessionId() 改变SessionId 防止会话固定攻击

在会话固定攻击，黑客获取/设置（通过任何方式）另一个人的会话ID。然后，黑客可以冒充他人并获取敏感信息。

Java Servlet 3.1 引入了以下 HttpServletRequest 方法：

String changeSessionId()

此方法将当前会话 id 更改为新的，从而提供针对会话固定攻击的保护。

Servlet 3.1 还引入了HttpSessionIdListener用于接收 HttpSession id 更改通知。

对于 3.1 之前的版本，我们可以使用以下步骤：

HttpSession session = .....
    .....
session.invalidate();
session=request.getSession(true);
//now set data from old session here

例子

在以下示例中，我们将学习如何使用 Servlet 3.1 API 对抗会话固定。

登录 servlet

@WebServlet(name = "userLoginServlet", urlPatterns = {"/login"})
public class LogInServlet extends HttpServlet {
 
  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
          throws ServletException, IOException {
 
      HttpSession session = req.getSession();
      String userKey = "loggedInUser";
      User user = (User) session.getAttribute(userKey);
      if (user == null) {
          user = loadUserForRequest(req);
          session.setAttribute(userKey, user);
      }
      prepareLogginInfoHtml(user, resp);
      req.changeSessionId();
  }
 
  private void prepareLogginInfoHtml(User user, HttpServletResponse resp)
          throws IOException {
      resp.setContentType("text/html");
      PrintWriter w = resp.getWriter();
      w.write("User logged in " + user.getName());
      w.write("<br/><a href='/balance'>Show Balance</a>");
  }
 
  private User loadUserForRequest(HttpServletRequest req) {
      //returning a dummy user
      return new User("1", "Mike", "12312",
              BigDecimal.valueOf(200000));
  }
}

public class User {
  private String id;
  private String name;
  private String accountNumber;
  BigDecimal currentBalance;
    .............
}

用于登录后处理的另一个 servlet

@WebServlet(name = "userBalanceServlet", urlPatterns = {"/balance"})
public class BalanceServlet extends HttpServlet {
 
  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
          throws ServletException, IOException {
 
      HttpSession session = req.getSession();
      User user = (User) session.getAttribute("loggedInUser");
      if (user == null) {
          RequestDispatcher dispatcher = getServletContext().getRequestDispatcher("/login");
          dispatcher.forward(req, resp);
      } else {
          prepareBalanceInfoHtml(user, resp);
          req.changeSessionId();
      }
  }
 
  private void prepareBalanceInfoHtml(User user, HttpServletResponse resp) throws IOException {
      resp.setContentType("text/html");
      PrintWriter w = resp.getWriter();
      w.write("User logged in " + user.getName());
      w.write("<br/>Balance: " + user.getCurrentBalance());
  }
}

实现 AppSessionIdListener

@WebListener
public class AppSessionIdListener implements HttpSessionIdListener {
 
  @Override
  public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
      System.out.println("oldSessionId: " + oldSessionId);
      System.out.println("newSessionId: " + event.getSession().getId());
 
  }
}

mvn jetty:run

在本教程中，我们使用 Jetty 插件而不是 tomcat7-maven-plugin，因为 tomcat 插件不支持 Servlet 3.1（它支持最高 3.0 的版本）。

输出

点击“显示余额”链接：

服务器输出

正如我们的 HttpSessionIdListener 打印的那样：

.....
oldSessionId: node0md9ox8wtj0e91lr5kpuzw7dql0
newSessionId: node01jl2v0v5bvfwgxvhr7ao2f52z1
....
oldSessionId: node0nyhkl2ej1ret1716bwjwyl9a92
newSessionId: node0mqnz9mrwfg8a1it5hxc7rdg3v3
....

Chrome 检查 - 网络选项卡

示例项目

使用的依赖项和技术：

• javax.servlet-api 3.1.0 Java Servlet API
• jetty-maven-plugin 9.4.1.v20170120：Jetty maven 插件。
• JDK 1.8
• Maven 3.3.9