Session hijacking prevention in ZK
I am extremely new to the web-development scene, but I was wondering: does anybody know what mechanisms the ZK framework uses in order to prevent session hijacking?
Comments (1)
If you use ZK and ZK Spring Security, it will handle this transparently for you.

The mechanism is straightforward. After the end user logs in, a new session is created and all attributes in the old session are copied over to the new one (to keep the state). Then the old session is invalidated and the end user works with the new session from then on. Because the old session number the "bad guy" had has already been invalidated, there is no way for the "bad guy" to hijack the session.
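An added example of the migration step the answer describes, written against the plain Servlet API; it is not ZK's or Spring Security's own code, and the helper name `SessionMigration.migrate` is an assumption, meant to be called once right after credentials have been verified:

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not ZK or Spring Security code): replaces the pre-login
 * session with a fresh one so that any session id known before login is useless.
 */
public final class SessionMigration {

    private SessionMigration() {}

    /** Returns the new session; the pre-login session is invalidated and its id is dead. */
    public static HttpSession migrate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No session existed before login: simply start a fresh one.
            return request.getSession(true);
        }
        // 1. Snapshot every attribute of the pre-login session (saved request,
        //    locale, cart, ...) so the user does not lose state. This must happen
        //    BEFORE invalidate(): reading an invalidated session throws
        //    IllegalStateException.
        Map<String, Object> carried = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            carried.put(name, old.getAttribute(name));
        }
        // 2. Invalidate the old session. Any id an attacker planted or observed
        //    before login now refers to nothing on the server.
        old.invalidate();
        // 3. Create a new session; the container issues a fresh id and sends it
        //    to the browser in a new Set-Cookie header.
        HttpSession fresh = request.getSession(true);
        // 4. Copy the snapshot over. The authenticated principal should be stored
        //    only on this new session, never on the old one.
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

On Servlet 3.1 or later, `request.changeSessionId()` rotates the id in place without the copy-and-invalidate dance, which is what Spring Security uses by default on such containers.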