会话失效后单击浏览器后退按钮时防止 ViewExpiredException
我试图找出如何防止 Glassfish 中 JSF 登录表单上的 会话固定 3.1. 使用 Servlet 很容易做到,所以我尝试用 JSF 做同样的事情(基于此问题:从 JSF 请求中检索会话 ID 值):
FacesContext fCtx = FacesContext.getCurrentInstance();
HttpSession session = (HttpSession) fCtx.getExternalContext().getSession(false);
session.invalidate();
fCtx.getExternalContext().getSession(true);
它似乎有效,但是当我单击浏览器的后退按钮并重新输入登录详细信息我得到:
javax.faces.application.ViewExpiredException: viewId:/index.xhtml - 查看 /index.xhtml 无法恢复。
仅在“刷新”并重新发送后才能再次工作。
原因可能是什么?
I am trying to figure out how to prevent Session Fixation on an JSF login form in Glassfish 3.1.
It was easy to do with Servlets, so I am trying to do the same with JSF (based on this question: Retrieving session ID value from a JSF request):
FacesContext fCtx = FacesContext.getCurrentInstance();
HttpSession session = (HttpSession) fCtx.getExternalContext().getSession(false);
session.invalidate();
fCtx.getExternalContext().getSession(true);
It seems to work, but when I click the browser's back button and re-enter login details I get:
javax.faces.application.ViewExpiredException:
viewId:/index.xhtml - View
/index.xhtml could not be restored.
It works again only after "refresh" and resend.
What could be the reason for that?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您需要指示浏览器不缓存 JSF 页面。创建一个映射为
@WebFilter(servletNames={"facesServlet"})的Filter并在doFilter()方法中执行以下工作将强制浏览器在按下后退按钮时触发全新的 GET 请求。否则,它只会从缓存返回页面,并且表单提交将失败,因为服务器端视图状态随着会话失效而丢失。
You need to instruct the browser to not cache the JSF pages. Create a
Filterwhich is mapped as@WebFilter(servletNames={"facesServlet"})and does the following job indoFilter()methodThis will force the browser to fire a brand new GET request on back button press. It would otherwise only return the page from the cache and the form submit will then fail because the server side view state is been lost with the session invalidation.