Session Fixation Security Issue(4)Verify Additional Information
I will try to verify the client IP and client User-Agent: both are recorded in the session on its first request, and a later request that presents the same session id with a different IP or User-Agent gets that session invalidated and a fresh, empty one.
package com.sillycat.easywebflow.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Binds an existing session to the client IP and User-Agent seen on its
 * first request. A later request that presents the same session id from a
 * different IP or User-Agent gets the session invalidated and a fresh one.
 */
public class SessionFixationProtectionFilter implements Filter {

    private static final Log log = LogFactory
            .getLog(SessionFixationProtectionFilter.class);

    private static final String SESSION_IP_FILTER_CONSTANT = "session_ip_filter_constant";
    private static final String SESSION_USER_AGENT_FILTER_CONSTANT = "session_user_agent_filter_constant";

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // Fallback values keep the comparisons below null-safe.
        String currentClientIp = "127.0.0.1";
        String currentClientAgent = "useragent";
        String sessionClientIp = "";
        String sessionClientAgent = "";

        // getRemoteAddr() is the TCP peer: behind a reverse proxy or load
        // balancer this is the proxy's address, not the end user's.
        if (request.getRemoteAddr() != null
                && !"".equals(request.getRemoteAddr())) {
            currentClientIp = request.getRemoteAddr();
        }
        if (request.getHeader("User-Agent") != null
                && !"".equals(request.getHeader("User-Agent"))) {
            currentClientAgent = request.getHeader("User-Agent");
        }

        // getSession(false) never creates a session. If the request carries
        // no valid session id there is nothing to bind or verify yet; the
        // extra isRequestedSessionIdValid() condition of the first version
        // could let a null session through and fail on getAttribute().
        HttpSession session = request.getSession(false);
        if (session == null) {
            log.debug(" There is no session here !");
            chain.doFilter(request, response);
            return;
        }

        if (session.getAttribute(SESSION_IP_FILTER_CONSTANT) != null) {
            sessionClientIp = (String) session
                    .getAttribute(SESSION_IP_FILTER_CONSTANT);
        }
        if (session.getAttribute(SESSION_USER_AGENT_FILTER_CONSTANT) != null) {
            sessionClientAgent = (String) session
                    .getAttribute(SESSION_USER_AGENT_FILTER_CONSTANT);
        }
        log.debug(" current ip = " + currentClientIp + " session ip = "
                + sessionClientIp);
        log.debug(" current useragent = " + currentClientAgent
                + " session useragent = " + sessionClientAgent);

        if (!sessionClientIp.equals("")) {
            // The session already carries a binding, so this is not its
            // first request: compare it with what this request presents.
            if (!sessionClientIp.equalsIgnoreCase(currentClientIp)
                    || !sessionClientAgent
                            .equalsIgnoreCase(currentClientAgent)) {
                // A different client than the one that first used this
                // session id: kill it and hand out a fresh, empty session.
                String originalSessionId = session.getId();
                log.debug(" invalidate the old sessionid = "
                        + originalSessionId);
                session.invalidate();
                session = request.getSession(true);
                log.debug(" newly create sessionid = " + session.getId());
            }
        }
        // First request for this session, or a fresh one after a mismatch:
        // record the binding for the next request to check against.
        session.setAttribute(SESSION_IP_FILTER_CONSTANT, currentClientIp);
        session.setAttribute(SESSION_USER_AGENT_FILTER_CONSTANT,
                currentClientAgent);
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
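The same binding policy as the filter above, as an added example that is not code from the original post, written in Python so it runs stand-alone with a small in-memory session store instead of a servlet container. It also adds one thing the filter lacks: when the TCP peer is a trusted reverse proxy, the client IP is taken from X-Forwarded-For instead of the peer address, so the binding is not made against the proxy. The proxy address in TRUSTED_PROXIES, the Request and Session classes, the SessionStore, and every request in demo() are constructed for this example.

```python
"""Added example, not code from the original post: the Java filter's
IP + User-Agent session binding, in Python, plus trusted-proxy IP resolution.
All requests, sessions and the proxy address are constructed for the demo."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical reverse proxy in front of the app: only its X-Forwarded-For is trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

IP_KEY = "session_ip_filter_constant"         # same attribute names as the filter
UA_KEY = "session_user_agent_filter_constant"


@dataclass
class Request:
    remote_addr: str                          # TCP peer, like getRemoteAddr()
    headers: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None          # session cookie sent by the client


@dataclass
class Session:
    id: str
    attributes: Dict[str, str] = field(default_factory=dict)
    valid: bool = True


class SessionStore:
    """In-memory stand-in for the servlet container's session registry."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def get(self, session_id: str) -> Optional[Session]:
        # Like getSession(false): an invalidated or unknown id yields no session.
        s = self._sessions.get(session_id)
        return s if s is not None and s.valid else None

    def create(self) -> Session:
        # Like getSession(true) after invalidate(): a fresh, random id.
        s = Session(id=secrets.token_hex(16))
        self._sessions[s.id] = s
        return s


def client_ip(req: Request) -> str:
    """getRemoteAddr() semantics, corrected for a trusted proxy.

    X-Forwarded-For is consulted only when the TCP peer is a trusted proxy,
    and then walked right-to-left past trusted hops, so a value the client
    injected at the front of the header is never used."""
    peer = ipaddress.ip_address(req.remote_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                             # garbage in the header: stop trusting it
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


def session_binding_filter(req: Request, store: SessionStore) -> Tuple[Optional[Session], str]:
    """Apply the filter's policy to one request and return (session, action).

    action is 'none' (no session to check), 'bound' (first request, values
    stored), 'ok' (values matched) or 'invalidated' (mismatch: old session
    killed, fresh empty one issued)."""
    ip = client_ip(req)
    ua = req.headers.get("User-Agent") or "useragent"   # the filter's fallback value
    session = store.get(req.session_id) if req.session_id else None
    if session is None:
        return None, "none"
    stored_ip = session.attributes.get(IP_KEY, "")
    stored_ua = session.attributes.get(UA_KEY, "")
    action = "bound"
    if stored_ip:                                        # not the first request
        if stored_ip.lower() != ip.lower() or stored_ua.lower() != ua.lower():
            session.valid = False                        # session.invalidate()
            session = store.create()                     # request.getSession(true)
            action = "invalidated"
        else:
            action = "ok"
    session.attributes[IP_KEY] = ip
    session.attributes[UA_KEY] = ua
    return session, action


def demo() -> Tuple[List[str], bool]:
    """Victim binds a session, then an attacker replays the cookie from another IP."""
    store = SessionStore()
    victim_session = store.create()
    ua = "Mozilla/5.0 (constructed demo UA)"
    victim = Request("203.0.113.10", {"User-Agent": ua}, victim_session.id)
    _, a1 = session_binding_filter(victim, store)        # 'bound'
    _, a2 = session_binding_filter(victim, store)        # 'ok'
    attacker = Request("198.51.100.7", {"User-Agent": ua}, victim_session.id)
    fresh, a3 = session_binding_filter(attacker, store)  # 'invalidated'
    _, a4 = session_binding_filter(victim, store)        # 'none': the victim is logged out too
    old_id_dead = store.get(victim_session.id) is None and fresh is not None and fresh.id != victim_session.id
    return [a1, a2, a3, a4], old_id_dead


if __name__ == "__main__":
    print(demo())
```

Two things the demo makes visible that the filter's log lines do not: the User-Agent is chosen by the client, so an attacker who copies the victim's session cookie can copy the User-Agent as well and only the IP check is left; and a mismatching request does not merely get rejected, it invalidates the shared session, so the victim's next request finds no session either. Treat the binding as a defense-in-depth check on top of issuing a new session id at login, not as a replacement for it.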
references:
http://en.wikipedia.org/wiki/Session_fixation