I am using the code below to avoid session hijacking.
I am able to log in successfully, but when I perform any other action after logging in, it breaks my session and asks me to log in again.
Please suggest what I am doing wrong and what should be done to avoid session hijacking.
<session-config>
    <cookie-config>
        <!-- <http-only>true</http-only> -->
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
The <http-only>true</http-only> flag should be uncommented. The same behavior can also be implemented on the Java side, for example:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // perform login checks and other validations
        String sessionid = request.getSession().getId();
        String contextPath = request.getContextPath();
        // re-issue the session cookie with the HttpOnly and Secure flags set
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
            + "; Path=" + contextPath + "; HttpOnly; Secure");
        response.sendRedirect("/some path");
    }
}
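As an added example that is not part of the original question or answer, the following shows the Servlet 3.0 programmatic equivalent of the `<session-config>` block (SessionCookieConfig plus COOKIE-only tracking), together with a login servlet that rejects plain-HTTP logins and defends against session fixation by issuing a fresh session id after authentication. It lets the container emit the Set-Cookie header instead of writing one by hand. The class names, the `/home` redirect target and the abstract `authenticate()` hook are assumptions made for illustration; the real credential check belongs in a concrete subclass mapped with `@WebServlet`.

```java
// Added example, not from the original question or answer. Assumes the Servlet 3.0
// API (javax.servlet.*); the names LoginServlet, SessionConfigListener, the "/home"
// redirect target and the authenticate() hook are illustrative assumptions.
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public abstract class LoginServlet extends HttpServlet {

    /**
     * Programmatic equivalent of the web.xml <session-config> block, run once at
     * startup. Both cookie flags and the tracking mode are set here so that the
     * container (not application code) emits every Set-Cookie for JSESSIONID.
     */
    @WebListener
    public static class SessionConfigListener implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setHttpOnly(true);  // JavaScript cannot read it via document.cookie
            cookie.setSecure(true);    // browser returns it over HTTPS only
            // COOKIE only: never rewrite URLs with ;jsessionid=..., which leaks the
            // id through access logs, browser history and the Referer header.
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    /** Real credential check, supplied by the concrete subclass (assumption). */
    protected abstract boolean authenticate(String user, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // A Secure cookie is never sent back over plain HTTP, so a session created
        // on an http:// login page is lost on the very next request. Refuse early
        // instead of failing silently. (Behind a TLS-terminating proxy, configure
        // the connector or RemoteIpValve so isSecure() reflects the client's scheme.)
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires HTTPS");
            return;
        }
        String user = request.getParameter("user");
        String password = request.getParameter("password");
        if (user == null || password == null || !authenticate(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Session fixation defence: discard any id that existed before login (an
        // attacker may have planted it) and bind the principal to a fresh one.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(15 * 60);  // idle timeout in seconds
        // No manual SET-COOKIE header: the container already wrote one with the
        // HttpOnly/Secure flags above; a second, hand-built copy can contradict it.
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

On Servlet 3.1 and later, `request.changeSessionId()` replaces the invalidate/recreate pair and keeps session attributes while rotating the id. Whichever variant is used, the `<secure>true</secure>` setting means the configuration can only be tested on an HTTPS deployment: over plain HTTP the browser simply does not return the cookie, and every request after login looks unauthenticated.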