
How to invalidate a user's session

I work on an enterprise WebLogic portal environment. Let's say the portal is on a.whereiwork.com and has many WSRP portlets as well as several iframed portlets that point to pages in another subdomain, b.whereiwork.com (a legacy app we also own the codebase for). We have a current issue where users log out of the portal, but when they log back in their session on b.whereiwork.com is persisted, and we have some issues getting the JSESSIONID cleared on that subdomain.

This represents a major security issue, as the next person to log in on that computer might not be the same user (for instance someone logs in then out, and his wife logs in and sees data from his session).

One thing we thought to try is adding an iframe to the subdomain on the logout page which invalidates the session on the subdomain. Security is a little different on the other subdomain and it's more complicated than I can really go into here. Take my word for it - it won't work.

The best idea we currently have is to add a top-level servlet filter on b.whereiwork.com that checks to see if the security cookie has changed and then calls session.invalidate(). This way, if the user logs out we can leave their session as is unless they try to log back in. We can detect that it is a different login because the login is tracked in a separate cookie.

So my question is: is there any issue calling session.invalidate() in a top-level filter? Assume that other filters in the filter chain will need to create objects in the session. I'm guessing that after calling invalidate on the session the page would return a different JSESSIONID?

Any other suggestions that might be cleaner would be appreciated.
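The filter design sketched in the question, written out as an added example (this is not the asker's code or any WebLogic-provided class). It assumes the portal tracks the current login in a cookie named PORTAL_LOGIN; the cookie name and the session attribute key are both assumptions for this example. The filter remembers which login a session was created under and invalidates the session only when a different login shows up with the same JSESSIONID, which is exactly the "leave the session alone after logout, clear it on a new login" behaviour the question describes.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Example filter for b.whereiwork.com (added illustration, not the asker's code).
 * Invalidates the HTTP session when the login-tracking cookie no longer matches
 * the login the session was bound to, so a second user on the same browser never
 * inherits the first user's session data.
 */
public class LoginChangeFilter implements Filter {

    // Assumed name of the cookie in which the portal tracks the current login.
    static final String LOGIN_COOKIE = "PORTAL_LOGIN";
    // Session attribute under which this filter records the login the session belongs to.
    static final String BOUND_LOGIN_ATTR = LoginChangeFilter.class.getName() + ".boundLogin";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        String currentLogin = readCookie(request, LOGIN_COOKIE);
        HttpSession session = request.getSession(false); // do not create one just to inspect it

        if (session != null && currentLogin != null) {
            String boundLogin = (String) session.getAttribute(BOUND_LOGIN_ATTR);
            if (boundLogin != null && !boundLogin.equals(currentLogin)) {
                // A different login is presenting the old JSESSIONID: discard everything
                // the previous user left behind. The old HttpSession object must not be
                // touched after this point (the container throws IllegalStateException).
                session.invalidate();
                session = null;
            }
        }

        if (currentLogin != null) {
            // getSession(true) after invalidate() creates a fresh session; the container
            // sends a new JSESSIONID cookie with the response, so downstream filters and
            // servlets that call request.getSession() all see the new session.
            session = request.getSession(true);
            if (session.getAttribute(BOUND_LOGIN_ATTR) == null) {
                session.setAttribute(BOUND_LOGIN_ATTR, currentLogin);
            }
        }
        // No login cookie at all (user logged out): the session is left as is, per the question.

        chain.doFilter(request, res);
    }

    @Override
    public void destroy() { }

    /** Returns the value of the named cookie, or null if the request does not carry it. */
    private static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies(); // null when the request has no Cookie header
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }
}
```

Two points matter for the "top-level" part of the question. First, the filter must be the first filter-mapping in web.xml for the paths it protects; any filter that obtains the HttpSession before this one runs would hold a reference to the invalidated object and fail with IllegalStateException on its next call. Second, the filter only ever reads the login cookie and never trusts it for authorization: it is used as a change detector, and the session data itself is what gets discarded.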

I've decided to use JSONP to send a cross-domain message to the other domain to clear the session. Seems to be working.

The best approach will be to have the same security token across different servers. But as you said, that is not possible. The next solution can be to use HTTPSessionListener to clear the session when the user logs out of the main domain or when the session times out. That will ensure that the sessions across domains are in sync.
