Spring boot: Requests with an expired Cookie are still available after logging out
In the Spring Boot project, when the user logs out, we invalidate the cookie with this block of code:
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

//name = "Token"
//value = "expired"
//age = 0
private void setExpiredCookie(HttpServletResponse response, String name, String value, int age) {
    Cookie cookie = new Cookie(name, value);
    cookie.setSecure(true);   // Send the cookie to the server only over an encrypted HTTPS connection
    cookie.setHttpOnly(true); // Hide the cookie from client-side scripts (limits what an XSS bug can read)
    cookie.setPath("/");      // Global cookie, accessible everywhere on the site
    cookie.setMaxAge(age);    // age = 0 makes the browser delete the cookie. Pass the same attributes (path, secure, ...) that were used when the cookie was set
    response.addCookie(cookie);
}
However, after logout, I tested my website with an application for catching the request and resending it through the repeater, with the exact values, such as the token and payload.
I resent a request, for example, to change the email address, and this request, despite logging out, is valid for 15 minutes (for the life of the original cookie).
What am I missing? Because I am properly deleting and protecting cookies.
You are just creating a new cookie. You should invalidate the cookie with the session id, which was given to you when you authenticated. Simply use this:
HttpSession session = httpServletRequest.getSession(false); // false: do not create a session if none exists
if (session != null) {
    session.invalidate(); // server-side: the session id is no longer accepted
}
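The point behind the answer, as an added example that is not part of the original question or answer: telling the browser to drop the cookie does nothing to the token the server already accepted, so a captured copy of the request keeps working until the token's own expiry. Logout therefore has to revoke on the server side as well. The code below assumes Spring Boot 2.x (javax.servlet; on Boot 3 the imports become jakarta.servlet), and the package name, class names, the in-memory revocation store and the /logout endpoint are all hypothetical; the cookie name "Token" and the 15-minute lifetime are taken from the question.

```java
package example.auth; // hypothetical package name

import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

/** Cookie name and lifetime as stated in the question. */
final class TokenConfig {
    static final String COOKIE_NAME = "Token";
    static final Duration TOKEN_LIFETIME = Duration.ofMinutes(15);
    private TokenConfig() {}
}

/**
 * Server-side revocation list (hypothetical, in-memory). A self-contained token stays
 * valid until its own expiry, so logout records it here; entries are dropped once the
 * token would have expired anyway, which bounds how large the list can grow.
 */
@Component
class TokenRevocationStore {
    // token value -> instant after which ordinary expiry checks reject the token anyway
    private final Map<String, Instant> revoked = new ConcurrentHashMap<>();

    void revoke(String token, Instant expiresAt) {
        revoked.put(token, expiresAt);
    }

    boolean isRevoked(String token) {
        Instant expiresAt = revoked.get(token);
        if (expiresAt == null) {
            return false;
        }
        if (Instant.now().isAfter(expiresAt)) {
            revoked.remove(token); // the token validator must reject expired tokens on its own
            return false;
        }
        return true;
    }
}

/** Rejects any request that still carries a revoked token; must run before the filter that trusts the token. */
@Component
class RevokedTokenFilter extends OncePerRequestFilter {
    private final TokenRevocationStore store;

    RevokedTokenFilter(TokenRevocationStore store) {
        this.store = store;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        Cookie token = WebUtils.getCookie(request, TokenConfig.COOKIE_NAME);
        if (token != null && store.isRevoked(token.getValue())) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // token replayed after logout
            return;
        }
        chain.doFilter(request, response);
    }
}

@RestController
public class LogoutController {
    private final TokenRevocationStore store;

    public LogoutController(TokenRevocationStore store) {
        this.store = store;
    }

    @PostMapping("/logout")
    public void logout(HttpServletRequest request, HttpServletResponse response) {
        // 1. Revoke the token on the server. Prefer the token's own expiry claim when it has one;
        //    now + lifetime is a safe upper bound when it does not.
        Cookie token = WebUtils.getCookie(request, TokenConfig.COOKIE_NAME);
        if (token != null) {
            store.revoke(token.getValue(), Instant.now().plus(TokenConfig.TOKEN_LIFETIME));
        }
        // 2. Invalidate the server-side session if the app has one (getSession(false) never creates one).
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // 3. Only now tell the browser to drop the cookie; this step alone is what the question's code does.
        Cookie expired = new Cookie(TokenConfig.COOKIE_NAME, "");
        expired.setSecure(true);
        expired.setHttpOnly(true);
        expired.setPath("/");
        expired.setMaxAge(0);
        response.addCookie(expired);
    }
}
```

Two practical caveats: if the token is a JWT, read its exp claim instead of assuming 15 minutes, and if the service runs on more than one instance the store has to be shared (a database or cache) or the token kept opaque and looked up server-side, so that logout can simply delete it. Either way, the replayed request from the question is refused because the server no longer recognises the token, not because the browser forgot the cookie.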