Spring 引导:注销后,带有过期 Cookie 的请求仍然可用
[英]Spring boot: Requests with an expired Cookie is still available after logging out
问题描述
In the spring boot project, when the user logouts, we invalidate the cookie with this block of code:
在 spring 引导项目中,当用户注销时,我们使用以下代码块使 cookie 失效:
//name = "Token"
//value = "expired"
//age = 0
private void setExpiredCookie(HttpServletResponse response, String name, String value, int age) {
Cookie cookie = new Cookie(name, value);
cookie.setSecure(true); //Send cookie to the server only over an encrypted HTTPS connection
cookie.setHttpOnly(true); //Preventing cross-site scripting attacks
cookie.setPath("/"); //Global cookie accessible every where
cookie.setMaxAge(age); //Deleting a cookie. I Passed the same other cookie properties when you used to set it
response.addCookie(cookie);
}
However, after logout, I tested my website with an application for catching the request and resending it through the repeater, with exact values, such as token and payload.然而,在注销后,我用一个应用程序测试了我的网站,以捕获请求并通过中继器重新发送它,并使用准确的值,例如令牌和有效负载。
I resent a request, for example, to change the email address, and this request, despite logging out , is valid for 15 minutes (for the life of the original cookie).例如,我拒绝了更改 email 地址的请求,尽管已注销,但此请求在 15 分钟内有效(对于原始 cookie 的生命周期)。
What am I missing?我错过了什么? Because I am properly deleting and protecting cookies.因为我正在妥善删除和保护 cookies。
1 个解决方案
解决方案1
0 2023-01-30 06:50:36
You are just creating new cookie.您只是在创建新的 cookie。 You should invalidate cookie with session id, which was given to you when you authenticated.您应该使用 session id 使 cookie 无效,该 id 在您进行身份验证时提供给您。 Simply use this:只需使用这个:
HttpSession session = httpServletRequest.getSession(false);
session.invalidate();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.