

Logout date and time without login

Actually I have a serious problem: I saw that somebody has accessed my site from Japan while I had not given any login ID and password to unauthorized users. I allotted user IDs and passwords to only authenticated users, and I am tracking login time, logout time, and login and logout IP address details when an authenticated user is logged in. But I found that in my database there is no login time, login user ID or login IP address, but there is a logout time and logout IP address present in my database where the user ID is null. How is it possible??? A person from Japan has logged out from my site at 16:20:18, whereas he has not logged in. How?? Logout without login?

Need help from experts, please.

My web application is made of JSP, servlets, Java classes and Oracle 10g. I have given the following protection:

 1. CSRF Protection 
 2. SQL Injection protection 
 3. XSS Protection 
 4. No Broken Authentication and session 

Very soon I am going to put in SSL.

Authentication servlet:

```java
// The snippet as posted begins inside the servlet's request method; the imports
// and the method signature below are assumed. hexEncode(), processRequest() and
// the dbconnection helper class are not shown in the question.
import java.io.IOException;
import java.io.PrintWriter;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    HttpSession session1 = request.getSession(false);
    PrintWriter out = response.getWriter();
    try {
        if (request.getMethod().equalsIgnoreCase("POST")) {
            String user = "";
            String timenow = "";
            String strQuery = "";
            String today = "";
            String tour = "";
            try {
                String useridfinal = (String) request.getParameter("userid");
                String userpassfinal = (String) request.getParameter("userpassword");
                Pattern p10 = Pattern.compile("[A-Z0-9a-z]+"); // XSS checking
                Matcher m10 = p10.matcher(useridfinal);
                boolean b10 = m10.matches();
                Pattern p11 = Pattern.compile("[A-Z!_,.a-z0-9]+"); // XSS checking
                Matcher m11 = p11.matcher(userpassfinal);
                boolean b11 = m11.matches();
                if (useridfinal == null || b10 == false) {
                    session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
                    response.sendRedirect("login.jsp");
                } else if (userpassfinal == null || b11 == false) {
                    session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
                    response.sendRedirect("login.jsp");
                } else {
                    try {
                        dbconnection db = new dbconnection();
                        db.getConnection();
                        PreparedStatement ps = null;
                        PreparedStatement ps2 = null;
                        ResultSet rs = null;
                        ResultSet rs1 = null;
                        String ipadd = "";
                        try {
                            ipadd = request.getRemoteAddr(); // tracking IP address
                        } catch (Exception e) {
                        }
                        SimpleDateFormat sdfDate = new SimpleDateFormat("dd-MM-yy HH:mm:ss");
                        Date now = new Date();
                        String strDate = sdfDate.format(now);
                        if (request.getParameter("userid") != null
                                && (request.getParameter("userid") == null ? "" != null : !request.getParameter("userid").equals(""))
                                && request.getParameter("userpassword") != null
                                && (request.getParameter("userpassword") == null ? "" != null : !request.getParameter("userpassword").equals(""))) {
                            if (session1 != null) {
                                session1.invalidate();
                            }
                            session1 = request.getSession(true);
                            String s = (String) useridfinal;
                            MessageDigest m = MessageDigest.getInstance("MD5");
                            m.update(s.getBytes(), 0, s.length());
                            String encuseridfinal = (new BigInteger(1, m.digest()).toString(16));
                            String s1 = (String) userpassfinal;
                            MessageDigest m1 = MessageDigest.getInstance("MD5");
                            m1.update(s1.getBytes(), 0, s1.length());
                            String encuserpassfinal = (new BigInteger(1, m1.digest()).toString(16));
                            ps = db.con.prepareStatement("select * from login where loginid=? and  loginpass=? ");
                            ps.setString(1, useridfinal);
                            ps.setString(2, encuserpassfinal); // encrypted userpassword
                            try {
                                rs = ps.executeQuery();
                            } catch (SQLException ex) {
                            }
                            int count = 0;
                            while (rs.next()) {
                                count++;
                                try {
                                    // Initialize SecureRandom
                                    // This is a lengthy operation, to be done only upon
                                    // initialization of the application
                                    SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
                                    // generate a random number
                                    String randomNum = new Integer(prng.nextInt()).toString();
                                    // get its digest
                                    MessageDigest sha = MessageDigest.getInstance("SHA-1");
                                    byte[] result = sha.digest(randomNum.getBytes());
                                    String csrf = "";
                                    csrf = hexEncode(result);
                                    try {
                                        Calendar calendar = new GregorianCalendar();
                                        int hour = calendar.get(Calendar.HOUR_OF_DAY);
                                        int minute = calendar.get(Calendar.MINUTE);
                                        int second = calendar.get(Calendar.SECOND);
                                        today = (+hour + ":" + minute + ":" + second + "");
                                        Date date = new Date();
                                        SimpleDateFormat sdf = null;
                                        String strDate1 = "";
                                        sdf = new SimpleDateFormat("dd-MM-yy");
                                        strDate1 = sdf.format(date);
                                        tour = strDate1 + " " + today;
                                        try {
                                            ps2 = db.con.prepareStatement("insert into logindetails (login_id, login_dt, login_ipaddress) values (?, to_date(?, 'DD-MM-YY hh24:mi:ss'),?) ");
                                        } catch (Exception e) {
                                        }
                                        ps2.setString(1, useridfinal);
                                        try {
                                            ps2.setString(2, tour);
                                        } catch (Exception e) {
                                        }
                                        try {
                                            ps2.setString(3, ipadd);
                                        } catch (Exception e) {
                                        }
                                        try {
                                            rs1 = ps2.executeQuery();
                                        } catch (SQLException ex) {
                                        }
                                        rs1.close();
                                        ps2.close();
                                    } catch (Exception e) {
                                    }
                                    session1.setAttribute("useridfinal", useridfinal);
                                    session1.setAttribute("csrftoken", csrf); // csrf token generation
                                    response.sendRedirect("home.jsp");
                                    session1.setAttribute("authenticated", true);
                                } catch (Exception e) {
                                }
                            }
                            try {
                                rs.close();
                            } catch (Exception e) {
                            }
                            try {
                                ps.close();
                            } catch (Exception e) {
                            }
                            try {
                                db.removeConnection();
                            } catch (Exception e) {
                            }
                            if (count == 0) {
                                session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
                                response.sendRedirect("login.jsp");
                            }
                        } else {
                            session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
                            response.sendRedirect("login.jsp");
                        }
                    } catch (Exception e) {
                    }
                }
            } catch (Exception e) {
                out.println("please try later");
            }
        } else {
            response.sendRedirect("login.jsp");
        }
    } catch (Exception e) {
        response.sendRedirect("login.jsp");
    }
    processRequest(request, response);
}

// Fragment posted after the method, kept as written (it is not valid Java):
// function() {// For generating secure token
//     return token;
// }
```

Signout code:

```jsp
<%-- page import directive added; the dbconnection helper class is not shown in the question --%>
<%@ page import="java.sql.PreparedStatement, java.sql.ResultSet, java.sql.SQLException,
                 java.text.SimpleDateFormat, java.util.Calendar, java.util.Date,
                 java.util.GregorianCalendar" %>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>JSP Page</title>
    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
    <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
    <META NAME="ROBOTS" CONTENT="NONE">
    <META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">
</head>
<body>
<%
    String user = "";
    HttpSession session1 = request.getSession(false);
    if (session1.getAttribute("useridfinal") != null
            && session1.getAttribute("useridfinal") != "") {
        user = session1.getAttribute("useridfinal").toString();
    }
    String today = "";
    String tour = "";
    dbconnection db = new dbconnection();
    db.getConnection();
    PreparedStatement ps = null;
    PreparedStatement ps2 = null;
    ResultSet rs = null;
    ResultSet rs1 = null;
    try {
        Calendar calendar = new GregorianCalendar();
        int hour = calendar.get(Calendar.HOUR_OF_DAY);
        int minute = calendar.get(Calendar.MINUTE);
        int second = calendar.get(Calendar.SECOND);
        today = (+hour + ":" + minute + ":" + second + "");
        Date date = new Date();
        SimpleDateFormat sdf = null;
        String strDate1 = "";
        sdf = new SimpleDateFormat("dd-MM-yy");
        strDate1 = sdf.format(date);
        String useripadd = "";
        try {
            useripadd = request.getRemoteAddr();
        } catch (Exception e) {
        }
        tour = strDate1 + " " + today;
        try {
            // the SQL string was split across two lines as posted, which does not compile;
            // joined here with string concatenation
            ps2 = db.con.prepareStatement("insert into logindetails "
                    + "(loginid,logoutdt,logoutipaddress) values (?,to_date(?, 'DD-MM-YY hh24:mi:ss'),?)");
        } catch (Exception e) {
        }
        ps2.setString(1, user);
        try {
            ps2.setString(2, tour);
        } catch (Exception e) {
        }
        ps2.setString(3, useripadd);
        try {
            rs1 = ps2.executeQuery();
        } catch (SQLException ex) {
            out.println(ex);
        }
        rs1.close();
        ps2.close();
        db.removeConnection();
    } catch (Exception e) {
    }
    String csrf = "";
    request.getSession(false).removeAttribute("useridfinal");
    request.getSession(false).removeAttribute("csrftoken");
    response.setHeader("Pragma", "no-cache");
    response.setHeader("Cache-Control", "no-store");
    response.setHeader("Expires", "0");
    response.setDateHeader("Expires", -1);
    session1.invalidate();
    response.sendRedirect("login.jsp");
%>
</body>
</html>
```

From the IP address I knew that the location is Japan. I do not know how it happened. Any help please?????????

It may be possible that they used a proxy for the login/logout, and the user will be a person known to you only; he may have access to your database and want to do something wrong with your system, so he logged in and did something wrong. And after that he may have removed his access-time details.

Suppose your app is hosted at http://your.host.com/app, and suppose your logout JSP is named logout.jsp. If I just use my browser and type http://your.host.com/app/logout.jsp in the address bar and hit enter, you'll have a logout without login in your database. No need to crack anything.

Another possibility is that, since you ignore basically any exception that occurs, the login has succeeded but the insert into the database has failed. It's certainly that which happened, since to insert the login into the database you use executeQuery instead of using executeUpdate.

Your code is really, really terrible. You should learn to indent code, use JDBC correctly, handle exceptions correctly, use transactions instead of autocommit, and close result sets, statements and connections in finally blocks. And Java code in JSP is really bad practice.

Read tutorials, and NEVER do catch(Exception) {}.
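As an added illustration of the two points made in this answer (not code from the question or from the answerer), here is a logout servlet that writes a logout row only when the request belongs to a session that actually holds an authenticated user, and that uses executeUpdate with try-with-resources and logging instead of executeQuery and empty catch blocks. It assumes a container-managed DataSource under an assumed JNDI name, and that the logout link is a POST form submitting the session's csrftoken; the logindetails table and the session attribute names follow the question.

```java
import java.io.IOException;
import java.sql.*;
import java.util.logging.*;
import javax.naming.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class LogoutServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(LogoutServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false); // never create a session on logout
        String user = session == null ? null : (String) session.getAttribute("useridfinal");
        String token = session == null ? null : (String) session.getAttribute("csrftoken");
        // Requesting the logout URL without ever logging in (no session, no user, or no
        // matching CSRF token) writes nothing to logindetails; it only redirects.
        if (user == null || token == null || !token.equals(request.getParameter("csrftoken"))) {
            response.sendRedirect("login.jsp");
            return;
        }
        try {
            recordLogout(user, request.getRemoteAddr());
        } catch (SQLException | NamingException e) {
            // Log the failure instead of swallowing it; the session still ends below.
            LOG.log(Level.SEVERE, "could not record logout for " + user, e);
        }
        session.invalidate();
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect("login.jsp");
    }

    // INSERT via executeUpdate (executeQuery is for SELECT); resources closed by try-with-resources.
    private void recordLogout(String user, String ip) throws SQLException, NamingException {
        // Assumed JNDI name for the container-managed connection pool.
        DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDS");
        String sql = "insert into logindetails (loginid, logoutdt, logoutipaddress) values (?, ?, ?)";
        try (Connection con = ds.getConnection(); PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setTimestamp(2, new Timestamp(System.currentTimeMillis())); // no to_date string round trip
            ps.setString(3, ip);
            ps.executeUpdate();
        }
    }
}
```

Because only doPost is overridden, a plain GET of the logout URL gets a 405 from HttpServlet and never touches the database.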
