
JSP directive session="false"

If I don't use the session="false" directive in the Login page of the web application, will a JSESSIONID be created on the Login page itself?

Also, is it then possible to hack the application and access the files by using the created JSESSIONID, without even logging in, just by visiting the Login page?

Your response is highly appreciated.

Thanks, Pradeep G

Here is one possible attack vector:

  1. You open the login page, but don't log in, because it is lunch time.

  2. Bad Actor walks into your office, writes down your jSESSIONID.

  3. After lunch, you log in. That jSESSIONID is now useful.

  4. Bad Actor can use your jSESSIONID from his own browser to look at your session.

Solution:

Create a brand-new jSESSIONID after the successful login (so that the one from before authentication does not suddenly become valuable).
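A worked version of that fix, added here as an example and not part of the original answer. It shows the two shapes of a login servlet side by side: the vulnerable one keeps whatever session (and JSESSIONID) the browser already carried when it viewed the login page, the hardened one throws that session away and issues a new id once the password check succeeds. It assumes a Servlet 3.1 or newer container (for example Tomcat 8+), a hypothetical `UserStore.authenticate(user, password)` and a landing page at `/home`; the login JSP itself is assumed to start with `<%@ page session="false" %>` so that merely viewing it creates no session at all.

```java
// Added example (not code from the original post). Assumes Servlet 3.1+,
// a hypothetical UserStore.authenticate(...) and a /home landing page.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Hypothetical credential check; replace with the application's own.
    static final class UserStore {
        static boolean authenticate(String user, String password) {
            return "alice".equals(user) && "correct horse battery".equals(password);
        }
    }

    // VULNERABLE shape: reuses the session the browser already had before
    // authentication. Anyone who saw that JSESSIONID (the lunch-break attacker
    // in the answer) now owns the logged-in session.
    static void loginReusingOldSession(HttpServletRequest req, String user) {
        HttpSession session = req.getSession(true); // same id as before login
        session.setAttribute("user", user);
    }

    // HARDENED shape: drop the pre-authentication session and start a fresh
    // one, so the container sends a brand-new JSESSIONID cookie in the
    // response. The id the attacker wrote down is now dead.
    static HttpSession loginWithFreshSession(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                   // kills the pre-login id
        }
        HttpSession fresh = req.getSession(true); // container issues a new id
        fresh.setAttribute("user", user);
        fresh.setMaxInactiveInterval(15 * 60);  // idle timeout in seconds
        return fresh;
    }

    // Alternative hardened shape (Servlet 3.1+): keep the attributes that were
    // already in the session (e.g. a shopping cart) but rotate only the id.
    static String loginRotatingId(HttpServletRequest req, String user) {
        req.getSession(true);                   // make sure a session exists
        String newId = req.changeSessionId();   // new JSESSIONID, same state
        req.getSession().setAttribute("user", user);
        return newId;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (user == null || password == null
                || !UserStore.authenticate(user, password)) {
            // Failed login: do not create or touch any session.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad credentials");
            return;
        }

        // Use the hardened variant; never loginReusingOldSession().
        loginWithFreshSession(req, user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

Two practical checks: watch the `Set-Cookie: JSESSIONID=...` header on the successful POST response and confirm the value differs from the one sent with the request, and, in the container's `web.xml`, mark the cookie `http-only` and `secure` under `<session-config><cookie-config>` so the id is not readable from script and never travels over plain HTTP. Regenerating the id is what defeats the scenario in the answer; the `session="false"` directive on the login JSP only narrows the window by not handing out an id before it is needed.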


 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM