If session hijacking is considered too significant a risk for your particular application, the only option
is to use HTTPS for every request. This means the jsessionid is never sent across an insecure channel,
whether it travels as a cookie or appended to the URL by URL rewriting. You will need to ensure the page
your web.xml-defined <welcome-file> names is only ever reached over HTTPS (a <welcome-file> entry is a
resource relative to the context root, so in practice that page itself redirects to an https:// URL), and
that the application never directs the user to an HTTP location. Acegi Security provides a solution to
assist with the latter. One further caveat: most servlet containers only mark the JSESSIONID cookie Secure
when the session is first created over HTTPS, so a session that was created over plain HTTP will continue to
be offered on any plaintext request an attacker can induce, even after the user has moved to HTTPS.
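The following configuration is an added example and is not part of the original page or of the Acegi project's own documentation. The page does not say which Acegi feature it has in mind; this example assumes it is the channel security package of Acegi Security 1.0.x (org.acegisecurity.securechannel), together with the servlet container's own CONFIDENTIAL transport guarantee as a second line of defence. The bean ids, the index.jsp welcome file and the 8080/8443 port pair are illustrative choices.

```xml
<!-- Added example (not from the original page or the Acegi project).
     Assumes Acegi Security 1.0.x and a Servlet 2.4 container. -->

<!-- ===== web.xml ===== -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Loads the Spring application context that defines the beans below -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- Delegates to the Acegi ChannelProcessingFilter bean for every request -->
  <filter>
    <filter-name>Acegi Channel Processing Filter</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
      <param-name>targetBean</param-name>
      <param-value>channelProcessingFilter</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>Acegi Channel Processing Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- A welcome file is a relative resource, so the first request to "/" may still
       arrive over HTTP; index.jsp (assumed) redirects to the https:// URL of the site -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Container-level backstop: plaintext is refused for the whole application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>

<!-- ===== applicationContext.xml (Acegi channel security beans) ===== -->
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
  "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>

  <!-- Every URL requires a secure channel; a request that arrives over HTTP never
       reaches the application and is redirected before any jsessionid is exposed -->
  <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
    <property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property>
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=REQUIRES_SECURE_CHANNEL
      </value>
    </property>
  </bean>

  <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
    <property name="channelProcessors">
      <list>
        <ref bean="secureChannelProcessor"/>
      </list>
    </property>
  </bean>

  <!-- Sends the browser to the same URL over https:// using the port mapping below -->
  <bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor">
    <property name="entryPoint">
      <bean class="org.acegisecurity.securechannel.RetryWithHttpsEntryPoint">
        <property name="portMapper"><ref bean="portMapper"/></property>
      </bean>
    </property>
  </bean>

  <!-- HTTP port -> HTTPS port pairs; 80 -> 443 is the default, the 8080 -> 8443 pair is
       an assumption for a development container -->
  <bean id="portMapper" class="org.acegisecurity.util.PortMapperImpl">
    <property name="portMappings">
      <map>
        <entry key="8080"><value>8443</value></entry>
      </map>
    </property>
  </bean>
</beans>
```

The two layers are deliberately redundant: the Acegi filter turns an HTTP request into a redirect to the HTTPS equivalent, so a user who follows a stale http:// link still ends up on a secure page, while the CONFIDENTIAL constraint makes the container itself refuse plaintext if the filter is ever misconfigured or removed. Neither layer makes a session created over HTTP safe after the fact; the session should not be created until the request is already on HTTPS.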
This article looks at a countermeasure to the risk of session hijacking: using HTTPS for every request so that the jsessionid is never sent over an insecure channel. It also covers configuring web.xml to point to an HTTPS location and preventing the application from directing the user to an HTTP address, and mentions the assistance Acegi Security provides for that problem.