ログイン後にjsessionidを再生産する方法

1493 ワード

Security J#

store the old session

invalidate the old session

generate a new session

copy the data of the old session into the new session

public class RenewSessionValve implements Valve{

 public void invoke(Request request, Response response)
    throws IOException, ServletException {

 	// check for the login URI, only after a login
	// we want to renew the session
	if (req.getRequestURI().
		contains("/portal/j_security_check")) {

 	  // step 1: save old session
	  Session oldSession = req.getSessionInternal(true);
	  SavedRequest saved = (SavedRequest) oldSession.
				getNote(Constants.FORM_REQUEST_NOTE);

	  // step 2: invalidate old session
	  req.getSession(true).invalidate();
	  req.setRequestedSessionId(null);
	  req.clearCookies();

	  // step 3: create a new session and set it to the request
	  Session newSession = req.getSessionInternal(true);
	  req.setRequestedSessionId(newSession.getId());

	  // step 4: copy data pointer from the old session
	  // to the new one
	  if (saved != null) {
	    newSession.setNote(Constants.FORM_REQUEST_NOTE, saved);
	  }

	}

 }

}

reference: http://www.koelnerwasser.de/?p=11

BJ14631

Django_C.R.U.D_1