I am testing locally at http://127.0.0.1:8080/freee/page/index.jsp
Using Firefox's debugging feature (request headers) to look at the cookie, I see:
JSESSIONID=11A1F1F0B28A5C11F7CD4B4D2850138F
But after I log in to email.163.com (http://g4a36.mail.163.com/js3/main.jsp?sid=mAvCdXGKjEryNEViraKKtfhbOjZXRCji), the request headers
show this cookie:
Province=020; City=020; logType=-1; nts_mail_user=15217301011:-1:1; [email protected]|1300161363|0|mail163|11&17|gud&1300160277&mail163#gud&440100#10|152011&1; MAIL163_SSN=javaweb; USERTRACK=183.1.233.219.1300159070180478; ntes_mail_firstpage=normal; NTES_SESS=vGDH4F6TT5sMWIRtJuZCwkR.wjHrfAWF7XiG.X4_lyNJO_z6kZeslJRMZcs8j0728i_oUGedEHvHudxCKMeuapcpnNniIhzY8RF5kXKmJjvDU8yJbUgp0TxOLMnBPGDWUCLnx9MRHSd0xusZLJmrW.irU; S_INFO=1300161363|0|3&100##; Coremail=1300160277890%vBaZyCdrBAUmSkIygcrrkQgLkXgcLIZt%g2a79.mail.163.com; ntes_misc=0|59.174.77.170; cm_last_info=dT1tbjk2MG1uJTQwMTYzLmNvbSZkPWh0dHAlM0ElMkYlMkZnMmE3OS5tYWlsLjE2My5jb20lMkZqczMlMkZtYWluLmpzcCUzRnNpZCUzRHZCYVp5Q2RyQkFVbVNrSXlnY3Jya1FnTGtYZ2NMSVp0JnM9dkJhWnlDZHJCQVVtU2tJeWdjcnJrUWdMa1hnY0xJWnQmaD1odHRwJTNBJTJGJTJGZzJhNzkubWFpbC4xNjMuY29tJTJGanMzJTJGbWFpbi5qc3AlM0ZzaWQlM0R2QmFaeUNkckJBVW1Ta0l5Z2NycmtRZ0xrWGdjTEladCZ3PWcyYTc5Lm1haWwuMTYzLmNvbSZsPS0xJnQ9LTEmdj0w; Coremail.sid=vBaZyCdrBAUmSkIygcrrkQgLkXgcLIZt; mail_style=js35; [email protected]; mail_host=g2a79.mail.163.com; MAIL_SESS=Is59Gt19p8S1lSSvtr._2M__hzwEPme0vH8JOHBMrw_zeMp1Rj2GrzAxjZG5of3058MuDJ2.XTITg.9Vqx2gdCZC4_48QKpS5AEbRHqazoIhD5wzsDPCfY9eix4ktJhNDVi49lxATv.f9gGjizacNO8cD; mail_pos=152_0
Obviously there is no JSESSIONID there. We know that once a JSESSIONID is present it is very insecure. (Everyone can check the request headers in Firefox for themselves.) So how can I hide the JSESSIONID on the client side (hide it in the request headers)?
Solutions »
In Tomcat you can even extend StandardManager and replace the Session ID generation algorithm.
Configure it in web.xml (Servlet 3.0 schema):

<session-config>
    <cookie-config>
        <name>HACKSESSIONID</name>
    </cookie-config>
</session-config>

Alternatively, write a listener:

package com.weblistener;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;

// Renames the session cookie when the web application starts (Servlet 3.0+ API).
public class SessionCookieListener implements ServletContextListener {

    public void contextDestroyed(ServletContextEvent arg0) {
        // nothing to clean up
    }

    public void contextInitialized(ServletContextEvent contextEvent) {
        // SessionCookieConfig may only be changed before the context is initialized,
        // which is exactly where this callback runs.
        SessionCookieConfig scc = contextEvent.getServletContext().getSessionCookieConfig();
        scc.setName("hackSessionid");
    }
}

Then register it in web.xml to change the cookie name:

<listener>
    <listener-class>com.weblistener.SessionCookieListener</listener-class>
</listener>
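Added example (not part of this thread): a small checker that parses a request Cookie header and flags any cookie whose value looks like a session token by its length and entropy, regardless of the cookie name. Run on the JSESSIONID value quoted above and on the same value under the renamed HACKSESSIONID cookie, it shows that renaming does not hide the session token; the 163-style header below is a constructed, shortened sample. A second helper lists the hardening attributes (HttpOnly, Secure, SameSite) missing from a Set-Cookie line, which is what actually limits exposure of the token.

```python
import math


def shannon_bits(value: str) -> float:
    """Approximate information content of a string: per-character entropy times length."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def parse_cookie_header(header: str) -> dict:
    """Split a request Cookie header ('a=1; b=2') into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def session_like_cookies(header: str, min_len: int = 16, min_bits: float = 64.0) -> list:
    """Names of cookies whose value looks like a session token (long and high-entropy)."""
    return [name for name, value in parse_cookie_header(header).items()
            if len(value) >= min_len and shannon_bits(value) >= min_bits]


def missing_hardening(set_cookie: str) -> list:
    """Hardening attributes absent from a Set-Cookie response header line."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie.split(";")[1:]}
    return [a for a in ("HttpOnly", "Secure", "SameSite") if a.lower() not in attrs]


# Constructed samples: the JSESSIONID value from the question, the same value after the
# cookie rename suggested above, and a shortened 163-style header with a made-up NTES_SESS.
TOMCAT_DEFAULT = "JSESSIONID=11A1F1F0B28A5C11F7CD4B4D2850138F"
TOMCAT_RENAMED = "HACKSESSIONID=11A1F1F0B28A5C11F7CD4B4D2850138F"
MAIL163_STYLE = "Province=020; City=020; mail_style=js35; NTES_SESS=vGDH4F6TT5sMWIRtJuZCwkR.wjHrfAWF7XiG"

if __name__ == "__main__":
    for hdr in (TOMCAT_DEFAULT, TOMCAT_RENAMED, MAIL163_STYLE):
        print(session_like_cookies(hdr))
    print(missing_hardening("JSESSIONID=11A1F1F0B28A5C11F7CD4B4D2850138F; Path=/"))
```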