登陆验证前更新session 会话标识未更新

会话标识未更新
严重性： 中
CVSS 分数： 6.4
URL： http://127.0.0.1/test/j_unieap_security_check.do
实体： j_unieap_security_check.do (Page)
风险： 可能会窃取或操纵客户会话和 cookie，它们可能用于模仿合法用户，从而使黑客能够以该用户身份查看或变更用户记录以及执行事务
原因： Web 应用程序编程或配置不安全
固定值： 登录之后更改会话标识符值
推理： 测试结果似乎指示存在脆弱性，因为“原始请求”和“响应”中的会话标识相同。这些标志应该已在响
应中更新。

登陆验证前更新session

package com.neusoft.education.mepec.filter;

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.neusoft.unieap.config.SystemConfig;

public class NewSessionFilter implements Filter {
    
    private Log log = LogFactory.getLog(SystemConfig.logCatagroy);
    
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            if (httpRequest.getSession() != null) {
                log.debug("old Session:" + httpRequest.getSession().getId());
                HttpSession session = httpRequest.getSession();
                HashMap old = new HashMap();
                Enumeration keys = session.getAttributeNames();
                while (keys.hasMoreElements()) {
                    String key = (String) keys.nextElement();
                    old.put(key, session.getAttribute(key));
                    session.removeAttribute(key);
                }
                
                if (!httpRequest.getSession().isNew()){
                    session.invalidate();
                    session = httpRequest.getSession(true);
                    log.debug("new Session:" + session.getId());
                }

                for (Iterator> it = old.entrySet().iterator(); it.hasNext();) {
                    Map.Entry entry = (Map.Entry) it.next();
                    session.setAttribute((String) entry.getKey(), entry.getValue());
                }
            }
        }
        chain.doFilter(request, response);
    }
    
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("NewSessionFilter init");
    }

    @Override
    public void destroy() {

    }
    
    public NewSessionFilter() {
        System.out.println("NewSessionFilter");
    }

}