JSESSIONID 会话盗用漏洞，目前有两种方案：
1. 方案一：将用户 IP 与用户会话绑定，但目前经过 F5 代理后获取不到真实客户端的 IP；
2. 方案二：判断 JSESSIONID 的来源，如果来自 URL，就重定向到 403 页面并拒绝访问。目前方案一获取不到 IP 地址，只能用方案二测试。
代码如下:
package com.tydic.dbp.util;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class AuthFilter implements Filter {
/** SLF4J logger for this filter; doFilter writes its decisions at INFO. */
private static final Logger LOGGER = LoggerFactory.getLogger(AuthFilter.class);
/** Intentionally empty: init acquires nothing, so there is nothing to release. */
@Override
public void destroy() {
    // no-op
}
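/** Resources that bypass the session checks, matched as a suffix of the request path. */
private static final String[] PASS_THROUGH_SUFFIXES = { ".swf", ".js", ".css", ".gif", ".png", ".jpg", "dbp.jsp" };

/** Path fragments that bypass the session checks, matched anywhere in the request path. */
private static final String[] PASS_THROUGH_PATHS = { "/service" };

/** 403 page shown when the session id was supplied in the URL. */
private static final String URL_SESSION_REJECT_URL = "http://134.64.106.187:8000/portal/webpoint/main/403.jsp";

/** 403 page shown when no logged-in user is bound to this client IP. */
// NOTE(review): this host (154.64.116.187) differs from URL_SESSION_REJECT_URL (134.64.106.187);
// one of the two is probably a typo - confirm which 403 page is intended before merging them.
private static final String AUTH_FAILURE_REJECT_URL = "http://154.64.116.187:8000/portal/webpoint/main/403.jsp";

/**
 * Guards against session hijacking in two ways: a session id carried in the URL is
 * rejected outright, and an existing session must hold a logged-in user
 * ({@code tydic.dbp.user}) whose stored {@code ip} equals the current client IP.
 * Static and SSO pass-through resources are exempt because they carry no session
 * information. Behind the F5 proxy the client IP is not the real machine IP (see the
 * notes above this class), so the IP comparison degrades to a proxy-to-proxy match there.
 *
 * @param servletRequest  the incoming request; must be an {@link HttpServletRequest}
 * @param servletResponse the outgoing response; must be an {@link HttpServletResponse}
 * @param chain           the remaining filter chain, invoked only for accepted requests
 * @throws IOException      if the redirect or the downstream chain fails on I/O
 * @throws ServletException propagated from the downstream chain
 */
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;

    // Pass-through resources are let through before any session lookup, so no session
    // is created just to serve a static file.
    if (isPassThroughResource(request.getRequestURI())) {
        chain.doFilter(servletRequest, servletResponse);
        return;
    }

    // A session id supplied in the URL is never accepted. Invalidating that session
    // was deliberately disabled in the original code and is left disabled here.
    if (request.isRequestedSessionIdFromURL()) {
        response.sendRedirect(URL_SESSION_REJECT_URL);
        return;
    }

    // getSession(false): an unauthenticated client must not cause a session to be
    // allocated; a missing session is simply treated as "no user".
    HttpSession session = request.getSession(false);
    Object user = session == null ? null : session.getAttribute("tydic.dbp.user");
    Object sessionIP = session == null ? null : session.getAttribute("ip");
    String ip = IpUtils.getIpAddr(request);

    LOGGER.info("************sessionIp: " + sessionIP);
    LOGGER.info("************clinetIp: " + ip);

    // Fail closed: no user, no bound IP, no resolvable client IP, or a mismatch all
    // end in the 403 page. ip is null-checked so an unresolvable address redirects
    // instead of throwing.
    if (user == null || sessionIP == null || ip == null || !ip.equals(sessionIP)) {
        LOGGER.info(" ***************** error sendRedirect ");
        response.sendRedirect(AUTH_FAILURE_REJECT_URL);
        return;
    }
    chain.doFilter(servletRequest, servletResponse);
}

/**
 * Returns whether {@code uri} names a resource that is exempt from the session checks.
 * Servlet path parameters ({@code ;...}) are dropped first and file extensions are
 * matched as suffixes rather than substrings, so ".js" no longer exempts every ".jsp"
 * page and a path parameter cannot supply the matched suffix.
 *
 * @param uri the request URI as returned by {@link HttpServletRequest#getRequestURI()}
 * @return {@code true} when the request may skip the session checks
 */
private static boolean isPassThroughResource(String uri) {
    if (uri == null) {
        return false;
    }
    int paramStart = uri.indexOf(';');
    String path = paramStart < 0 ? uri : uri.substring(0, paramStart);
    for (String suffix : PASS_THROUGH_SUFFIXES) {
        if (path.endsWith(suffix)) {
            return true;
        }
    }
    for (String fragment : PASS_THROUGH_PATHS) {
        if (path.contains(fragment)) {
            return true;
        }
    }
    return false;
}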
/**
 * Intentionally empty: the filter needs no configuration from {@code filterConfig}.
 *
 * @param filterConfig the container-supplied configuration, unused
 * @throws ServletException never thrown by this implementation
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
    // no-op
}