I'm developing an application in Java which seems to have a session hijacking vulnerability.
In order to prevent this, the recommendation is to change the JSESSIONID for a user after login.
My application is based on Struts 2.0 and Tomcat 7, and I have implemented code to change the JSESSIONID
after the user logs in.
However, I am facing the following problem while running the code.
java.lang.IllegalStateException: setAttribute: Session already invalidated
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1289)
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1254)
at org.apache.catalina.session.StandardSessionFacade.setAttribute (StandardSessionFacade.java:130)
at org.apache.struts2.dispatcher.SessionMap.put(SessionMap.java:181)
Here is the code that I wrote:
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;

// inside a Struts 2 action that implements SessionAware; getSession() returns the injected session map
HttpServletRequest request = ServletActionContext.getRequest();
HttpSession httpSession = request.getSession();
// keep a copy of every attribute of the current session
Map<String, Object> attributes = new HashMap<String, Object>();
Enumeration<String> enames = httpSession.getAttributeNames();
while ( enames.hasMoreElements() )
{
    String name = enames.nextElement();
    if ( !name.equals( "JSESSIONID" ) )
    {
        attributes.put( name, httpSession.getAttribute( name ) );
    }
}
httpSession.invalidate();                 // old session is gone; Tomcat issues a new JSESSIONID below
httpSession = request.getSession( true );
for ( Map.Entry<String, Object> et : attributes.entrySet() )
{
    httpSession.setAttribute( et.getKey(), et.getValue() ); // restore the saved attributes into the new session
}
getSession().put( "userid", userId ); // Setting value to session: this is the line that throws, because the injected map still wraps the invalidated session
Usually when you invalidate the session you should redirect to some action, so the new session map will be injected into it if the action implements SessionAware. But in the code you posted you are trying to reuse the session map while it contains an old session.
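The pattern the answer describes, as an added example that is not code from the question or the answer: a hypothetical Struts 2 login action that rotates the session id, writes the post-login state to the new HttpSession directly instead of through the stale injected map, and then returns a result that struts.xml maps to a redirectAction, so the next action gets a fresh SessionMap. The class, field and method names are assumptions; `credentialsValid` stands in for the application's real authentication check.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionSupport;

// Hypothetical login action (not from the original post). It does not implement SessionAware on
// purpose: the SessionMap injected for this request would still wrap the session we invalidate.
public class LoginAction extends ActionSupport {
    private String username;   // form fields bound by Struts (assumed names)
    private String password;

    public void setUsername(String u) { username = u; }
    public void setPassword(String p) { password = p; }

    @Override
    public String execute() {
        if (!credentialsValid(username, password)) {
            return INPUT;
        }
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession fresh = rotateSession(request);   // new JSESSIONID from here on
        fresh.setAttribute("userid", username);        // write to the NEW session, not to getSession()
        // struts.xml (assumed): <result name="success" type="redirectAction">home</result>
        // The "home" action may implement SessionAware: being a new request, it is injected
        // with a SessionMap wrapping the fresh session, so session.get("userid") works there.
        return SUCCESS;
    }

    /** Copies the current session's attributes into a brand-new session and invalidates the old one. */
    static HttpSession rotateSession(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);   // null if the client had no session yet
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Placeholder for the application's real credential check (assumption, not a real implementation).
    private boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```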