Session fixation concerns the fact that once the server has created a session for a client, the two keep communicating over that session until it expires; if the session id used before login is kept after login, anyone who already knows that id can act as the logged-in user.
In the Spring Security configuration file, the strategy can be changed through the `session-fixation-protection` attribute of `session-management`. Three strategies are available:
- migrateSession: the default. After the user logs in a new session is created, and the attributes of the original session are copied into the new one.
  Javadoc: "Specifies that a new session should be created and the session attributes from the original HttpSession should be retained."
- none: session fixation protection is not enabled. This may be useful if the system has another session protection mechanism.
  Javadoc: "Specifies that no session fixation protection should be enabled. This may be useful when utilizing other mechanisms for protecting against session fixation. For example, if application container session fixation protection is already in use. Otherwise, this option is not recommended."
- newSession: a new session is created, but the attributes of the original session are not copied.
  Javadoc: "Specifies that a new session should be created, but the session attributes from the original HttpSession should not be retained."
Which strategy to use has to be weighed against the actual business requirements.
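The configuration described above, written out as an added example (not taken from the original page or from the Spring Security project); it assumes the Spring Security 5.x XML namespace, and the in-memory user, URLs and `{noop}` password are constructed for illustration only:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <http use-expressions="true">
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login login-page="/login"/>
        <logout logout-url="/logout" invalidate-session="true"/>

        <!-- Session fixation strategy.
             migrateSession (the default): a fresh session id is issued at login and the
             old session's attributes are copied into the new session.
             newSession: a fresh session id is issued, attributes are dropped.
             none: the pre-login session id survives login; only acceptable when the
             servlet container already rotates the id itself. -->
        <session-management session-fixation-protection="migrateSession"/>
    </http>

    <!-- Constructed in-memory user for this example only; {noop} marks a plain-text
         password for Spring Security 5's DelegatingPasswordEncoder. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="alice" password="{noop}example-password" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

A quick check after deploying: note the JSESSIONID cookie before submitting the login form and again after; with migrateSession or newSession the value changes, with none it stays the same.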