如果是页面,可以在页面请求之前这样处理一下(先使旧会话失效,再创建新会话,使会话标识得到更新):
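// Session-identifier renewal for a plain page/servlet: invalidate the session
// the request arrived with, expire its cookie, then start a fresh session.
// Everything stored in the old session is discarded, so this belongs before
// any login state is written to the session.

// getSession(false) avoids creating a throw-away session only to invalidate it.
HttpSession session = request.getSession(false);
if (session != null) {
    session.invalidate();
}

Cookie[] cookies = request.getCookies();
if (cookies != null) {
    for (Cookie cookie : cookies) {
        if ("JSESSIONID".equalsIgnoreCase(cookie.getName())) {
            // Max-Age 0 asks the browser to drop the old identifier.
            // NOTE(review): cookies read back from a request carry only name and
            // value, so this expiry cookie is sent with the default path; confirm
            // it matches the path the container used when it issued JSESSIONID.
            cookie.setMaxAge(0);
            response.addCookie(cookie);
        }
    }
}

// The previous session is gone, so this creates a new one.
session = request.getSession(true);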
如果使用的是 spring-security,在登录入口处这样处理一下:
// Swap in a new session at the login entry point so the session identifier
// changes; this addresses the "session identifier not updated" finding
// (session fixation).
changeNewSession(request);
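/**
 * Replaces the caller's session with a new one that has a different identifier,
 * carrying the existing attributes across. Intended for the login entry point
 * as a session-fixation countermeasure.
 *
 * <p>A session always exists when this method returns, as before. On Servlet
 * 3.1+ containers {@code HttpServletRequest.changeSessionId()} renews the
 * identifier without the copy step, and Spring Security ships its own
 * session-fixation protection; prefer those where available.
 *
 * <p>NOTE(review): every attribute is carried over, including anything stored
 * before authentication. Confirm that pre-login attributes are meant to
 * survive into the authenticated session.
 *
 * @param request the current request whose session is to be replaced
 */
private void changeNewSession(HttpServletRequest request) {
    // getSession(false): the no-arg form creates a session on demand and never
    // returns null, so the original null check could not fail.
    HttpSession session = request.getSession(false);
    Map<String, Object> old = new HashMap<String, Object>();

    if (session != null) {
        // Snapshot the attributes first ...
        Enumeration<?> keys = session.getAttributeNames();
        while (keys.hasMoreElements()) {
            String key = (String) keys.nextElement();
            old.put(key, session.getAttribute(key));
        }
        // ... then remove them in a separate pass, so the session is not
        // modified while its attribute names are still being enumerated.
        for (String key : old.keySet()) {
            session.removeAttribute(key);
        }
        session.invalidate();
    }

    // The old session (if any) is invalid now, so this creates a new one.
    session = request.getSession(true);

    // Restore the saved attributes into the new session.
    for (Map.Entry<String, Object> entry : old.entrySet()) {
        session.setAttribute(entry.getKey(), entry.getValue());
    }
}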