IBM AppScan 扫描安全漏洞——会话标识未更新
AppScan 修订建议：
始终生成新的会话，供用户成功认证时登录，以防止用户操纵会话标识。请勿接受用户浏览器登录时所提供的会话标识。
在登录验证成功之后调用下面的方法：
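/**
 * Replaces the current HTTP session with a freshly created one after a
 * successful login, so the session identifier that was in use before
 * authentication (possibly supplied by the client) is never carried into the
 * authenticated session (the AppScan "session identifier not updated" finding).
 *
 * <p>Every attribute of the old session is copied into the new one. Anything a
 * not-yet-authenticated client was able to place into the pre-login session
 * therefore survives the rotation; callers that keep sensitive pre-login state
 * should clear it before calling this method, or extend the copy loop to skip it.
 *
 * <p>On Servlet 3.1+ containers {@code request.changeSessionId()} achieves the
 * same effect without the copy; this implementation relies only on the older
 * {@code invalidate()} / {@code getSession(true)} pair.
 *
 * @param request  the current request; its existing session, if any, is invalidated
 * @param response unused; kept so the signature stays compatible with existing callers
 * @throws Exception declared for compatibility with existing callers; the body
 *                   itself only raises unchecked exceptions, e.g. the container's
 *                   {@link IllegalStateException} if the old session was already
 *                   invalidated by the time {@code invalidate()} runs
 */
@SuppressWarnings("unchecked") // getAttributeNames() is a raw Enumeration on pre-3.0 Servlet APIs
private void createNewSession(HttpServletRequest request, HttpServletResponse response) throws Exception {
    // getSession(false): do not allocate a session just to invalidate it when
    // the client arrived without one; a new one is created below either way.
    HttpSession oldSession = request.getSession(false);
    Map<String, Object> attributeMap = new HashMap<String, Object>();
    if (oldSession != null) {
        // Snapshot the attributes first: they are unreachable once invalidate() runs.
        Enumeration<String> attributeNames = oldSession.getAttributeNames();
        while (attributeNames != null && attributeNames.hasMoreElements()) {
            String attributeName = attributeNames.nextElement();
            attributeMap.put(attributeName, oldSession.getAttribute(attributeName));
        }
        oldSession.invalidate();
    }
    // The old session is gone, so this always yields a session with a new identifier.
    HttpSession newSession = request.getSession(true);
    for (Map.Entry<String, Object> entry : attributeMap.entrySet()) {
        newSession.setAttribute(entry.getKey(), entry.getValue());
    }
}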