In order to close and invalidate the session on the server side, the web application must take active action when the session expires or the user explicitly logs out, using the functions and methods offered by the session management mechanism, such as HttpSession.invalidate() (J2EE), Session.Abandon() (ASP.NET) or session_destroy()/unset() (PHP). 1.3 Session fixation attack protection.
In the session-management namespace there is an attribute, session-fixation-protection, that handles session fixation. Specifying excluded paths. The redirect can be made with the same session id or with a new one. (If invalid-session-url is set, the user is redirected to invalid-session-url.) If you want the second authentication to be rejected, specify the error-if-maximum-exceeded="true" attribute on concurrency-control. In the Spring Security session configuration, if invalid-session-url is configured as below, links configured with permitAll will redirect to the login page the first time the system is accessed; removing that configuration resolves this problem. 1.2 concurrency-control. <sec:session-management invalid-session-url="/error/invalidSession" /> When invalid-session-url is set as above, the user is redirected to the specified URL whenever the session is invalid.
The value of this field can be set with the invalid-session-url attribute of the session-management element. 1.1 Detecting session timeouts. This is achieved through the session-management element. Spring Security provides attributes to avoid session fixation. Spring Security provides support for HTTP session management through the session-management child element of the http element. When the session is invalid, this class redirects to the page specified in its private final String destinationUrl field. Note that if you use this mechanism to detect session timeouts, it may falsely report an error if the user logs out and then logs back in without closing the browser. Specify, in the element's invalid-session-url attribute, the path to redirect to when a request using an invalid session is detected.