Question

I am extremely new to the web-development scene, but I was wondering: does anybody know what mechanisms the ZK framework uses in order to prevent session hijacking?


Solution

If you use ZK and ZK Spring Security, it will handle this transparently for you.

The mechanism is straightforward. After end-user login, a new session is created and all attributes in the old session are copied over to the new one (to keep the state). Then the old session is invalidated and the end user works with the new session from then on. Because the old session number the "bad guy" had has already been invalidated, there is no way for the "bad guy" to hijack the session.
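As an added illustration of the copy, invalidate, recreate sequence the answer describes (this is not ZK's or Spring Security's own code), here is a hypothetical servlet helper; the class and method names are assumptions:

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not ZK's or Spring Security's code) that migrates the
 * session after a successful login. Call it from the login handler once the
 * credentials are verified and before the authenticated principal is stored,
 * so that any session id observed before authentication no longer refers to
 * the authenticated session.
 */
public final class SessionMigration {

    public static HttpSession migrateAfterLogin(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            // Nothing to migrate: just start a fresh session.
            return request.getSession(true);
        }

        // 1. Copy the pre-login state so the user does not lose it.
        Map<String, Object> attributes = new HashMap<>();
        for (String name : Collections.list(oldSession.getAttributeNames())) {
            attributes.put(name, oldSession.getAttribute(name));
        }
        int maxInactive = oldSession.getMaxInactiveInterval();

        // 2. Invalidate the old session: its id is now useless to anyone who
        //    captured it before the login.
        oldSession.invalidate();

        // 3. Create a new session (new id, new cookie) and restore the state.
        //    On Servlet 3.1+ containers, request.changeSessionId() is an
        //    alternative that keeps the attributes and only swaps the id.
        HttpSession newSession = request.getSession(true);
        newSession.setMaxInactiveInterval(maxInactive);
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }
        return newSession;
    }

    private SessionMigration() {}
}
```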

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow