AppScan Security Vulnerability Fixes

Iris ·
Updated: 2024-09-21
· 999 views

1. Session identifier not updated: add the following code to the login page.

```java
request.getSession(true).invalidate();      // clear the session
Cookie[] cookies = request.getCookies();    // may be null if the client sent no cookie
if (cookies != null && cookies.length > 0) {
    cookies[0].setMaxAge(0);                // expire the cookie
    response.addCookie(cookies[0]);         // write it back, otherwise the client keeps the old value
}
```

I don't really understand how sessions work; experts passing by, please advise.

2. Cross-site request forgery: add a sessionId parameter to the URL that was flagged.

```java
response.getWriter().write(
    "<script>parent.location.href='dbase/admin/loginJsp.action?sessionId=" + sessionId + "'</script>");
```

If passing the parameter triggers an SSL error, pass the value with a POST instead:

```java
response.getWriter().write(
    "<script language=\"javascript\">"
  + "document.write(\"<form action=dbase/admin/loginJsp.action method=post name=formx1 style='display:none'>\");"
  + "document.write(\"<input type=hidden name=name value='" + sessionId + "'>\");"
  + "document.write(\"</form>\");"
  + "document.formx1.submit();"
  + "</script>");
```

3. Unsafe HTTP methods enabled: edit the web.xml of the web project or of the server and add the following security configuration to disable the HTTP methods that are not needed.

```xml
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
```
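As an added example (not code from the original post), the Java class below shows the two patterns behind fixes 1 and 2 in a more complete form: rotating the session id at the moment of a successful login, and tying every state-changing request to a random per-session token (the synchronizer-token pattern, which is the mitigation AppScan's CSRF finding normally expects). The class name LoginHardening, the attribute names user, locale and csrfToken, the X-CSRF-Token header and the /dbase/admin/* filter mapping are assumptions; the application's own credential check is assumed to have run before onLoginSuccess is called.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical example class; all names are assumptions, not from the original post.
public final class LoginHardening {

    private static final SecureRandom RNG = new SecureRandom();
    static final String CSRF_ATTR = "csrfToken";   // session attribute that holds the token
    static final String CSRF_PARAM = "csrfToken";  // form field carrying the token back

    /** Fix 1: call this once the credentials have been verified. The pre-login session
     *  (including any id that was planted in the browser before login) is discarded and
     *  the container issues a fresh session id. */
    public static HttpSession onLoginSuccess(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            Object locale = old.getAttribute("locale"); // carry over harmless preferences only
            if (locale != null) keep.put("locale", locale);
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);       // container sends a new JSESSIONID here
        keep.forEach(fresh::setAttribute);
        fresh.setAttribute("user", user);
        fresh.setAttribute(CSRF_ATTR, newToken());      // one unguessable token per session
        return fresh;
    }

    /** 256-bit random token, URL-safe base64 so it fits in a hidden field or a header. */
    static String newToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Fix 2: map this filter to the URLs AppScan flagged (for example /dbase/admin/*).
     *  A request that can change state must present the token that only a page rendered
     *  inside the victim's own session could have read; a cross-site form cannot. */
    public static final class CsrfFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpServletResponse resp = (HttpServletResponse) rs;
            if (isSafeMethod(req.getMethod())) {        // reads carry no token
                chain.doFilter(rq, rs);
                return;
            }
            HttpSession s = req.getSession(false);
            String expected = (s == null) ? null : (String) s.getAttribute(CSRF_ATTR);
            String supplied = req.getParameter(CSRF_PARAM);
            if (supplied == null) supplied = req.getHeader("X-CSRF-Token"); // AJAX callers
            if (!tokensMatch(expected, supplied)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
            chain.doFilter(rq, rs);
        }
    }

    static boolean isSafeMethod(String m) {
        return "GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m);
    }

    /** Constant-time comparison; String.equals would leak token bytes through timing. */
    static boolean tokensMatch(String expected, String supplied) {
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

To wire it in, register the nested filter in web.xml with `<filter-class>LoginHardening$CsrfFilter</filter-class>` (prefixed with its package if it has one), map it to the flagged URL pattern, and render the token into every form as a hidden field such as `<input type="hidden" name="csrfToken" value="${sessionScope.csrfToken}">`. Because the token lives only in the server-side session and never in the URL, it does not run into the SSL problem described above, and rotating the session on login also addresses the "session identifier not updated" finding without touching the cookie array by hand.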



Tag: AppScan vulnerability
