In Java EE, the Web container generates two different session objects for different requests for HTTPS and HTTP, so if only some of the pages in the same web app use SSL, To ensure that the use of SSL-based pages to switch between pages that do not use SSL (that is, the switch between HTTPS requests and HTTP requests) is continuous, you can do so by passing sessionid in the URL that you access. In other words, a sessionid is bound to the URL that enters or exits HTTPS, such as when switching from HTTP to HTTPS, the URL is: https://xxx/login.do;jsessionid=<%=session.getId ()% The switch from HTTPS to HTTP is: Http://xxx/xxx.do;jsessionid=<%=session.getId ()%>. This way the Web container will take precedence over this sessionid to get the session object, instead of generating a new SessionID, you can guarantee that the session will not change during HTTP and HTTPS switching (this method is validated on Tomcat).
Because the SessionID binding on the URL is easy to be stolen, in order to ensure that the session is not robbed, session authentication needs to be combined with the client IP, that is, when the user login successfully, through Session.setattribute ("ClientIP", REQUEST.GETREMOTEADDR ()) Saves the IP address of the client, and must determine whether the client's IP is the client IP that was originally stored in the ClientIP property of the Session object, and if not the session is an illegal session, in the legitimacy of the subsequent authentication session.
HTTP jumps directly to HTTPS, redirect it. Using PHP is easier:
When you access HTTP, skip https:
"on") {$xredir = ' https://'. $_server["SERVER_NAME"].$_server["Request_uri"];header ("Location:". $xredir);}? >
When you access HTTPS, skip http:
Include the above code at the beginning of the page.
http://www.bkjia.com/PHPjc/752426.html www.bkjia.com true http://www.bkjia.com/PHPjc/752426.html techarticle in Java EE, the Web container generates two different session objects for different requests for HTTPS and HTTP, so if only some of the pages in the same web app use SSL, make sure to use ...