SSM project session usage and scope issues
In the past two days, because I used Ajax to send asynchronous update requests from the front end, I found that Ajax exposes the back-end interface address. This cannot be avoided, because the front end is plain text that anyone can read. So I asked around on Baidu, Google and in QQ groups, and the answer everywhere was that the problem can only be solved by security verification on the server side. The point is not to hide the address (anyone with the browser's developer tools will see it) but to make every back-end interface check, on each request, that the caller has logged on and is allowed to touch the data it asks for. The first choice for a beginner is the session; there are also token verification and the Shiro framework. If you are interested, search for tutorials online.
A session is server-side state, keyed by a session ID that the browser carries in a cookie (JSESSIONID on Tomcat), which the server can use to record that a user has logged on. I wrote up what I learned so that newcomers can take fewer detours and go straight to the code.
1. The handler method must take an HttpServletRequest request parameter; it is used to obtain the session carried by the request.
2. In the login interface, after the submitted credentials have been verified, set the session:
HttpSession session = request.getSession(true);
// Obtains the session; true means a new session is created if none exists.
session.setAttribute("logined","success");
// This is written as a marker. It is better to also store the logged-on account (for example its user ID) in the session, so that a later modification request can be restricted to that account and cannot tamper with another account's information.
3. How does an interface verify the login? The handler again takes an HttpServletRequest request parameter to obtain the session that the client sent with its HTTP request:
HttpSession session = request.getSession();
session.getAttribute("logined")
Read whether the key "logined" exists. If it does not, the user has not logged on: do not return the requested content, and instead return a message reminding the user to log on. Note that request.getSession() with no argument creates a session when there is none; in the check use request.getSession(false), which returns null instead, so that unauthenticated requests do not create empty sessions.
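The three steps above, put together in one Spring MVC controller. This is an added example and not the article's own code: the UserService and User classes and the attribute name LOGIN_USER_ID are assumptions. It stores the logged-on account's ID rather than a bare "success" flag, regenerates the session ID at login (Servlet 3.1+ request.changeSessionId()) so a session ID planted before login cannot be promoted to an authenticated one, and uses request.getSession(false) in the check.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Added example (not the article's code). UserService and User are assumed
// application classes; the attribute name LOGIN_USER_ID is an assumption.
interface UserService {
    User findByName(String name);
    boolean checkPassword(User user, String candidate); // compares against the stored hash
    void updateEmail(long userId, String email);
}

class User {
    private long id;
    private String name;
    public long getId() { return id; }
    public String getName() { return name; }
}

@RestController
public class SessionAuthController {

    // Session attribute holding the id of the logged-on account.
    static final String LOGIN_USER_ID = "loginUserId";

    private final UserService userService;

    public SessionAuthController(UserService userService) {
        this.userService = userService;
    }

    // Step 2: verify the credentials, then mark the session as logged on.
    @PostMapping("/login")
    public ResponseEntity<String> login(@RequestParam String username,
                                        @RequestParam String password,
                                        HttpServletRequest request) {
        User user = userService.findByName(username);
        if (user == null || !userService.checkPassword(user, password)) {
            // Same message for unknown user and wrong password: no account enumeration.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("bad credentials");
        }
        HttpSession session = request.getSession(true); // create one if absent
        // Servlet 3.1+: issue a new session id at login so that a session id planted
        // before login (session fixation) does not become an authenticated one.
        request.changeSessionId();
        // Store WHICH account logged on, not just a "success" flag: later handlers
        // use it to limit modifications to the caller's own account.
        session.setAttribute(LOGIN_USER_ID, user.getId());
        return ResponseEntity.ok("ok");
    }

    // Step 3: a protected interface. The session, not the request body, decides
    // whose data is modified, so a caller cannot name another account's id.
    @PostMapping("/user/email")
    public ResponseEntity<String> updateEmail(@RequestParam String email,
                                              HttpServletRequest request) {
        Long userId = currentUserId(request);
        if (userId == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("please log on");
        }
        userService.updateEmail(userId, email);
        return ResponseEntity.ok("updated");
    }

    @PostMapping("/logout")
    public ResponseEntity<String> logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // drops the server-side state, not just the marker
        }
        return ResponseEntity.ok("logged out");
    }

    // Reads the logged-on account id, or null when the caller is not logged on.
    static Long currentUserId(HttpServletRequest request) {
        // getSession(false): do not create a session just to find out there is none
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object id = session.getAttribute(LOGIN_USER_ID);
        return (id instanceof Long) ? (Long) id : null;
    }
}
```

The Ajax front end keeps calling the same URLs as before; what changes is that every call carries the JSESSIONID cookie, and the server refuses any request whose session has no LOGIN_USER_ID. If the client uses fetch or XMLHttpRequest from another origin, it must be configured to send cookies, otherwise the check correctly rejects it.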
SSM project session scope issues
Description: After the user logs on to the system, the user's information is put into the session domain under the name xx so that it can be accessed conveniently.
When the user later modifies their personal information, the modified information from the front-end page is inserted into the same session attribute, overwriting the previous object, so that when the user views it (or logs on again) it is the modified information.
Analysis: After changing their personal information, the user wants to change the login password (changing personal information and changing the password are on different pages). The system then reports that the entered old password is incorrect. The reason is that the personal-information page does not carry the password: when the modified information is encapsulated into the object written to the session, its password field is null, so the user's real login password is no longer available in the session.
Solution: Add a hidden field for the password on the personal-information page. The login password is then encapsulated into the object together with the user's modified information and inserted into the session domain, so the password-change page reads a non-blank password from the session. Caveat: a hidden field puts the password (or its hash) into the HTML of the page and trusts the browser to send it back unchanged, which both exposes it and lets the client tamper with it. The safer way is to keep the password on the server: copy only the editable fields from the form onto the object already in the session, and verify the old password against the database record rather than against the session copy.
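The overwrite bug and the server-side fix, side by side, as an added example that is not the article's code. It assumes the session attribute "user" holds a User object as the article describes, and that a UserService exists with the methods shown (assumptions). The buggy handler replaces the session object with the form-bound one; the fixed handler merges only the editable fields, and the password-change handler checks the old password against the stored record instead of the session.

```java
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Added example (not the article's code). UserService and the User fields are
// assumptions; the session attribute "user" follows the article's description.
class User {
    private long id;
    private String name;
    private String email;
    private String phone;
    private String password; // stored password hash; never rendered into a page
    public long getId() { return id; }
    public void setId(long id) { this.id = id; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getPhone() { return phone; }
    public void setPhone(String phone) { this.phone = phone; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

interface UserService {
    void saveProfile(User user);                            // persists name/email/phone
    boolean checkPassword(long userId, String candidate);   // compares against the DB hash
    void changePassword(long userId, String newPassword);   // hashes and stores
}

@Controller
public class ProfileController {

    private final UserService userService;

    public ProfileController(UserService userService) {
        this.userService = userService;
    }

    // The bug the article describes: the form-bound object replaces the session copy.
    // The profile page has no password field, so form.getPassword() is null and the
    // password silently disappears from the session.
    @PostMapping("/profile/update-buggy")
    public String updateProfileBuggy(@ModelAttribute User form, HttpSession session) {
        session.setAttribute("user", form);
        return "redirect:/profile";
    }

    // Fix: copy only the editable fields onto the object already in the session.
    // id, name and password come from the server-side copy, never from the client,
    // so no hidden password field is needed and the client cannot alter them.
    @PostMapping("/profile/update")
    public String updateProfile(@ModelAttribute User form, HttpSession session) {
        User current = (User) session.getAttribute("user");
        if (current == null) {
            return "redirect:/login";
        }
        current.setEmail(form.getEmail());
        current.setPhone(form.getPhone());
        userService.saveProfile(current);
        session.setAttribute("user", current);
        return "redirect:/profile";
    }

    // Password change: verify the old password against the database record, so a
    // stale or clobbered session copy can neither pass nor fail the check wrongly.
    @PostMapping("/password")
    public String changePassword(@RequestParam String oldPassword,
                                 @RequestParam String newPassword,
                                 HttpSession session, Model model) {
        User current = (User) session.getAttribute("user");
        if (current == null) {
            return "redirect:/login";
        }
        if (!userService.checkPassword(current.getId(), oldPassword)) {
            model.addAttribute("error", "old password is incorrect");
            return "password";
        }
        userService.changePassword(current.getId(), newPassword);
        session.invalidate(); // require a fresh login once the password has changed
        return "redirect:/login";
    }
}
```

With the merge approach the password never leaves the server, and the symptom in the analysis (old password reported as incorrect after a profile edit) cannot occur, because the check no longer depends on what the session object happens to contain.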
That is all for this article. I hope it is helpful for your learning, and thank you for supporting this site.