我需要更改会话ID以阻止session fixation。
我使用以下方法更改会话(like this):
public class LoginSupport extends ActionSupport {
public void prepare() {
final HttpServletRequest request = ServletActionContext.getRequest();
request.getSession().invalidate();
// generate new session (and id)
final HttpSession newSession = request.getSession();
}
}
但是,Struts2在调用上述操作后抛出了以下异常:
java.lang.IllegalStateException: getAttribute: Session already invalidated
at org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1011)
at org.apache.catalina.session.StandardSessionFacade.getAttribute(StandardSessionFacade.java:109)
at org.apache.struts2.dispatcher.SessionMap.get(SessionMap.java:161)
显然,它仍在尝试访问上一个会话的属性映射。我如何让Struts2知道它应该刷新其内部会话映射?