Why a session is created even for users who have not logged in.

Board: JAVA
Author: helix
Posted: 2018-04-05 10:31:07
Views: 1743
● Original
○ Question
I have created a web app that uses Spring Security (3.2) login prompt. 
I run the app in Tomcat 7. I use the Tomcat manager to monitor sessions. 
It is a Vaadin app, using a Vaadin servlet. No JSP pages are used.

Now...

1. I have a freshly started Tomcat with a freshly deployed .war.
2. I open a web browser and enter the url for the app and press enter which lands me on the login page of said app.
3. I can see in the Tomcat manager that 1 session has been created. Note that I haven't even tried logging in yet.
4. I close the app browser tab and the browser itself and re-open it (i.e. effectively deleting any session data) and enter the url again and press enter.
5. I can see in the Tomcat manager that yet another session has been created. There is now a total of 2 sessions. Note that I still haven't even tried logging in.

Is this intended behaviour (prevention of some kind of session fixation attack) or have I simply configured something wrong?
○ Answer
The short version is that login processes that use a login page need to create a session to store the target page.

The longer version is that the login process (assuming successful authentication) will be something along these lines:

01. User agent requests /some/secure/page
02. Container checks for authenticated user
03. User not authenticated so container starts login process
04. Container creates a session
05. Container adds target page URL (/some/secure/page) to session
06. Container redirects user to login page
07. User logs in
08. Container validates credentials
09. Container changes ID of session (to prevent session fixation)
10. Container gets target page URL from session
11. Container redirects user to target page
12. User agent requests target page
13. Container checks for authenticated user
14. User is authenticated so container displays requested page

Without the session the container has no way to track which (of the potentially many) pages 
requiring authentication the user asked for and therefore no way to redirect them to the requested page
after authentication completes.

● Translation
○ Question summary
Why is a session created when the user has not even attempted to log in?
- Closing the browser and reopening it creates one more session, for a total of 2.
○ Answer
To explain the login process briefly:
the login page needs a session to be created in order to store the target page.

To explain the login process at length (assuming authentication succeeds),
the following steps take place.
01. The user agent requests access to /some/secure/page.
02. The container checks whether the user is authenticated.
03. Because the user is not authenticated, the container starts the login process.
04. The container creates a session.
05. The container adds the target URL (/some/secure/page) to the session.
06. The container redirects the user to the login page.
07. The user logs in.
08. The container validates the credentials.
09. The container changes the session ID (to prevent session fixation).
10. The container gets the target page URL from the session (that would be /some/secure/page, right?).
11. The container redirects the user to the target page.
12. The user agent requests the target page.
13. The container checks whether the user is authenticated.
14. Because the user is authenticated, the container displays the requested page.
Without a session, the container has no way to track which pages the authenticated user requested
(since the target URL is added to and retrieved from the session),
and therefore no way to redirect the user after authentication completes.
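The flow described in the answer (both the original and the translation above), as an added example in Python that is not code from the original post, from Tomcat or from Spring Security: a toy in-memory model of a container that creates a session before login to remember the target URL, rotates the session ID after successful authentication, and counts live sessions the way the question's Tomcat manager does. The class and function names, the user table, the password and the paths are this example's own constructed assumptions; the cookie name JSESSIONID is Tomcat's default.

```python
import hmac
import secrets
from dataclasses import dataclass, field

COOKIE = "JSESSIONID"  # Tomcat's default session cookie name


@dataclass
class Session:
    id: str
    attrs: dict = field(default_factory=dict)  # holds "target" and later "user"


class Container:
    """Toy stand-in for a servlet container doing login-page authentication.
    `sessions` plays the role of the session list the Tomcat manager shows."""

    def __init__(self, users, secure_prefix="/secure/"):
        self.users = users                # constructed: username -> password
        self.secure_prefix = secure_prefix
        self.sessions = {}                # session id -> Session

    def _session(self, cookies):
        """Return the session the cookie names, else create one (step 4)."""
        sid = cookies.get(COOKIE)
        if sid in self.sessions:
            return self.sessions[sid]
        s = Session(secrets.token_hex(16))
        self.sessions[s.id] = s
        return s

    def handle(self, path, cookies, form=None):
        """Serve one request; returns (status, location-or-body, session id)."""
        if path == "/login":
            return self._login(cookies, form or {})
        if path.startswith(self.secure_prefix):
            s = self._session(cookies)    # a session exists even before login
            if "user" in s.attrs:         # steps 13-14
                return 200, f"secure content for {s.attrs['user']}", s.id
            s.attrs["target"] = path      # step 5: remember where to go afterwards
            return 302, "/login", s.id    # step 6
        return 200, "public page", cookies.get(COOKIE)

    def _login(self, cookies, form):
        s = self._session(cookies)
        user, pw = form.get("username"), form.get("password")
        stored = self.users.get(user)
        # step 8: constant-time compare; toy only, real systems compare password hashes
        if stored is None or pw is None or not hmac.compare_digest(stored, pw):
            return 401, "bad credentials", s.id
        # step 9: rotate the session id so an id fixed before login is worthless;
        # the attributes (including the target) survive the rotation
        del self.sessions[s.id]
        s.id = secrets.token_hex(16)
        self.sessions[s.id] = s
        s.attrs["user"] = user
        target = s.attrs.pop("target", "/")   # step 10
        return 302, target, s.id              # step 11


class Browser:
    """User agent with a cookie jar; a new instance models a restarted browser."""

    def __init__(self, container):
        self.container = container
        self.cookies = {}

    def get(self, path, form=None):
        status, body, sid = self.container.handle(path, self.cookies, form)
        if sid:
            self.cookies[COOKIE] = sid    # honour Set-Cookie: JSESSIONID=...
        return status, body


def reproduce_question(container):
    """The question's observation: two fresh browsers, no login, two sessions."""
    Browser(container).get("/secure/page")
    Browser(container).get("/secure/page")
    return len(container.sessions)


def full_login_flow(container, username, password):
    """Walk steps 1-14 for one browser and report what changed."""
    b = Browser(container)
    b.get("/secure/page")                                   # steps 1-6
    id_before = b.cookies[COOKIE]
    status, location = b.get("/login", {"username": username, "password": password})  # 7-11
    id_after = b.cookies[COOKIE]
    status, body = b.get(location) if status == 302 else (status, location)           # 12-14
    return {
        "status": status,
        "body": body,
        "id_changed": id_before != id_after,
        "old_id_still_valid": id_before in container.sessions,
    }


if __name__ == "__main__":
    users = {"alice": "s3cret"}   # constructed sample account
    print("sessions after two anonymous visits:", reproduce_question(Container(users)))
    print(full_login_flow(Container(users), "alice", "s3cret"))
```

`reproduce_question` gives 2, matching what the Tomcat manager showed in the question: the session is created at step 4, before any credentials are entered, and a restarted browser has no cookie, so it gets a second one. `full_login_flow` shows the defensive detail from step 9: after a successful login the cookie carries a new ID and the pre-login ID no longer resolves to any session, so an ID planted before authentication gains nothing; a failed login leaves the session and its ID untouched. Sessions that never log in still occupy memory until they time out, which is why an unauthenticated session timeout is worth keeping short on a public-facing container.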

zany.kr
Copyright © 2002-2010 Zany's Programming Lab. All Rights Not Reserved.