This issue was flagged by an AppScan scan.
1. Cause of the vulnerability:
AppScan records the cookies before and after the "login action", in particular the JSESSIONID (or whatever cookie carries the session id, depending on the application). If that value has not changed after the login action, AppScan reports a "Session identifier not updated" finding.
2. AppScan's fix recommendation for "Session identifier not updated":
General fix recommendation: always generate a new session for the user to log into after successful authentication. Prevent users from manipulating session identifiers. Do not accept the session identifier supplied by the user's browser at login.
3. Changes made according to that recommendation:
At login:
<%
    // Invalidate the pre-login session and tell the browser to discard its JSESSIONID cookie,
    // so the container issues a fresh identifier for the authenticated session.
    session.invalidate();
    Cookie[] cookies = request.getCookies();
    if (null != cookies) {
        for (int i = 0; i < cookies.length; i++) {
            if ("JSESSIONID".equalsIgnoreCase(cookies[i].getName())) {
                cookies[i].setMaxAge(0);          // max-age 0 makes the browser delete the cookie
                response.addCookie(cookies[i]);
            }
        }
    }
%>
At logout:
<%
    // Keep the post-logout page out of browser and proxy caches, then invalidate the session.
    response.setHeader("Pragma", "No-cache");
    response.setHeader("Cache-Control", "no-cache");
    response.setDateHeader("Expires", 0);
    session = request.getSession(true);
    session.invalidate();
%>
4. Implementation approach in Spring Security:
Step 1: extract all attributes and their values from the old session.
Step 2: invalidate the old session.
Step 3: create a new session and copy all attributes and values of the old session into it.
/**
 * Called to extract the existing attributes from the session, prior to invalidating it. If
 * {@code migrateAttributes} is set to {@code false}, only Spring Security attributes will be retained.
 * All application attributes will be discarded.
 * <p>
 * You can override this method to control exactly what is transferred to the new session.
 *
 * @param session the session from which the attributes should be extracted
 * @return the map of session attributes which should be transferred to the new session
 */
protected Map<String, Object> extractAttributes(HttpSession session) {
    return createMigratedAttributeMap(session);
}

final HttpSession applySessionFixation(HttpServletRequest request) {
    HttpSession session = request.getSession();
    String originalSessionId = session.getId();
    Map<String, Object> attributesToMigrate = extractAttributes(session);
    session.invalidate();
    session = request.getSession(true); // we now have a new session
    transferAttributes(attributesToMigrate, session);
    return session;
}
Note the key line: session = request.getSession(true); // we now have a new session
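The following helper is an added example, not the page's JSP code and not Spring Security's implementation. It carries steps 1 to 3 above through in plain Servlet API code (login-time migration of attributes into a fresh session), adds the Servlet 3.1 changeSessionId() shortcut, and shows the logout clean-up from section 3 with the JSESSIONID cookie deleted using the application's own context path. The class name SessionRotation and the method names are my own; the only assumption is javax.servlet 3.1+ on the classpath.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Session-id rotation helpers for login and logout (illustrative, hypothetical class). */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Steps 1-3: copy the attributes out of the pre-login session, invalidate it,
     * create a fresh session and copy the attributes back. Returns the new session.
     * Must run before the response is committed, otherwise the container cannot
     * send the new JSESSIONID cookie (see the getSession javadoc below).
     */
    public static HttpSession migrateSession(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            // Nothing to migrate: simply start a clean session.
            return request.getSession(true);
        }
        Map<String, Object> attributes = extractAttributes(oldSession);   // step 1
        oldSession.invalidate();                                          // step 2
        HttpSession newSession = request.getSession(true);                // step 3: new id here
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }
        return newSession;
    }

    /** Snapshot of every attribute in the session (Servlet 3.0+ typed enumeration). */
    static Map<String, Object> extractAttributes(HttpSession session) {
        Map<String, Object> copy = new HashMap<>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            copy.put(name, session.getAttribute(name));
        }
        return copy;
    }

    /**
     * Servlet 3.1+ alternative: keep the session object and its attributes and
     * replace only the identifier. The scanner sees the same effect, because the
     * cookie value sent back after login differs from the one sent with the request.
     */
    public static String rotateIdOnly(HttpServletRequest request) {
        request.getSession(true);          // changeSessionId() throws if no session exists
        return request.changeSessionId();
    }

    /**
     * Logout: invalidate the session, delete the JSESSIONID cookie and disable caching.
     * A cookie taken from the request carries no path, so re-adding it with max-age 0
     * only deletes it when the path matches; set it to the context path explicitly.
     */
    public static void logout(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        String path = request.getContextPath().isEmpty() ? "/" : request.getContextPath();
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("JSESSIONID".equalsIgnoreCase(c.getName())) {
                    Cookie expired = new Cookie(c.getName(), "");
                    expired.setMaxAge(0);
                    expired.setPath(path);
                    expired.setHttpOnly(true);
                    response.addCookie(expired);
                }
            }
        }
        response.setHeader("Cache-Control", "no-store, no-cache");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
    }
}
```

Call migrateSession(request) (or rotateIdOnly(request)) in the login handler immediately after the credentials are verified and before anything is written to the response. To confirm the fix the way AppScan does, compare the JSESSIONID value sent with the login request against the Set-Cookie header of the login response; they must differ.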
getSession
public HttpSession getSession(boolean create)
Returns the current HttpSession associated with this request or,
if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.
To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.
Parameters: create - true to create a new session for this request if necessary; false to return null if there's no current session
Returns: the HttpSession associated with this request or null if create is false and the request has no valid session.
5. A brief summary:
Calling session.invalidate() at login or logout is the simplest way to fix "session identifier not updated"; the Spring Security approach is the more complete fix.