Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am extremely new to the web-development scene, but I was wondering: Does anybody know what mechanisms does the ZK framework use in order to prevent session hijacking?
If you use ZK and ZK Spring Security, it will handle this transparently for you.
The mechanism is straightforward. After end user login, a new session is created and all attributes in the old session are copied over to the new one(to keep the state). Then the old session is invalidate and the end user works with the new session since. Because the old session number the “bad guy” had already invalidated, no way for the “bad buy” to hijack the session.