IBM appcsan扫描安全漏洞--会话标识未更新

appcsan修订建议:

始终生成新的会话，供用户成功认证时登录。 防止用户操纵会话标识。 请勿接受用户浏览器登录时所提供的会话标识

在登录验证成功之后调用下面方法

@SuppressWarnings("unchecked")    private void createNewSession(HttpServletRequest request, HttpServletResponse response) throws Exception {        HttpSession oldSession = request.getSession();        // get the content of old session.        Enumeration
     
       attributeNames = oldSession.getAttributeNames();        Map
      
        attributeMap = new HashMap
       
        ();        while(attributeNames != null && attributeNames.hasMoreElements()){            String attributeName = attributeNames.nextElement();            attributeMap.put(attributeName, oldSession.getAttribute(attributeName));        }        oldSession.invalidate();        HttpSession newSession = request.getSession(true);        // put the content into the new session.        for (String key : attributeMap.keySet()) {            newSession.setAttribute(key, attributeMap.get(key));        }    }