English 中文(简体)
未登记日期和时间
原标题:logout date and time without login

实际上,我有一个严重问题:我看到有人从japan进入我的网站,而我没有向未经许可的用户提供任何标识和密码。 我只向经认证的用户发送了专用用户和密码,而且 i 正在跟踪记录、记录时间、记录和记录。 但是,我发现,在我的数据库中,没有标识时间、博客使用、标识IP地址,但是有标志性时间,在我的数据库中,计分辨率IP地址在使用无效。 如何能够? 一位来自日本的人在16:20:18时离开了我的现场,他在那里没有gged脚?? 没有伐木的伐木?

Need help from experts Please

My web application is of jsp, servlets,java groups and oracle 10g : I have given the following protection:

 1. CSRF Protection 
 2. SQL Injection protection 
 3. XSS Protection 
 4. No Broken Authentication and session

Very soon i am going to put SSL.

Authentication servlet:

HttpSession session1 = request.getSession(false);
     PrintWriter out = response.getWriter();
      try{
   if(request.getMethod().equalsIgnoreCase("POST")){
String user="";
String timenow="";
String strQuery="";
String today="";
String tour="";
try{
String useridfinal = (String)request.getParameter("userid");
    String userpassfinal = (String)request.getParameter("userpassword");
         Pattern p10 = Pattern.compile("[A-Z0-9a-z]+");// XSS checking
Matcher m10 = p10.matcher(useridfinal);
boolean b10 = m10.matches();
Pattern p11 = Pattern.compile("[A-Z!_,.a-z0-9]+");// XSS checking
Matcher m11 = p11.matcher(userpassfinal);
boolean b11 = m11.matches();
if(useridfinal == null || b10==false){
session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
response.sendRedirect("login.jsp");
        }
else if(userpassfinal == null || b11==false){
session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
response.sendRedirect("login.jsp");
}
else{
try {
  dbconnection db= new dbconnection();
 db.getConnection();
PreparedStatement ps=null;
     PreparedStatement ps2=null;
 ResultSet  rs=null;
ResultSet  rs1=null;
String ipadd="";
     try {
ipadd= request.getRemoteAddr();//tracking IP address
}
catch(Exception e) {
}
               SimpleDateFormat sdfDate = new SimpleDateFormat("dd-MM-yy HH:mm:ss");         
Date now = new Date();
String strDate = sdfDate.format(now);
    if(request.getParameter("userid")!=null &&
        (request.getParameter("userid") == null ? "" != null : !request.getParameter("userid").equals("")) && request.getParameter("userpassword")!=null &&
        (request.getParameter("userpassword") == null ? "" != null : !request.getParameter("userpassword").equals("")))
    {
 if ( session1 != null) {
               session1.invalidate(); }
 session1 = request.getSession(true);
    String s=(String)useridfinal;
       MessageDigest m=MessageDigest.getInstance("MD5");
       m.update(s.getBytes(),0,s.length());
       String encuseridfinal=(new BigInteger(1,m.digest()).toString(16));
      String s1=(String)userpassfinal;
       MessageDigest m1=MessageDigest.getInstance("MD5");
       m1.update(s1.getBytes(),0,s1.length());
       String encuserpassfinal=(new BigInteger(1,m1.digest()).toString(16));
ps= db.con.prepareStatement("select * from login where loginid=? and  loginpass=? ");
ps.setString(1, useridfinal);
ps.setString(2, encuserpassfinal);// encrypted userpassword
     try {
      rs=ps.executeQuery();
       } catch (SQLException ex) { 
        }
      int count=0;
      while(rs.next())
      {
 count++;
try {
  //Initialize SecureRandom
  //This is a lengthy operation, to be done only upon
  //initialization of the application
  SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
  //generate a random number
  String randomNum = new Integer( prng.nextInt() ).toString();
  //get its digest
  MessageDigest sha = MessageDigest.getInstance("SHA-1");
  byte[] result =  sha.digest( randomNum.getBytes() );
String csrf="";

csrf=hexEncode(result);
                try{
Calendar calendar = new GregorianCalendar();
int hour = calendar.get(Calendar.HOUR_OF_DAY);
int minute = calendar.get(Calendar.MINUTE);
int second = calendar.get(Calendar.SECOND);
today=(+hour+":"+minute+":"+second +"");
Date date = new Date();
SimpleDateFormat sdf = null;
String strDate1 = "";
sdf = new SimpleDateFormat("dd-MM-yy");
strDate1 = sdf.format(date);
tour=strDate1+" "+today;
               try{
           ps2 = db.con.prepareStatement("insert into logindetails (login_id, login_dt, login_ipaddress) values (?, to_date(?,  DD-MM-YY hh24:mi:ss ),?) ");
               }
               catch(Exception e){
               }
ps2.setString(1, useridfinal);
try{
ps2.setString(2, tour);
}
catch(Exception e){}
try{
ps2.setString(3, ipadd);
}
catch(Exception e){}
try {
 rs1=ps2.executeQuery();
}
catch(SQLException ex){
}
 rs1.close();
 ps2.close();
  } 
               catch(Exception e){
               }
         session1.setAttribute("useridfinal", useridfinal);
      session1.setAttribute("csrftoken", csrf); //csrf token generation      
    response.sendRedirect("home.jsp");
  session1.setAttribute("authenticated", true);  
}
catch(Exception e){}
 }
 try{
       rs.close();
       }
       catch(Exception e){}
       try{
       ps.close();
       }
       catch(Exception e){}
     try{
    db.removeConnection();
     }
 catch(Exception e){}
      if(count==0)
      {
 session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
 response.sendRedirect("login.jsp");
      }
    }
    else {   
 session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
 response.sendRedirect("login.jsp");
}
  } catch (Exception e) {
  }
 }
} catch (Exception e) {
      out.println("please try later");
  }
   }
else{
response.sendRedirect("login.jsp");
}
    } catch (Exception e) {
   response.sendRedirect("login.jsp");
   }
processRequest(request, response);
}
function() {// For generating secure token
return token;
}

Signout Code

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>JSP Page</title>
    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META NAME="ROBOTS" CONTENT="NONE"> 
<META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">
</head>
<body>
     <%
String user="";
HttpSession session1 = request.getSession(false);
if(session1.getAttribute("useridfinal")!=null &&
session1.getAttribute("useridfinal")!="")
{
user = session1.getAttribute("useridfinal").toString();
}
    String today="";
String tour="";
dbconnection db= new dbconnection();
db.getConnection();
PreparedStatement ps=null;
     PreparedStatement ps2=null;
ResultSet  rs=null;
ResultSet  rs1=null;
try{
Calendar calendar = new GregorianCalendar();
int hour = calendar.get(Calendar.HOUR_OF_DAY);
int minute = calendar.get(Calendar.MINUTE);
int second = calendar.get(Calendar.SECOND);
today=(+hour+":"+minute+":"+second +"");
Date date = new Date();
SimpleDateFormat sdf = null;
String strDate1 = "";
sdf = new SimpleDateFormat("dd-MM-yy");
strDate1 = sdf.format(date);
String useripadd="";
try {
useripadd= request.getRemoteAddr();
}
catch(Exception e) {
}
 tour=strDate1+" "+today;
               try{
           ps2 = db.con.prepareStatement("insert into logindetails 
(loginid,logoutdt,logoutipaddress) values (?,to_date(?,  DD-MM-YY hh24:mi:ss ),?)");
               }
               catch(Exception e){
               }
ps2.setString(1, user);
try{
ps2.setString(2, tour);
}
catch(Exception e){          }
ps2.setString(3, useripadd);
try {
 rs1=ps2.executeQuery();
}
catch(SQLException ex){
out.println(ex);
}
 rs1.close();
 ps2.close();
db.removeConnection();
 }
               catch(Exception e){
               }
       String csrf="";
request.getSession(false).removeAttribute("useridfinal");
request.getSession(false).removeAttribute("csrftoken");
response.setHeader("Pragma","no-cache"); 
response.setHeader("Cache-Control","no-store"); 
response.setHeader("Expires","0"); 
response.setDateHeader("Expires",-1); 
session1.invalidate();
response.sendRedirect("login.jsp");
%>
</body>

从IP地址看,我知道该地点是japan。 我不知道情况如何。 是否有任何帮助?

最佳回答

http://your.host.com/app ,并将您的日志称为日志。 如果我只使用我的浏览器和类型。 在座标栏和点击条目中,你在数据库中有一个没有标识的标志。 无需打碎任何东西。

另一种可能性是,由于你基本上忽视了出现的任何例外,日志已经成功,但输入数据库的工作却失败。 这当然是这样,因为将标识列入数据库,你使用<代码>execute Query。 而不是使用<代码>executeUpdate。

你的法典确实是可怕的。 你们应当学习常态守则,正确使用JDBC,正确处理例外情况,使用交易而不是自动交易,最后定点使用近结果、声明和联系。 共同财产计划中的 Java法典实际上很坏。

阅读指南和NEVER do submissions(Exception){

时间:2012-01-13 10:59:13
问题回答

It may be possible that the they may have used proxy for the login-logout and the user will be of your known person only and he may have access to your database and he want to do something wrong with your system so he login and done something wrong. And after that he may have removed his accesstime details.

时间:2012-01-13 08:52:49


上一篇:
下一篇:


相关问题
Spring Properties File

Hi have this j2ee web application developed using spring framework. I have a problem with rendering mnessages in nihongo characters from the properties file. I tried converting the file to ascii using ...

时间:2009-11-13 05:05:41 回答:3 展示:1
Logging a global ID in multiple components

I have a system which contains multiple applications connected together using JMS and Spring Integration. Messages get sent along a chain of applications. [App A] -> [App B] -> [App C] We set a ...

时间:2009-11-09 14:50:12 回答:4 展示:1
Java Library Size

If I m given two Java Libraries in Jar format, 1 having no bells and whistles, and the other having lots of them that will mostly go unused.... my question is: How will the larger, mostly unused ...

时间:2009-11-09 14:44:57 回答:2 展示:1
How to get the Array Class for a given Class in Java?

I have a Class variable that holds a certain type and I need to get a variable that holds the corresponding array class. The best I could come up with is this: Class arrayOfFooClass = java.lang....

时间:2009-11-05 09:41:59 回答:5 展示:1
SQLite , Derby vs file system

I m working on a Java desktop application that reads and writes from/to different files. I think a better solution would be to replace the file system by a SQLite database. How hard is it to migrate ...

时间:2009-11-05 09:26:46 回答:3 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全