How to disable Shiro RememberMe persistent login



Regarding the Shiro rememberMe deserialization vulnerability:
1. We have already upgraded to the latest version, 1.9.1.
2. But how should RememberMe persistent login be disabled?
The response headers also contain rememberMe=deleteMe; can that be removed?

Having rememberMe=deleteMe is enough; it means you have already disabled this feature. This vulnerability can be addressed with custom encryption:

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroRememberMeConfig {

    /**
     * Cookie object; the name must match the checkbox on the login form (name = rememberMe).
     */
    @Bean
    public SimpleCookie rememberMeCookie() {
        SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
        // cookie lifetime of 30 days, in seconds
        simpleCookie.setMaxAge(2592000);
        return simpleCookie;
    }

    @Bean
    public CookieRememberMeManager rememberMeManager() {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        cookieRememberMeManager.setCookie(rememberMeCookie());
        // Set the cipher key explicitly. Shiro 1.2.4 and later already generate a
        // random key at startup instead of the old hardcoded one; doing it here
        // makes that choice visible in the application's own configuration.
        cookieRememberMeManager.setCipherKey(createCipherKey());
        return cookieRememberMeManager;
    }

    /**
     * Generates a random 128-bit AES key. Because the key is new on every start,
     * rememberMe cookies issued before a restart (or by another instance behind a
     * load balancer) no longer decrypt, and Shiro answers them with rememberMe=deleteMe.
     */
    public byte[] createCipherKey() {
        KeyGenerator keyGenerator;
        try {
            keyGenerator = KeyGenerator.getInstance("AES");
        } catch (Exception e) {
            // DscException and ErrorCodeEnum are the original poster's project-specific types
            throw new DscException(ErrorCodeEnum.UNKNOWN_EXCEPTION, "Init AES key error!");
        }
        keyGenerator.init(128);
        SecretKey secretKey = keyGenerator.generateKey();
        return secretKey.getEncoded();
    }
}
```
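The configuration above keeps RememberMe enabled with a fresh key; it does not turn the feature off. Shiro writes `rememberMe=deleteMe` from `SimpleCookie.removeFrom()` whenever `CookieRememberMeManager` is asked to forget an identity, which happens on logout and after an incoming rememberMe cookie fails to decrypt or deserialize, so the header is a sign that the manager is still wired in and still processes the cookie. To answer the original question of actually disabling persistent login, the following Spring configuration is an added example, not code from the original post or from the Shiro project. It assumes the application already defines a `Realm` bean and uses `/login` and `/static/**` as illustrative paths; those names are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroNoRememberMeConfig {

    // Assumed: the application provides its own Realm bean (not shown in the original post).
    @Bean
    public DefaultWebSecurityManager securityManager(Realm realm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(realm);
        // DefaultWebSecurityManager installs a CookieRememberMeManager by default.
        // Setting it to null makes DefaultSecurityManager skip getRememberedIdentity(),
        // so an incoming rememberMe cookie is never base64-decoded, decrypted or
        // deserialized, and no rememberMe/deleteMe cookie is ever written back.
        securityManager.setRememberMeManager(null);
        return securityManager;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login"); // assumed login path

        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");      // assumed path
        chain.put("/static/**", "anon");  // assumed path
        // "authc" requires subject.isAuthenticated(). The "user" filter would also
        // admit a merely remembered subject, so it is deliberately not used here.
        chain.put("/**", "authc");
        factory.setFilterChainDefinitionMap(chain);
        return factory;
    }
}
```

With this wiring a login form that still posts `rememberMe=true` is harmless: the token's rememberMe flag is ignored because no `RememberMeManager` exists to act on it. Do not define a `CookieRememberMeManager` bean alongside this configuration, or the `DefaultWebSecurityManager` may pick it up again. After deploying, confirm with a request that carries a garbage `rememberMe` cookie: a disabled instance returns no `Set-Cookie: rememberMe=deleteMe` header at all.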