I make the following request:
http://qwerty.localhost:82/Server/chat/connect;8O8488WlWWgNzAkGCFYAZyj3Bn91CR=05493D28DDD97308D66DAAC3DD66EAC2
or:
http://qwerty.localhost:82/Server/chat/connect/;8O8488WlWWgNzAkGCFYAZyj3Bn91CR=05493D28DDD97308D66DAAC3DD66EAC2
In this case the session ID (8O8488WlWWgNzAkGCFYAZyj3Bn91CR) is passed both in the cookie and in the URL (as a safeguard, in case the cookie suddenly is not sent). For some reason a new session is created. Why does this happen? What am I doing wrong? I can't work it out...
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<session-config>
<cookie-config>
<name>8O8488WlWWgNzAkGCFYAZyj3Bn91CR</name>
<http-only>true</http-only>
</cookie-config>
<tracking-mode>URL</tracking-mode>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
</web-app>
Answer 0 (score: 0)
If a new session is created on every request, it means the client has cookies disabled and URL rewriting is not working properly. If you encode the URL, the container will first try cookies for session management and only fall back to URL rewriting when the cookie approach fails.
Try it this way:
HttpSession session = request.getSession(false); // passing "false" means the method returns the pre-existing session, or null if there is no session associated with this client.
And for URL rewriting, use response.encodeURL()
Answer 1 (score: 0)
OK, as an example and proof of concept, I created a working sample
web.xml
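A diagnostic servlet for the situation in the question, added here as an example and not taken from the question or either answer. It assumes the same javax.servlet 3.1 API and the cookie name from the question's web.xml; the /diag mapping is my choice. It prints where the container took the session ID from and whether that ID still maps to a live session, which is the distinction that explains a new session being created even though an ID was sent:

```java
package org.company;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: the "/diag" mapping is an assumption, not part of the question's app.
@WebServlet("/diag")
public class SessionDiagServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // The ID the client presented, and which channel the container parsed it from.
        // With both tracking modes enabled, a cookie wins over a ;name=value path parameter.
        String requested = req.getRequestedSessionId();
        out.println("requestedSessionId: " + requested);
        out.println("fromCookie        : " + req.isRequestedSessionIdFromCookie());
        out.println("fromURL           : " + req.isRequestedSessionIdFromURL());

        // A non-null requestedSessionId together with valid=false is the case in the
        // question: the ID arrived, but no live session in THIS context has that ID
        // (expired, created by another webapp or JVM, or rejected by the session manager),
        // so getSession(true) has to create a new one.
        out.println("valid             : " + req.isRequestedSessionIdValid());

        // getSession(false) never creates a session; null is the "new session" case.
        HttpSession session = req.getSession(false);
        if (session == null) {
            out.println("no live session matched; creating one");
            session = req.getSession(true);
        }
        out.println("sessionId         : " + session.getId() + " isNew:" + session.isNew());

        // encodeURL appends ;<cookie-name>=<id> only when the ID did not arrive via a
        // cookie and URL tracking is enabled; otherwise the link comes back unchanged.
        out.println("encoded link      : " + resp.encodeURL(req.getContextPath() + "/diag"));
    }
}
```

Deploy it in the same WAR and call /Server/diag once with the cookie and once with only the ;8O8488WlWWgNzAkGCFYAZyj3Bn91CR=... path parameter. If fromURL is true but valid is false, the container did parse the ID from the path and the problem is that the session does not exist on the instance that answered: check the session timeout, the context path the cookie and URL belong to, and whether more than one instance is answering behind port 82.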
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<session-config>
<cookie-config>
<name>8O8488WlWWgNzAkGCFYAZyj3Bn91CR</name>
<http-only>true</http-only>
</cookie-config>
<tracking-mode>URL</tracking-mode>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<servlet>
<servlet-name>Test</servlet-name>
<servlet-class>org.company.TestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Test</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
Servlet
package org.company;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
public class TestServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
// getSession(true): reuse the session the container matched from the cookie or the
// ;name=value path parameter, or create a new one if nothing matched.
HttpSession session = req.getSession(true);
// isNew() is true only for a session created during this request.
resp.getWriter().print(session.getId() + " isNew:" + session.isNew());
}
}
Build script:
group 'org.company'
version '1.0-SNAPSHOT'
apply plugin: 'java'
apply plugin: 'war'
sourceCompatibility = 1.8
war{
archiveName = 'ROOT.war'
}
repositories {
mavenCentral()
}
dependencies {
providedCompile group: 'javax.servlet', name: 'javax.servlet-api', version:'3.1.0'
}
After deploying the WAR in Tomcat:
Requesting the page without cookies
GET http://localhost:8080/
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Response:
Content-Length: 48
Date: Mon, 12 Feb 2018 12:32:08 GMT
Set-Cookie: 8O8488WlWWgNzAkGCFYAZyj3Bn91CR=AD5F8B47BB0CEC1A08D8887FB82384BD.tc00;path=/;HttpOnly
The page shows AD5F8B47BB0CEC1A08D8887FB82384BD.tc00 isNew:true
If you open a new browser (or go into incognito mode) and request the page with the cookie value in the URL:
GET http://localhost:8080/;8O8488WlWWgNzAkGCFYAZyj3Bn91CR=AD5F8B47BB0CEC1A08D8887FB82384BD.tc00
you will get back
AD5F8B47BB0CEC1A08D8887FB82384BD.tc00 isNew:false
Headers
Content-Length: 49
Date: Mon, 12 Feb 2018 12:37:38 GMT
But if you change the value, for example
GET http://localhost:8080/;8O8488WlWWgNzAkGCFYAZyj3Bn91CR=AD5F8B47BB0CEC1A08D8887FB82384BD.tc01
then you get a new session 2061CBA151CE2148687B2BF48807253F.tc00 isNew:true and the server returns a Set-Cookie header
Content-Length: 48
Date: Mon, 12 Feb 2018 12:38:42 GMT
Set-Cookie: 8O8488WlWWgNzAkGCFYAZyj3Bn91CR=2061CBA151CE2148687B2BF48807253F.tc00;path=/;HttpOnly
Everything works as expected, so the problem lies in a different part of the program.
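The exchange above also shows the security side of URL tracking: any client can present a session ID in the path, so an attacker who first obtains a valid ID from the server can hand it to a victim in a link and then share the session the victim authenticates into. The login servlet and listener below, an added example that is not part of the answer, rotate the ID at authentication with the Servlet 3.1 changeSessionId() method and log the rotation. The /login mapping, the demo credentials and the log messages are assumptions:

```java
package org.company;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Added example: mapping, credentials and messages are assumptions for the demo.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Constructed credential check standing in for a real one.
        if (!"demo".equals(req.getParameter("user"))
                || !"demo-pass".equals(req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = req.getSession(true);
        String before = session.getId();
        boolean cameFromUrl = req.isRequestedSessionIdFromURL();

        // Servlet 3.1: same session object and attributes, fresh ID. An ID that was
        // planted through a ;<cookie-name>=... link no longer names this session.
        String after = req.changeSessionId();
        session.setAttribute("user", "demo");

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("login ok; id rotated " + before + " -> " + after
                + (cameFromUrl ? " (pre-login id had arrived in the URL)" : ""));
    }

    // Logs lifecycle and rotation so the behaviour is visible on the Tomcat console.
    @WebListener
    public static class SessionAuditListener
            implements HttpSessionListener, HttpSessionIdListener {

        @Override
        public void sessionCreated(HttpSessionEvent e) {
            System.out.println("session created: " + e.getSession().getId());
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent e) {
            System.out.println("session destroyed: " + e.getSession().getId());
        }

        @Override
        public void sessionIdChanged(HttpSessionEvent e, String oldId) {
            System.out.println("session id changed: " + oldId + " -> " + e.getSession().getId());
        }
    }
}
```

Rotation only closes the fixation path; an ID carried in the URL still ends up in Referer headers, proxy and server access logs and browser history, so once the cookie problem from the question is found, dropping the URL tracking mode and keeping COOKIE only is the safer end state.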