We are seeing inconsistent behaviour in IE11 (Firefox, Chrome and Safari all work as expected) when handling multiple same-domain and cross-domain redirects. Specifically, when a user tries to access our main application (the landing application of a suite of web applications), a series of redirects takes place that authenticates the user and returns them to the application with a one-time-use ticket that can then be validated. This succeeds, and a final redirect is then issued telling the browser to navigate to the original target URL, now with an authenticated HTTP session. Intermittently, IE11 does not follow this redirect and instead re-submits the request containing the one-time-use ticket. This fails, because the ticket can only be validated once.
The Fiddler capture linked below gives an overview (a 1+1 geo-redundant configuration, where blue is the standby host and red is the primary host). ROOT (/), session-manager and cas are all separate applications running in Tomcat: Fiddler Request Overview
----- Unexplained behaviour -----
Request/Response 813 The final request to the original target application, containing the one-time-use ticket. The ticket is successfully validated on the backend (as can be seen from the logs) and a redirect is issued to the original target URL, in this case "/".
GET https://<primary>/login/cas?ticket=ST-392-40GUmY6GPkPC5QDPSCSF-lteperdrix HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 135.117.210.203
Cookie: XXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE
Connection: Keep-Alive
DNT: 1
HTTP/1.1 302
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 01:00:00 CET
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
Location: https://<primary>/
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:14 GMT
Request/Response 814 Instead of following the redirect as expected, IE re-submits the same request. This fails with a 401 because ticket validation fails on the backend. It should be noted that at this point you are successfully authenticated, and if you manually navigate to the redirect's target URL it works fine.
GET https://<standby>/login/cas?ticket=ST-392-40GUmY6GPkPC5QDPSCSF-lteperdrix HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 135.117.210.203
DNT: 1
Connection: Keep-Alive
Cookie: XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE
HTTP/1.1 401
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 01:00:00 CET
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
Content-Language: fr-FR
Vary: Accept-Encoding
Date: Tue, 27 Mar 2018 13:52:14 GMT
Content-Length: 1242
----- Full request breakdown -----
Full output at the bottom of this question. Most of the flow is generic Spring Security and CAS functionality.
Request/Response 802 - Login request to our authentication server (CAS) on the standby host (containing an authentication artifact from a third-party SSO solution). This is redirected to the primary host unaffected.
Request/Response 804 - The primary authentication server accepts the request and validates the authentication artifact, then redirects to the supplied service URL.
Request/Response 805 - Navigation to the target URL supplied by the third-party client, with a one-time-use ticket. This happens on the standby, so it redirects to the primary as before.
Request/Response 806 - The login URL on the primary ignores the ticket and, since the browser is already logged in, redirects to the default login URL "/".
Request/Response 807 to 812 - The Spring Security filter on the ROOT application intercepts the request, caches the target URL and sends the browser through the standard CAS / Spring Security redirect flow.
Request/Response 813 - The browser is redirected to the Spring Security URL on the ROOT app with a one-time authentication ticket. The ticket is validated on the backend and the browser is sent, via a final redirect, to the original target URL from request 807.
Request/Response 814 - IE11 no longer follows the redirect and instead re-submits the request.
----- Other notes -----
I really think this is some kind of redirect caching issue, but I can't see what is causing it. Shouldn't the no-cache, no-store Cache-Control headers tell the browser not to cache anything?
----- Raw Fiddler Capture -----
Request 802
GET https://<standby>/cas/login?service=https://<standby>/cas/login&client_name=XXXXClient&SAMLart=AAITGdXkYEZ%2F18QZblpXoKqlW28zhGh0dHBzOi8vc3Rhci5jYS5hbGNhdGVsLWx1Y2VudC5jb206ODQ0My90ZXN0L1NhbmVTaW11L3NhbmVSZXNvbHZlQXJ0aWZhY3Q%3D HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <standby>
DNT: 1
Connection: Keep-Alive
HTTP/1.1 307
Location: https://<primary>:443/cas/login?service=https://<standby>/cas/login&client_name=XXXXClient&SAMLart=AAITGdXkYEZ%2F18QZblpXoKqlW28zhGh0dHBzOi8vc3Rhci5jYS5hbGNhdGVsLWx1Y2VudC5jb206ODQ0My90ZXN0L1NhbmVTaW11L3NhbmVSZXNvbHZlQXJ0aWZhY3Q%3D
Cache-Control: no-cache, no-store
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:10 GMT
------------------------------------------------------------------
Request 804
GET https://<primary>/cas/login?service=https://<standby>/cas/login&client_name=XXXXClient&SAMLart=AAITGdXkYEZ%2F18QZblpXoKqlW28zhGh0dHBzOi8vc3Rhci5jYS5hbGNhdGVsLWx1Y2VudC5jb206ODQ0My90ZXN0L1NhbmVTaW11L3NhbmVSZXNvbHZlQXJ0aWZhY3Q%3D HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: XXXX_JSESSIONID=FEAEBFFEEA85FC3745F921DD0CDC31B2
Connection: Keep-Alive
Host: <primary>
HTTP/1.1 302
Cache-Control: no-store
Expires:
X-Application-Context: cas:native:8443
Set-Cookie: TGC=eyJhbGciOiJIUzUxMiJ9.<elided>.Qpz34BWit8XpdYEcxMlavPDiNfGx8ZlAQcTSmDpCKsylSxPk6tltnKIf86acVXIyVcOlZJyHS3ERjSjTAWDebw; Expires=Wed, 27-Mar-2019 13:52:12 GMT; Path=/cas/; Secure; HttpOnly
Location: https://<standby>/cas/login?ticket=ST-54-pf2lZTUIgZ1imzsXwZgtGrrVUbec1OJziQc
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:12 GMT
------------------------------------------------------------------
Request 805
GET https://<standby>/cas/login?ticket=ST-54-pf2lZTUIgZ1imzsXwZgtGrrVUbec1OJziQc HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: <standby>
DNT: 1
HTTP/1.1 307
Location: https://<primary>:443/cas/login?ticket=ST-54-pf2lZTUIgZ1imzsXwZgtGrrVUbec1OJziQc
Cache-Control: no-cache, no-store
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:12 GMT
------------------------------------------------------------------
Request 806
GET https://<primary>/cas/login?ticket=ST-54-pf2lZTUIgZ1imzsXwZgtGrrVUbec1OJziQc HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <primary>
DNT: 1
Connection: Keep-Alive
Cookie: TGC=eyJhbGciOiJIUzUxMiJ9.<elided>.Qpz34BWit8XpdYEcxMlavPDiNfGx8ZlAQcTSmDpCKsylSxPk6tltnKIf86acVXIyVcOlZJyHS3ERjSjTAWDebw; XXXX_JSESSIONID=FEAEBFFEEA85FC3745F921DD0CDC31B2
HTTP/1.1 302
Cache-Control: no-store
Expires:
X-Application-Context: cas:native:8443
Location: /
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:12 GMT
------------------------------------------------------------------
Request 807
GET https://<primary>/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <primary>
Cookie: XXXX_JSESSIONID=FEAEBFFEEA85FC3745F921DD0CDC31B2
Connection: Keep-Alive
DNT: 1
HTTP/1.1 302
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 01:00:00 CET
Set-Cookie: XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE; Expires=Thu, 26-Apr-2018 13:52:12 GMT; Path=/; Secure; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
Location: https://<primary>:443/session-manager/login?service=https%3A%2F%2F<primary>%2Flogin%2Fcas
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:12 GMT
------------------------------------------------------------------
Request 808
GET https://<primary>/session-manager/login?service=https%3A%2F%2F<primary>%2Flogin%2Fcas HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <primary>
Connection: Keep-Alive
DNT: 1
Cookie: XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE
HTTP/1.1 302
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE; Expires=Thu, 26-Apr-2018 13:52:13 GMT; Path=/; Secure; HttpOnly
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
Location: https://<primary>/cas/login?service=https%3A%2F%2F<primary>%2Fsession-manager%2Flogin%2Fcas
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:12 GMT
------------------------------------------------------------------
Request 809
GET https://<primary>/cas/login?service=https%3A%2F%2F<primary>%2Fsession-manager%2Flogin%2Fcas HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <primary>
DNT: 1
Connection: Keep-Alive
Cookie: TGC=eyJhbGciOiJIUzUxMiJ9.<elided>.Qpz34BWit8XpdYEcxMlavPDiNfGx8ZlAQcTSmDpCKsylSxPk6tltnKIf86acVXIyVcOlZJyHS3ERjSjTAWDebw; XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE
HTTP/1.1 302
Cache-Control: no-store
Expires:
X-Application-Context: cas:native:8443
Set-Cookie: XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE; Expires=Thu, 26-Apr-2018 13:52:13 GMT; Path=/; Secure; HttpOnly
Location: https://<primary>/session-manager/login/cas?ticket=ST-391-Z15wIU4u6vkgsAjcPxz0-lteperdrix
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:13 GMT
------------------------------------------------------------------
Request 810
GET https://<primary>/session-manager/login/cas?ticket=ST-391-Z15wIU4u6vkgsAjcPxz0-lteperdrix HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <primary>
Cookie: XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE
Connection: Keep-Alive
DNT: 1
HTTP/1.1 302
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
Location: https://<primary>/session-manager/login?service=https%3A%2F%2F<primary>%2Flogin%2Fcas
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:13 GMT
------------------------------------------------------------------
Request 811
GET https://<primary>/session-manager/login?service=https%3A%2F%2F<primary>%2Flogin%2Fcas HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <primary>
Connection: Keep-Alive
DNT: 1
Cookie: XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE
HTTP/1.1 302
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: ssoid=4537493b5e104f9d9ea341a9d374996c; Secure; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
Location: https://<primary>/cas/login?service=https://<primary>/login/cas
Content-Language: fr-FR
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:13 GMT
------------------------------------------------------------------
Request 812
GET https://<primary>/cas/login?service=https://<primary>/login/cas HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <primary>
DNT: 1
Connection: Keep-Alive
Cookie: TGC=eyJhbGciOiJIUzUxMiJ9.<elided>.Qpz34BWit8XpdYEcxMlavPDiNfGx8ZlAQcTSmDpCKsylSxPk6tltnKIf86acVXIyVcOlZJyHS3ERjSjTAWDebw; XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE
HTTP/1.1 302
Cache-Control: no-store
Expires:
X-Application-Context: cas:native:8443
Location: https://<primary>/login/cas?ticket=ST-392-40GUmY6GPkPC5QDPSCSF-lteperdrix
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:13 GMT
------------------------------------------------------------------
Request 813
GET https://<primary>/login/cas?ticket=ST-392-40GUmY6GPkPC5QDPSCSF-lteperdrix HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <primary>
Cookie: XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE
Connection: Keep-Alive
DNT: 1
HTTP/1.1 302
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 01:00:00 CET
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
Location: https://<primary>/
Content-Length: 0
Date: Tue, 27 Mar 2018 13:52:14 GMT
------------------------------------------------------------------
Request 814
GET https://<primary>/login/cas?ticket=ST-392-40GUmY6GPkPC5QDPSCSF-lteperdrix HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: <primary>
DNT: 1
Connection: Keep-Alive
Cookie: XXXX_JSESSIONID=13EF4B22BF22A3B80F799DEDEE9527CE
HTTP/1.1 401
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 01:00:00 CET
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
Content-Language: fr-FR
Vary: Accept-Encoding
Date: Tue, 27 Mar 2018 13:52:14 GMT
Content-Length: 1242
<!DOCTYPE html>
.
.
.
</html>
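As an added example (not code from the original post), here is a small Python audit of a dump in the format pasted above. It rebuilds the redirect chain and marks the hop where the client re-sent the previous URL instead of going to the Location target, lists any service ticket presented in more than one request (the replay the backend correctly rejects with a 401), and lists redirect responses whose Cache-Control lacks no-store. The CAPTURE string is a constructed, header-trimmed excerpt of requests 810 to 814 from the dump, with the <primary> placeholder kept as in the post; relative Location values such as the `Location: /` in response 806 are resolved against the request URL, and a repeated header such as the two Cache-Control lines in response 811 is combined into one value.

```python
"""Audit a Fiddler-style dump of HTTP request/response pairs: rebuild the redirect
chain, flag requests that re-sent a URL instead of following Location, find CAS
tickets presented more than once, and list redirects lacking no-store.
Added example for the question above, not code from the post; CAPTURE is a
constructed, header-trimmed excerpt of the posted dump with <primary> kept."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
CAPTURE = """\
Request 810
GET https://<primary>/session-manager/login/cas?ticket=ST-391-Z15wIU4u6vkgsAjcPxz0-lteperdrix HTTP/1.1
HTTP/1.1 302
Cache-Control: private
Location: https://<primary>/session-manager/login?service=https%3A%2F%2F<primary>%2Flogin%2Fcas
------------------------------------------------------------------
Request 811
GET https://<primary>/session-manager/login?service=https%3A%2F%2F<primary>%2Flogin%2Fcas HTTP/1.1
HTTP/1.1 302
Cache-Control: private
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Location: https://<primary>/cas/login?service=https://<primary>/login/cas
------------------------------------------------------------------
Request 812
GET https://<primary>/cas/login?service=https://<primary>/login/cas HTTP/1.1
HTTP/1.1 302
Cache-Control: no-store
Location: https://<primary>/login/cas?ticket=ST-392-40GUmY6GPkPC5QDPSCSF-lteperdrix
------------------------------------------------------------------
Request 813
GET https://<primary>/login/cas?ticket=ST-392-40GUmY6GPkPC5QDPSCSF-lteperdrix HTTP/1.1
HTTP/1.1 302
Cache-Control: no-cache, no-store
Location: https://<primary>/
------------------------------------------------------------------
Request 814
GET https://<primary>/login/cas?ticket=ST-392-40GUmY6GPkPC5QDPSCSF-lteperdrix HTTP/1.1
HTTP/1.1 401
Cache-Control: no-cache, no-store
<!DOCTYPE html>
"""

@dataclass
class Exchange:
    num: int
    url: str = ""
    status: int = 0
    headers: Dict[str, str] = field(default_factory=dict)  # response headers, lower-cased names

def parse_capture(text: str) -> List[Exchange]:
    exchanges: List[Exchange] = []
    cur: Optional[Exchange] = None
    in_response = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request "):
            cur = Exchange(num=int(line.split()[1]))
            exchanges.append(cur)
            in_response = False
        elif cur is None or not line or line.startswith(("---", "<")):
            continue  # separators and body lines carry nothing we audit
        elif not cur.url and line.endswith("HTTP/1.1"):
            cur.url = line.split(" ", 2)[1]  # request line: METHOD URL VERSION
        elif line.startswith("HTTP/1.1 "):
            cur.status = int(line.split()[1])
            in_response = True
        elif in_response and ":" in line:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            # A repeated field (811 sends Cache-Control twice) is combined as HTTP allows
            cur.headers[name] = f"{cur.headers[name]}, {value}" if name in cur.headers else value
    return exchanges

def audit_chain(exchanges: List[Exchange]) -> Dict[int, str]:
    # Verdict per request: did it go where the previous response's Location pointed?
    verdict: Dict[int, str] = {}
    for prev, cur in zip(exchanges, exchanges[1:]):
        loc = prev.headers.get("location")
        target = urljoin(prev.url, loc) if loc and prev.status in REDIRECT_CODES else None
        if target is None:
            verdict[cur.num] = "not-a-redirect"
        elif cur.url == target:
            verdict[cur.num] = "followed"
        elif cur.url == prev.url:
            verdict[cur.num] = "resubmitted"  # the IE11 symptom: same URL sent again
        else:
            verdict[cur.num] = "diverged"
    return verdict

def replayed_tickets(exchanges: List[Exchange]) -> Dict[str, List[int]]:
    # CAS service tickets are single-use: a ticket seen in two requests was replayed,
    # and a correct validator rejects the second presentation (the 401 in the dump).
    seen: Dict[str, List[int]] = {}
    for ex in exchanges:
        for ticket in parse_qs(urlparse(ex.url).query).get("ticket", []):
            seen.setdefault(ticket, []).append(ex.num)
    return {t: nums for t, nums in seen.items() if len(nums) > 1}

def redirects_without_no_store(exchanges: List[Exchange]) -> List[int]:
    # A redirect the browser is allowed to cache is the usual suspect for a skipped hop
    return [ex.num for ex in exchanges if ex.status in REDIRECT_CODES
            and "no-store" not in ex.headers.get("cache-control", "")]

if __name__ == "__main__":
    exs = parse_capture(CAPTURE)
    print(audit_chain(exs), replayed_tickets(exs), redirects_without_no_store(exs), sep="\n")
```

Run over the excerpt, the audit reports 811 to 813 as followed and 814 as resubmitted, ST-392 as presented twice (813 and 814), and 810 as the only redirect in the excerpt whose Cache-Control lacks no-store. Pasting the full dump into CAPTURE runs the same three checks over the whole chain.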