Some of my users end up with 2 cookies. Their browser sends both to the server, and Tomcat seems to use the second cookie, the one that matches the context root.
How does this happen, and how can I stop it?
I only want the cookie without the trailing slash.
For example, the browser sends:
JSESSIONID with path /foo
JSESSIONID with path /foo/
Edit:
Tomcat has a setting that affects this. I had not specified it, and I saw the duplicate-cookie problem in Chrome.
sessionCookiePathUsesTrailingSlash - Some browsers, such as Internet Explorer, Safari and Edge, will send a session cookie for a context with a path of /foo with a request to /foobar in violation of RFC6265. This could expose a session ID from an application deployed at /foo to an application deployed at /foobar. If the application deployed at /foobar is untrusted, this could create a security risk. However, it should be noted that RFC 6265, section 8.5 makes clear that path alone should not be viewed as sufficient to prevent untrusted applications accessing cookies from other applications. To mitigate this risk, this attribute may be set to true and Tomcat will add a trailing slash to the path associated with the session cookie so, in the above example, the cookie path becomes /foo/. However, with a cookie path of /foo/, browsers will no longer send the cookie with a request to /foo. This should not be a problem unless there is a servlet mapped to /*. In this case this attribute will need to be set to false to disable this feature. The default value for this attribute is false.
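The documentation above rests on the RFC 6265 section 5.1.4 "path-match" rule, which is short enough to write out. The following is an added example for this thread, not Tomcat code: rfc6265() implements the standard rule, prefixOnly() models the plain prefix comparison the documentation attributes to some browsers, and main() runs both over the paths discussed here (/foo, /foo/, /foobar). The third row shows the leak the attribute exists to prevent (a /foo cookie sent to /foobar under prefix matching), and the fourth row shows the cost of enabling it (a /foo/ cookie is never sent to /foo itself).

```java
// PathMatch.java: RFC 6265 section 5.1.4 cookie path-match, written as an
// added example for this thread; it is not Tomcat code.
public final class PathMatch {

    /**
     * True if a cookie scoped to cookiePath is sent with a request for
     * requestPath under RFC 6265 section 5.1.4: the paths are identical, or
     * cookiePath is a prefix of requestPath and either cookiePath ends in "/"
     * or the first character of requestPath after the prefix is "/".
     */
    public static boolean rfc6265(String cookiePath, String requestPath) {
        if (requestPath.equals(cookiePath)) return true;
        if (!requestPath.startsWith(cookiePath)) return false;
        if (cookiePath.endsWith("/")) return true;
        return requestPath.charAt(cookiePath.length()) == '/';
    }

    /**
     * The plain prefix comparison that, per the Tomcat documentation quoted
     * above, some browsers apply instead. It sends a /foo cookie to /foobar.
     */
    public static boolean prefixOnly(String cookiePath, String requestPath) {
        return requestPath.startsWith(cookiePath);
    }

    public static void main(String[] args) {
        // Constructed sample paths: the context root from the question and
        // the neighbouring context from the documentation.
        String[][] cases = {
            {"/foo",  "/foo"},
            {"/foo",  "/foo/bar"},
            {"/foo",  "/foobar"},   // leak under prefix matching
            {"/foo/", "/foo"},      // cost of the trailing slash
            {"/foo/", "/foo/bar"},
            {"/foo/", "/foobar"},
        };
        System.out.printf("%-8s %-10s %-8s %-8s%n", "cookie", "request", "rfc6265", "prefix");
        for (String[] c : cases) {
            System.out.printf("%-8s %-10s %-8b %-8b%n",
                    c[0], c[1], rfc6265(c[0], c[1]), prefixOnly(c[0], c[1]));
        }
    }
}
```

Run it with `javac PathMatch.java && java PathMatch`. The row for cookie path /foo/ and request /foo is false under both rules, which is why a servlet mapped at the bare context root (or at /*) stops seeing the session once sessionCookiePathUsesTrailingSlash is enabled.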
Answer 0 (score: 0)
Send the cookie with the slash in the path with an expiry date in the past. Browsers should no longer send an expired cookie.
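One way to carry out the answer above from inside the web application, as an added example that is not part of the original answer: a servlet Filter that, whenever a request arrives with more than one JSESSIONID cookie, re-sends the trailing-slash variant with Max-Age=0 so the browser discards it. It assumes the application is deployed at context path /foo, that sessionCookiePathUsesTrailingSlash has been left at (or set back to) its default of false so that newly issued cookies carry Path=/foo, and that the javax.servlet API is in use (Tomcat 9 and earlier; Tomcat 10 and later use the jakarta.servlet package names instead). The class name and the filter mapping are the example's own choices.

```java
// StaleSessionCookieFilter.java: added example for this thread, not code from
// the original post. When a request carries more than one JSESSIONID, it tells
// the browser to drop the copy scoped to "<context>/" by re-sending that cookie
// with Max-Age=0 (the container emits an expiry in the past for it).
// Assumed: context path "/foo", sessionCookiePathUsesTrailingSlash=false,
// javax.servlet API (Tomcat 9 or earlier).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class StaleSessionCookieFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (countSessionCookies(request) > 1) {
            // The Cookie request header carries no Path attribute, so the
            // server cannot see which copy has the slash. A cookie is replaced
            // by one with the same name, domain and path, so expiring the
            // "<context>/" variant leaves the "<context>" variant untouched.
            Cookie stale = new Cookie(SESSION_COOKIE, "");
            stale.setPath(request.getContextPath() + "/");   // e.g. "/foo/"
            stale.setMaxAge(0);                               // expire immediately
            stale.setHttpOnly(true);
            stale.setSecure(request.isSecure());              // match the live cookie's flags
            response.addCookie(stale);
        }
        chain.doFilter(req, res);
    }

    /** Number of JSESSIONID cookies the browser sent; more than one means a path mismatch. */
    static int countSessionCookies(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return 0;
        int n = 0;
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName())) n++;
        }
        return n;
    }
}
```

Two caveats a practitioner should weigh before deploying this. First, the browser only replaces a cookie whose name, domain and path match exactly, so the Path written here has to be the one Tomcat used when it issued the trailing-slash cookie; setting Secure to match matters too, since browsers refuse to let a non-Secure cookie overwrite a Secure one. Second, the user ends up in whichever session the surviving cookie names, so the stale copy should be expired only after the configuration has been settled; expiring cookies on every request while the attribute is still flipping would log users out repeatedly.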