
How session works with Weblogic 12 c - Closing browser seems to invalidate the session or the cookie

In our weblogic java ee application the <cookie-max-age-secs> param is set to -1 (not expire)

The weblogic <timeout-sec> param is set to 1800 sec (30 mins)

  1. The user logs in and then closes the browser (X close).

  2. The user reopens the browser (after a few secs) and clicks on the previous address.

Expected behavior: The browser sends the cookie (which is not expired) and Weblogic recognizes the cookie ID, which is still associated with a session and lets the user automatically log in to the application.

Actual behavior: The user is prompted with the login screen and has to re-login.

It seems like the browser invalidates the cookie during the browser (X close) and doesn't send it to the application.

Note: Clear browser cache on browser close is NOT checked. Also we don't destroy the session on browser close (nothing fancy like that).

How is this possible? Am I missing something here?

To make things even harder: If you are in developer mode (F12) and you're capturing the requests (Network tab) when you close (x close) and reopen, you are automatically logged in.

Same exact test but different behavior. How can it be?

Thanks in advance.

Browser close deletes the JSESSIONID cookie.

The actual behaviour is the desired/expected one. This is because JSESSIONID is deleted by the browser on browser close.

So when you reopen the browser and send a request to your application the browser is NOT sending any cookie (NO JSESSIONID) to the web application. Thus you are prompted with the login screen.

Note: The session object is still in memory, but there is no way to access it at this point. Some time after the timeout is reached (30 min in your case) a low priority thread will remove the session object.

Now let's consider the bizarre case (Developer tools opened):

My bet is that your developer tools window is open in a new window and this window is not closed when you close the browser. This is preventing the deletion of the JSESSIONID.

Thus, in this case your browser sends the JSESSIONID cookie in the request header and since we said before that your session object is still in memory, weblogic accepts it.
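
The behaviour described in the answer, as an added Python model (not part of the original post and not WebLogic code): a cookie issued without a lifetime is dropped when the browser closes, while the server-side session stays in memory until the 1800-second timeout. The class and function names are hypothetical, and treating a negative max age as "no Max-Age attribute" is an assumption that follows the Servlet `Cookie.setMaxAge` semantics.

```python
SESSION_TIMEOUT_SECS = 1800  # server-side timeout from the question (30 min)

class Server:
    """Toy session store standing in for the container (hypothetical)."""
    def __init__(self, cookie_max_age_secs):
        self.cookie_max_age_secs = cookie_max_age_secs
        self.sessions = {}  # session id -> last access time

    def login(self, now):
        sid = "constructed-session-id"  # constructed sample value
        self.sessions[sid] = now
        header = f"JSESSIONID={sid}; Path=/; HttpOnly"
        # Assumption: a negative max age means no Max-Age attribute is sent.
        if self.cookie_max_age_secs >= 0:
            header += f"; Max-Age={self.cookie_max_age_secs}"
        return header

    def handle(self, cookies, now):
        sid = cookies.get("JSESSIONID")
        last = self.sessions.get(sid)
        if last is None or now - last > SESSION_TIMEOUT_SECS:
            self.sessions.pop(sid, None)  # timed-out sessions are dropped
            return "login page"
        self.sessions[sid] = now
        return "application page"

class Browser:
    def __init__(self):
        self.jar = {}  # name -> (value, expiry time or None for session cookie)

    def store(self, set_cookie, now):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        max_age = attrs.get("Max-Age")
        self.jar[name] = (value, now + int(max_age) if max_age else None)

    def close_and_reopen(self):
        # Cookies without an expiry live only as long as the browser process.
        self.jar = {n: c for n, c in self.jar.items() if c[1] is not None}

    def cookies(self, now):
        return {n: v for n, (v, exp) in self.jar.items()
                if exp is None or exp > now}

def reopen_result(cookie_max_age_secs, gap_secs):
    """Log in at t=0, close and reopen the browser, request at t=gap_secs."""
    server, browser = Server(cookie_max_age_secs), Browser()
    browser.store(server.login(0), 0)
    browser.close_and_reopen()
    return server.handle(browser.cookies(gap_secs), gap_secs), len(server.sessions)
```

With `-1` the model returns the login page while one session is still held server-side, which is the orphaned session the answer's note describes. With a positive max age the session id survives the browser restart, so the server-side timeout becomes the only limit on how long that stored id remains usable.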
