
cookies with <path>/</path> and JSESSIONID

I am experimenting with setting the cookie path in my application's web.xml (as suggested here) to:

<session-config>
    <cookie-config>
        <path>/</path>
    </cookie-config>
</session-config>

So I deploy two identical web applications to localhost:8080/application-a and localhost:8080/application-b respectively.

Each application is a single servlet:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ControllerServlet extends HttpServlet {
  @Override
  public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
      // getSession(false) returns null when no HttpSession exists in this servlet context
      HttpSession session = req.getSession(false);

      if (session == null) {
          // create a new session; the container sets a fresh JSESSIONID cookie on the response
          session = req.getSession(true);
          System.out.printf("No session was present - new one created with JSESSIONID=[%s]\n", session.getId());
      } else {
          System.out.printf("JSESSIONID cookie was present and HttpSession object exists with JSESSIONID=[%s]\n", session.getId());
      }
  }
}

I deploy the apps to a Tomcat 8.5 container (tried with Tomcat 9 as well; the behavior is the same). When I visit application-a with my browser, here's what I see:


… and on the Tomcat logs I read:

No session was present - new one created with JSESSIONID=[A227B147A4027B7C37D31A4A62104DA9]

So far so good. When I then visit application-b, here's what I see:


… and the Tomcat logs show:

No session was present - new one created with JSESSIONID=[5DC8554459233F726628875E22D57AD5]

This is also very well, as explained here and also in this answer, and I quote:

SRV.7.3 Session Scope

HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.

So even though the JSESSIONID cookie was present on the request, my application (the one deployed in application-b) was unable to find an HttpSession object in its own servlet context scope, and so a new session object was created and a new value was assigned to the JSESSIONID cookie.

However, when I now go back to my application-a I find out that, because of the / value configured for the cookie path, it is now trying to use the JSESSIONID value set by application-b. Of course its servlet doesn't find such a session object in its own context (application-a), and so a new value for the JSESSIONID cookie is created, which will in turn invalidate the session of the application-b application, and so on and so forth ad infinitum as I switch back and forth between the two applications.

So my questions are:

1. Given the above behavior it would seem impossible for two applications to use the same JSESSIONID cookie value as the key to their respective HttpSession objects. So in fact not only are the HttpSession objects always different and scoped at the application (servlet context) level but also, in practice, the JSESSIONID values have to be different. Is that correct?

2. If so, then why does the servlet specification use the wording:

The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts [...]

The only way I can imagine the above could be accomplished would be to have a way to hardcodedly provide the JSESSIONID value to use when a new session object is created? But I don't see an API for that.

3. Is there a way I can have some other cookies be shared among applications using the / path in the <session-config> XML element but not have the / path apply to the JSESSIONID cookie? In other words, does the <session-config> apply to all cookies of an application or only to the cookie used for session tracking (JSESSIONID)?

Upon further experimentation, and taking a cue from this answer, it would appear that for the same JSESSIONID to be used for all web applications it is necessary to set the following attribute in context.xml:

<Context ... sessionCookiePath="/">

Either the Tomcat-wide context.xml or the WAR-specific context.xml will do. The <cookie-config><path> value configured in the WAR's web.xml is apparently ignored.

Regarding point 3 of my question, I've found that the way to set paths for other cookies is to programmatically create many of them, one for each path, and add them to the response object with the addCookie method. The configurations in web.xml or context.xml are applicable to other cookies beyond the session cookie.
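One way to do what the answer describes, as an added example that is not code from the question or the answer: a hypothetical servlet that issues its own cookie once per path via addCookie, while the container-managed JSESSIONID keeps whatever path <session-config> or sessionCookiePath gives it. The cookie name APP_SHARED and the list of paths are assumptions chosen to match the two contexts in the question.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (added example, not from the question): sets non-session
// cookies with explicit per-cookie paths. JSESSIONID is left to the container.
public class SharedCookieServlet extends HttpServlet {

    // Assumed cookie name and paths: "/" is visible to every context on the
    // host, the other two are restricted to one application each.
    private static final String SHARED_NAME = "APP_SHARED";
    private static final String[] PATHS = { "/", "/application-a", "/application-b" };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Log what the browser sent, one line per cookie, so the JSESSIONID value
        // and the shared cookies can be compared across contexts in the Tomcat logs.
        Cookie[] received = req.getCookies();
        if (received != null) {
            for (Cookie c : received) {
                System.out.printf("%s received cookie %s=[%s]%n",
                        req.getContextPath(), c.getName(), c.getValue());
            }
        }

        // One Cookie object per path. Browsers key cookies on name + domain + path,
        // so these are three distinct cookies, not one cookie with three paths.
        String value = "set-by" + req.getContextPath().replace("/", "-");
        for (String path : PATHS) {
            Cookie c = new Cookie(SHARED_NAME, value);
            c.setPath(path);
            c.setHttpOnly(true);          // not readable from page scripts
            c.setSecure(req.isSecure());  // only mark Secure when served over TLS
            c.setMaxAge(600);             // seconds; a short lifetime limits exposure
            res.addCookie(c);
        }

        res.setContentType("text/plain");
        res.getWriter().printf("%s set %d cookies%n", req.getContextPath(), PATHS.length);
    }
}
```

Deploy it alongside the ControllerServlet above and the log shows which APP_SHARED cookies reach each context while each context's JSESSIONID is still managed independently by Tomcat.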
