如何基于Cookie检索相应的HttpSession
[英]How to retrieve the corresponding HttpSession based on Cookie
问题描述
I would like to set up a mechanism to track every user http session based using a Cookie object. 
我想建立一种机制,以使用Cookie对象跟踪每个用户的http会话。 Therefore I store the user ID in a Cookie which I will communicate then to the client in the response body (once the login process is successful) such as : 因此,我将用户ID存储在Cookie中,然后我将其与响应主体中的客户端进行通信(一旦登录过程成功),例如:
Cookie loginCookie = new Cookie("userId", userId);
httpServletResponse.addCookie(loginCookie);
I have a got three questions please : 请问三个问题:
1) How to retrieve a given user http session based on his Cookie ? 1)如何基于用户的Cookie检索给定用户的HTTP会话? Shall I store the JSESSIONID instead of the userId for this purpose? 为此,我是否应该存储JSESSIONID而不是userId?
2) Encrypting the user cookie won't prevent the cookie from being compromised by some attacker eavesdroping the communication between the client and the server. 2)对用户cookie进行加密不会阻止窃听者窃听客户端与服务器之间的通信,从而破坏cookie。 Thus the attacker could reuse the cookie to request the server as being the actual user since the same cookie is being communicated each time the user requests the server. 因此,由于每次用户请求服务器时都会传达相同的cookie,因此攻击者可以重用cookie来请求服务器作为实际用户。 I don't really see where encrypting the cookie could help. 我真的看不到在哪里加密cookie会有帮助。 Shall I use a digital signature algorithm as well in order to authenticate the sender? 我也应该使用数字签名算法来验证发件人吗?
1 个解决方案
解决方案1
0 已采纳 2017-02-13 21:22:57
You should store the session ID in the cookie, and the user ID in the server-side session.
您应该将会话ID存储在cookie中,并将用户ID存储在服务器端会话中。 Cookie re-use should not be an issue if you are using https, which mitigates the risk of eavsdropping.
如果您使用的是https,则Cookie的重用应该不会成为问题,这样可以降低窃听的风险。 If you are not using https, no manner of encryption will help you. 如果您不使用https,则没有任何加密方法可以帮助您。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.