
httponly and secure flags in java application servlet 3

I'm trying to set up an application with httponly and secure flags set to true, but as soon as I edit my web.xml file by adding the requested cookie-config tag as follows:

<cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
</cookie-config>

I get a ViewExpiredException at the first command link submitted.

The complete session-config tag in my web.xml file is:

<session-config>
    <session-timeout>5</session-timeout>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

I've been trying to understand what the error could be but can't find anything.

My managed bean is annotated as @SessionScoped while the command link is calling a method in the bean through ajax.

Secure on cookie means that the cookie will only be set for HTTPS connections.

If you access your app through http, the cookie will not be transmitted and there will be no session (and so no session- or view-scoped beans or the view state at all).

You can switch your state-saving to client-side, but what you actually want is using HTTPS.
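
The answer's point, serving the application over HTTPS so the Secure session cookie is actually sent back, can be enforced in the same web.xml with a transport guarantee. This is an added example, not part of the original question or answer; the resource name is made up, and it assumes the container already has an HTTPS connector configured.

```xml
<!-- Added example: require HTTPS for the whole application so the
     Secure session cookie is always returned by the browser. -->
<security-constraint>
    <web-resource-collection>
        <!-- Constructed name; any descriptive label works. -->
        <web-resource-name>entire-application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL: plain-HTTP requests are not served; the
             container redirects them to HTTPS or rejects them. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Session settings from the question. -->
<session-config>
    <session-timeout>5</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```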
