在与Tomcat Web服务器对话期间,是否应检查JSESSIONID是否更改?
[英]during a conversation with a Tomcat web server shall I check if JSESSIONID changes?
问题描述
There's a Java code which emulates browser behaviour. 
有一个Java代码可以模拟浏览器的行为。 It does a stateful conversation with a Tomcat server, for example: login, doSomething, logout. 它与Tomcat服务器进行有状态对话,例如:login,doSomething,logout。
The current implementation is like this: 当前的实现是这样的:
- http post to "login" page, store returned cookie (assume it's JSESSIONID=9845). http发布到“登录”页面上,存储返回的cookie(假设它是JSESSIONID = 9845)。
- http post to "doSomething" page, pass stored cookie (JSESSIONID=9845) with the request, do nothing with response headers (ignoring further cookies) http发布到“ doSomething”页面,将存储的cookie(JSESSIONID = 9845)与请求一起传递,对响应标头不做任何事情(忽略其他cookie)
- http get to "logout" page, pass stored cookie (JSESSIONID=9845) with the request. http转到“注销”页面,将存储的cookie(JSESSIONID = 9845)与请求一起传递。
This is working fine. 一切正常。
However I do not know if it's safe to ignore response headers in step 2. Should I expect the server changing the value of JSESSIONID during the conversation, or not? 但是,我不知道在步骤2中忽略响应头是否安全。我是否应该期望服务器在会话期间更改JSESSIONID的值 ?
In other words, what to do if in step 2. the server returns Set-Cookie=[JSESSIONID=9846] in the response headers? 换句话说,如果在步骤2中,服务器在响应头中返回Set-Cookie = [JSESSIONID = 9846],该怎么办?
I can imagine the followings: 我可以想象以下内容:
- this can't happen in real life, not worth to check it, current code is fine. 这在现实生活中不可能发生,不值得检查,当前代码很好。
- this signals a serious problem with the Tomcat server, worth check it, and the code should stop the conversation without further calls 这表明Tomcat服务器存在严重问题,值得对其进行检查,并且代码应停止对话而无需进一步调用
- it's legal, the Tomcat server just wants to use a new identifier for the session, so I have to store the new value, and use it with subsequent calls. 合法,Tomcat服务器只想为会话使用新的标识符,因此我必须存储新值,并将其与后续调用一起使用。 The current code should be completed. 当前代码应完成。
I guess that real browsers do the 3. option from the above, but maybe 1. and 2. option is also acceptable? 我猜想真正的浏览器会执行上述的3.选项,但是也许1.和2.选项也可以接受吗?
1 个解决方案
解决方案1
1 已采纳 2017-10-17 07:35:20
Typically the session changes on login and logout, means that you can expect to be safe largely (but read on, I only said "typically"). 通常,会话会在登录和注销时发生变化,这意味着您可以在很大程度上确保安全(但是请继续阅读,我只是说“通常”)。 You're asking if it's safe to ignore the HTTP spec - and I'd argue that it isn't, as there always can be unexpected changes that make your app hard to maintain or upgrade the infrastructure. 您在问忽略HTTP规范是否安全-我认为事实并非如此,因为总是会发生意想不到的更改,从而使您的应用难以维护或升级基础架构。
One of those hard to find things will be: If, one day, you start deploying your app on a cluster with sticky sessions, tomcat will tag the session id with the cluster machine, eg your session identifiers will rather look like 9846;node3 . 很难找到的事情之一是:如果有一天,您开始在具有粘性会话的群集上部署应用程序,tomcat将使用群集计算机标记会话ID,例如,您的会话标识符将看起来像9846;node3 。 While this still won't change typically, it will when node 3 gets shut down and the next request gets rebalanced to another node: 9846;node1 . 尽管这通常不会改变,但它将在节点3关闭并且下一个请求重新平衡到另一个节点: 9846;node1 。
If your "login, do something, logout" operations are always semi-atomic (eg following each other immediately), the probability of node 3 going down in between the three requests is probably negligible. 如果您的“登录,执行某项操作,退出”操作始终是半原子操作(例如,立即彼此跟随),则节点3在三个请求之间掉线的可能性可能微不足道。 If you keep the session open for a while, you might want to cattter for such an event. 如果您将会话保持打开状态一段时间,则您可能想要处理此类事件。
In summary: Is it advisable to ignore the HTTP-spec? 总结:建议忽略HTTP规范吗? No. Will you most likely get away doing so: You decide. 不。您最有可能这样做吗:您决定。 I gave one example where it will bite you, probably years ahead. 我举了一个例子,它可能会咬你,可能会提前几年。 You might get away with it easily. 您可能会轻易摆脱它。 Your implementation will likely be a lot easier (to maintain) if you ignore the spec. 如果您忽略规范,您的实现可能会容易得多(易于维护)。 But the mistake will be harder to find, as the issues might be seemingly random and rare when they show up in future, eg a debugging nightmare. 但是错误将更难发现,因为问题在将来出现时似乎是随机的,很少出现,例如调试的噩梦。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.