为什么我不能在客户端的GWT中获得JSESSIONID cookie?
[英]Why can't I get the JSESSIONID cookie in GWT on the client side?
问题描述
I have my GWT code in an index.jsp page, and when I view the page info (security/cookies), I see the JSESSIONID cookie assigned to 'subdomain.mysite.com'. 
我在index.jsp页面中有我的GWT代码,当我查看页面信息(安全性/ cookie)时,我看到分配给'subdomain.mysite.com'的JSESSIONID cookie。
When in my client-side code, I do this: 在客户端代码中,我这样做:
Window.alert("cookies=" + Cookies.getCookieNames().toString);
I see two cookies that are assigned to 'mysite.com', but I do not see the JSESSIONID. 我看到两个分配给“ mysite.com”的cookie,但没有看到JSESSIONID。 The current url for the page is 'subdomain.mysite.com' - shouldn't it be giving me the cookie? 该页面的当前网址是“ subdomain.mysite.com”-它是否应该给我Cookie? When I refresh, or display the cookies on a click event, I still do not see the JSESSIONID cookie. 刷新或在单击事件中显示cookie时,仍然看不到JSESSIONID cookie。
Why can't I get it on the client side? 为什么我不能在客户端获得它?
2 个解决方案
解决方案1
7 已采纳 2012-01-03 14:53:25
Is your application server configured to set the HTTPOnly flag on the JSESSIONID cookie? 您的应用程序服务器是否配置为在JSESSIONID cookie上设置HTTPOnly标志? If so, client side code will not be able to see it 如果是这样,客户端代码将无法看到它
See https://www.owasp.org/index.php/HttpOnly 参见https://www.owasp.org/index.php/HttpOnly
It is generally good security practice to set the HTTPOnly flag - can you clarify why you want access to the JSESSIONID cookie in your client side code? 设置HTTPOnly标志通常是一种很好的安全实践-您能否阐明为什么要访问客户端代码中的JSESSIONID cookie?
解决方案2
0 2012-01-03 14:56:31
That will indeed happen if the HTTPOnly flag is set on the cookie, as explained by Chi. 如Chi所述,如果在Cookie上设置了HTTPOnly标志,则确实会发生这种情况。 If your sole purpose is to get the current session ID in JavaScript context, then you could just let JSP/EL print it as if it's a JS variable: 如果您的唯一目的是在JavaScript上下文中获取当前会话ID,则可以让JSP / EL将其打印为JS变量:
<script>var jsessionid = '${pageContext.session.id}';</script>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.