Is the behaviour of Java Cookie.setMaxAge(0) down to implementation or is there a specification?

I have a web application running on an old modified Tomcat installation. In order to delete a session cookie after logout, I have the following code:

Cookie sessionCookie = new Cookie("session",null);
sessionCookie.setMaxAge(0);
response.addCookie(sessionCookie);

In my web application, I have a problem in that it is returning the current time as the expires portion of the cookie:

Set-Cookie: sesssion=null; Expires=Sat, 18-Feb-2012 18:04:52 GMT

The problem is it only takes a client's PC to be a little behind the server for it to carry on sending the cookie!

However, in Tomcat 5.5, it returns:

Set-Cookie: session=null; Expires=Thu, 01-Jan-1970 00:00:10 GMT

Which is the more desired behaviour.

My question is: are both correct? Is there any official guide on how this should be implemented? The documentation just states:

A zero value causes the cookie to be deleted.

Perhaps I will have to add the Set-Cookie: header myself to get around this behaviour?

It seems there is nothing in the specification very specific about the implementation of that method.

However, you should never rely on cookies being immediately deleted by the browser; you shouldn't even rely on the browser deleting the cookie at all, since from the server you don't have control over the client behavior at all.

What are you storing in that cookie? Could you simply use the session already managed by the container?

When you invalidate a Session on the server, even if the cookie stays on the browser it won't matter since it will be invalidated server side and the session ID in the cookie will not match an existing session anymore, and the objects that were bound to that session will be destroyed.

The browser will expire a cookie if the expire time <= current time.

If you're doing it manually, most people would return 0 epoch (which is what you're seeing with Tomcat 5.5) or at the very least the current time minus some amount of time to account for clock drift. That being said, you can never account for an end user's computer's clock being completely hosed.

Even Tomcat 5.5 is old software. Its EOL is September of this year (2012). It sounds like your problem is that you're running an ancient version of Tomcat (or Java) which hasn't been upgraded or maintained. Occasionally you do have to upgrade things.
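
The two answers above combined into one logout routine, as an added example that is not code from the original posts: it invalidates the container-managed session and writes the Set-Cookie header by hand with Max-Age=0 and a fixed epoch Expires, so deletion does not depend on the server's current time. The class name LogoutHelper, the path "/" and the use of the javax.servlet API are assumptions; the cookie name session is taken from the question.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class LogoutHelper { // hypothetical class name

    // Fixed past date in RFC 1123 form. Unlike "now", it stays in the past
    // even when the client's clock runs behind the server's.
    private static final String EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT";

    private LogoutHelper() { }

    /** Builds a Set-Cookie header value that expires the named cookie. */
    static String expiredCookieHeader(String name, String path) {
        // Allow-list both parts so CR/LF or ';' can never reach the header.
        if (name == null || !name.matches("[A-Za-z0-9_.-]+")) {
            throw new IllegalArgumentException("unsafe cookie name");
        }
        if (path == null || !path.matches("/[A-Za-z0-9_./-]*")) {
            throw new IllegalArgumentException("unsafe cookie path");
        }
        // Max-Age=0 is relative to the moment the client receives it, so it
        // is immune to clock skew; Expires covers clients that ignore Max-Age.
        return name + "=; Path=" + path + "; Max-Age=0; Expires=" + EPOCH;
    }

    public static void logout(HttpServletRequest request,
                              HttpServletResponse response) {
        // 1. Kill the session on the server first. After this, a cookie the
        //    browser keeps sending no longer maps to any session.
        HttpSession session = request.getSession(false); // do not create one
        if (session != null) {
            session.invalidate();
        }
        // If "session" is an application-managed token rather than the
        // container's session id, revoke it in the application's store here.

        // 2. Ask the browser to drop the cookie. The Path (assumed "/") must
        //    match the one used when the cookie was set, or the original
        //    cookie is left in place.
        response.addHeader("Set-Cookie", expiredCookieHeader("session", "/"));
    }
}
```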
