
Where is JSESSIONID stored? (JavaEE)

I have two applications - a Java EE web application and a Java SE applet. I want to authenticate a user in the applet by means of a JSESSIONID (which is created by the web application).

So there is a problem - how to associate this JSESSIONID with a particular user?

How to check (on the web server application side) which user is represented by such a JSESSIONID? In the applet I will be reading it from a cookie, and then I want to write a simple Servlet which will accept this JSESSIONID as a POST message. Thereafter I would like to write nothing at all in the response when the JSESSIONID is bad, and the user info if the JSESSIONID is good (i.e. is representing someone).

Does anyone know how to do this?

JSESSIONID is a low-level mechanism that you typically shouldn't care about. On the server side the servlet container transparently translates the JSESSIONID to an HttpSession object available in the servlet. The session id is passed to the server transparently as well, using the Cookie header or URL rewriting.

So if you are clicking on a link or posting an ordinary form in a webpage, the browser automatically passes the JSESSIONID cookie or attaches it to the URL.

Your design has a major flaw: secure servlet containers should add the HttpOnly attribute to the JSESSIONID cookie (see: How do you configure HttpOnly cookies in tomcat / java webapps?). This is to prevent JavaScript from reading the JSESSIONID cookie for security reasons - like hijacking a user session. Your applet might not even see that cookie!

I don't know much about applets, but I would advise you to perform the HTTP request via the web browser somehow so the security identification (cookie) is handled automatically.

The Java EE container will do most of the work for you. There are a couple of short-cuts you can take depending on which authentication method you use and the details of how the container behaves. I'll ignore those short-cuts for now. I am assuming that the user provides their information to the web application in some form - for example by logging in.

When the user logs in, create a session (if one does not already exist) and add their user name (and any other details you like) to the session as session attributes.

When a request comes in that already has a session, just retrieve the user details from the session. The container takes care of mapping the session ID in the request to the right session object and making that available to the request.

If the session ID is invalid, the container will not associate a session object with the request.

One final thing to watch out for is HttpOnly cookies. Containers should be using these by default for session IDs (to protect against XSS attacks). For the session ID to be available to the applet you'll need to disable the HttpOnly protection for the session cookies. This means that if your application has an XSS vulnerability it will be easy for an attacker to steal user session cookies.
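As an added example (not code from either answer above): a servlet that stores the logged-in user in the HttpSession and, on a later request, returns that user only when the container recognised a valid session. The URL pattern, the "username" attribute name and the use of the container's realm via req.login() are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// POST /session-user -> log in against the container realm, store the user in the session.
// GET  /session-user -> return the stored user, or an empty 401 if the session is bad.
@WebServlet("/session-user")   // URL pattern is an assumption
public class SessionUserServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Servlet 3.0: authenticate against the realm configured in the container
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException badCredentials) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Create the session if it does not exist yet, then rotate its ID so a
        // JSESSIONID handed out before login cannot be reused (session fixation).
        HttpSession session = req.getSession(true);
        req.changeSessionId();                       // Servlet 3.1+
        session.setAttribute("username", req.getRemoteUser());
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false) never creates a session: it is null when the request
        // carried no JSESSIONID, an unknown one, or an expired one. The container
        // did the lookup from the Cookie header or the URL; this code never parses
        // the ID itself.
        HttpSession session = req.getSession(false);
        Object user = session == null ? null : session.getAttribute("username");
        if (user == null) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);   // empty body
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().print(user);
    }
}
```

A client such as the applet must send the ID where the container reads it, in a `Cookie: JSESSIONID=...` header or in the URL's `;jsessionid=` form; an ID posted only as a form parameter is not mapped to any session.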
