multiple stateful iframes per page will overwrite JSESSIONID?


Question


Looking for someone to either confirm or refute my theory that deploying two iframes pointing to two different stateful pages on the same domain can lead to JSESSIONIDs being overwritten. Here's what I mean:

Setup

  1. suppose you have two pages that require HttpSession state (session affinity) to function correctly - deployed at http://www.foo.com/page1 and http://www.foo.com/page2
  2. assume www.foo.com is a single host running a Tomcat (6.0.20, fwiw) that uses JSESSIONID for session ids.
  3. suppose these pages are turned into two iframe widgets to be embedded on 3rd party sites: `<iframe src="http://www.site.com/page1" />` (and /page2 respectively)
  4. suppose there is a 3rd party site that wishes to place both widgets on the same page at http://www.bar.com/foowidgets.html

Can the following race happen?

  1. a new visitor goes to http://www.bar.com/foowidgets.html
  2. browser starts loading URLs in foowidgets.html including the two iframe 'src' URLs
  3. because browsers open multiple concurrent connections against the same host (afaik up to 6 in chrome/ff case) the browser happens to simultaneously issue requests for http://www.foo.com/page1 and http://www.foo.com/page2
  4. The tomcat @ foo.com receives both requests at about the same time, calls getSession() for the first time (on two different threads) and lazily creates two HttpSessions and, thus, two JSESSIONIDs, with values $Page1 and $Page2. The requests also stuff data into respective sessions (that data will be required to process subsequent requests)
  5. assume that the browser first receives response to the page1 request. Browser sets cookie JSESSIONID=$Page1 for HOST www.foo.com
  6. next response to the page2 request is received and the browser overwrites cookie JSESSIONID for HOST www.foo.com with $Page2
  7. user clicks on something in 'page1' iframe on foowidgets.html; browser issues 2nd request to http://www.foo.com/page1?action=doSomethingStateful. That request carries JSESSIONID=$Page2 (and not $Page1 - because cookie value was overwritten)
  8. when foo.com receives this request it looks up the wrong HttpSession instance (because JSESSIONID key is $Page2 and NOT $Page1). Foobar!

Can the above happen? I think so, but would appreciate a confirmation.

If the above is clearly possible, what are some solutions given that we'd like to support multiple iframes per page? We don't have a firm need for the iframes to share the same HttpSession, though that would be nice. In the event that the solution will still stipulate a separate HttpSession per iframe, it is - of course - mandatory that iframe 1 does not end up referencing the HttpSession state of iframe 2 instead of its own.

What I can think of:

  1. map page1 and page2 to different domains (operational overhead)
  2. use URL rewriting, never cookies (better analytics efficiency)
  3. anything else?

thanks a lot, -nikita

Answer

TL;DR The scenario is correct and one session overrides the other and both pages share the session; but it doesn't matter.

In the example above, you have two near-simultaneous stateless anonymous requests.

In other words, there is absolutely nothing unique about the request; two generic pages will be returned. Both these pages would have new JSESSIONIDs, not because of the race, but because the requests themselves are anonymous and therefore essentially ask Tomcat to create new sessions.

Let's assume that page2 won the JSESSIONID speed contest and the browser now has the page2 cookie. Then the user clicks on an action in page1. I think you're correct that the request will come labelled with the page2 cookie.

So what?

Page1 cannot have any session-related information in it, and therefore no user-specific information. The actions from it can therefore have no session-related state (the state was just created). If there is no specific session-related state, then there is no issue with it coming with the 'wrong' JSESSIONID.

Looking at it in another way: if the request for page2 had been completely processed before the request for page1, in what way would page1 be different? I can't see any differences. If there are no differences in the returned HTML in the two scenarios, then it doesn't matter that its JSESSIONID is swapped.

OTOH, if the user has already visited bar.com, then the requests for both page1 and page2 will be associated with the same JSESSIONID, the pages that are returned are correct and all is good in the world of foo.com.

One issue: if you have CSRF protection switched on. CSRF libraries modify all URLs in the returned page to include an extra parameter. The CSRF protection library checks that every incoming request's security token matches the JSESSIONID. If page1 uses the cookie for page2, the CSRF protection would reject the request as forged.

If you have to have one session per iframe: Use URL rewriting. This was originally designed for managing sessions when the browser doesn't accept cookies. It works well but the URLs look nasty.
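As an added example (not code from either poster, and not Tomcat's own session manager), the following toy model walks through the eight steps of the question's race, the answer's "returning visitor" case, the answer's remark about a CSRF token bound to the session, and the URL-rewriting remedy. `SessionStore` stands in for Tomcat's lazy `getSession()` behaviour, `Browser` for a cookie jar in which a later `Set-Cookie` overwrites an earlier one, and `CSRF_KEY` is a placeholder secret; all of those are assumptions made for the demo.

```python
"""Toy model of the JSESSIONID overwrite race from the question and of the
remedies mentioned in the answer. Constructed example: Browser and SessionStore
are stand-ins for a real cookie jar and for Tomcat's session manager."""
import hashlib
import hmac
import secrets

HOST = "www.foo.com"
# Placeholder secret for the demo; a real CSRF filter would use its own random key.
CSRF_KEY = b"constructed-demo-key"


class SessionStore:
    """Server-side sessions created lazily, like HttpServletRequest.getSession()."""

    def __init__(self):
        self.sessions = {}

    def get_or_create(self, session_id):
        if session_id in self.sessions:
            return session_id, self.sessions[session_id]
        new_id = secrets.token_hex(8)  # fresh JSESSIONID for an anonymous request
        self.sessions[new_id] = {}
        return new_id, self.sessions[new_id]


class Browser:
    """One cookie jar keyed by (host, name): a later Set-Cookie for the same name overwrites."""

    def __init__(self):
        self.cookies = {}

    def apply_set_cookie(self, host, name, value):
        self.cookies[(host, name)] = value

    def cookie(self, host, name):
        return self.cookies.get((host, name))


def csrf_token(session_id):
    """Token bound to the session id, in the spirit of the CSRF libraries the answer mentions."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def serve(store, page, session_id):
    """GET /pageN: lazily create the session and stuff page-specific state into it (step 4)."""
    sid, session = store.get_or_create(session_id)
    session.setdefault("owner", page)
    return {"set_cookie": sid, "token": csrf_token(sid), "page": page}


def act(store, session_id, token=None):
    """/pageN?action=doSomethingStateful: report which page's state the session holds."""
    sid, session = store.get_or_create(session_id)
    if token is not None and not hmac.compare_digest(token, csrf_token(sid)):
        return "rejected: CSRF token does not match the session"
    return session.get("owner")


def cookie_race():
    """Steps 1-8 of the question: page2's Set-Cookie wins, page1's click lands in page2's session."""
    store, browser = SessionStore(), Browser()
    r1 = serve(store, "page1", browser.cookie(HOST, "JSESSIONID"))  # no cookie yet
    r2 = serve(store, "page2", browser.cookie(HOST, "JSESSIONID"))  # still no cookie
    browser.apply_set_cookie(HOST, "JSESSIONID", r1["set_cookie"])  # step 5
    browser.apply_set_cookie(HOST, "JSESSIONID", r2["set_cookie"])  # step 6: overwritten
    sid = browser.cookie(HOST, "JSESSIONID")
    owner = act(store, sid)                       # step 7/8: wrong session
    guarded = act(store, sid, token=r1["token"])  # same click, with page1's CSRF token
    return owner, guarded


def returning_visitor():
    """The answer's 'OTOH' case: an existing cookie means both requests share one session."""
    store, browser = SessionStore(), Browser()
    browser.apply_set_cookie(HOST, "JSESSIONID", serve(store, "page0", None)["set_cookie"])
    r1 = serve(store, "page1", browser.cookie(HOST, "JSESSIONID"))
    r2 = serve(store, "page2", browser.cookie(HOST, "JSESSIONID"))
    return r1["set_cookie"] == r2["set_cookie"]


def url_rewriting():
    """Answer's remedy: each iframe carries its own id in its URLs; the cookie is never consulted."""
    store = SessionStore()
    r1 = serve(store, "page1", None)
    r2 = serve(store, "page2", None)
    links = [f"/page1;jsessionid={r1['set_cookie']}", f"/page2;jsessionid={r2['set_cookie']}"]
    return tuple(act(store, link.split(";jsessionid=", 1)[1]) for link in links)


if __name__ == "__main__":
    print(cookie_race())        # ('page2', 'rejected: ...')
    print(returning_visitor())  # True
    print(url_rewriting())      # ('page1', 'page2')
```

`cookie_race()` reproduces the mix-up (the page1 click resolves to page2's session) and shows why a session-bound CSRF token turns the silent mix-up into a rejected request, which is the detectable failure the answer describes; `url_rewriting()` shows that once each iframe's id travels in its own URLs, the shared cookie no longer decides which session a click reaches.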
