在HTTP和HTTPS之间切换时,JSessionID会被覆盖。如何解决? [英] JSessionID is overwritten when switching between HTTP and HTTPS. How to solve?
问题描述
我们有以下情况:
-
前往 http ://网站/并点击指向 http :// website / appX
的链接。检查Cookie是否显示带有secure = NO的JSessionID。
Go to http://website/ and click on a link to http://website/appX
Check that the cookie shows JSessionID with secure = NO.
打开另一个浏览器窗口或标签页,然后转到 https ://网站/,然后点击指向 https :// website / appY的链接。
检查cookie是否显示带有secure = YES的JSessionID。
Open another browser window or tab and go to https://website/ and click on a link to https://website/appY.
Check that the cookie shows JSessionID with secure = YES.
尝试与步骤1中创建的窗口/
Try to interact with the window/tab created in step 1. I'm getting a session expired...
如果我们重复这些步骤,但使用 https :// website / appX而不是 https :// website / appY,则JSessionID cookie保持为Secure = NO。
If we repeat the steps but use https://website/appX instead of https://website/appY in step2, then the JSessionID cookie remains with Secure=NO.
所有cookie都有JSessionId,最后添加jvmRoute。
All cookies have JSessionId with jvmRoute appended in the end.
-
我们正在使用:
Apache(2.2.3-43.el5_5.3)+ mod_jk(w /粘性会话)和负载均衡器配置到几个JBoss实例(v 4.3.0)。
Apache (2.2.3-43.el5_5.3) + mod_jk (w/ sticky sessions) and load balancer configured to several JBoss instances (v 4.3.0).
我发现只有一个链接与完全相同的问题(通常其他人都使用PHP):
http://threebit.net/mail-archive/tomcat-users/msg17687.html
I have found only a link with the exact same issue (normally the other ones are using PHP): http://threebit.net/mail-archive/tomcat-users/msg17687.html
问:我们如何
推荐答案
在deploy / jboss中,在连接器配置(对于JBoss中的Tomcat捆绑版本) web.deployer / server.xml,有一个 emptySessionPath 属性,用于控制是否在上下文路径上设置会话cookie。
In the connector configuration (for Tomcat's bundled version in JBoss) in deploy/jboss-web.deployer/server.xml, there's an emptySessionPath attribute that controls whether the session cookie is set on the context path or not.
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
如果将此值设置为false,则每个应用程序都有一个cookie,
If you set this to false, you'll have one cookie per application, which prevents the problem from happening.
这篇关于在HTTP和HTTPS之间切换时,JSessionID会被覆盖。如何解决?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
