HTTPS login not saving the JSESSIONID in a cookie


Problem description


We recently changed our login to use HTTPS, and we are experiencing issues with the login.

After the login, the user is redirected to an unencrypted (HTTP) page. When it reaches this page, the site checks if the user is logged in. It creates a new session and it appears that the user is not logged in, and thus our user is redirected to the login page. If the user logs in again, it will work.

The cookies are not set as https-only, but it seems like they don't work on http pages.

Does anyone know why this might be happening?

Edit:

I should have mentioned that the page that displays the login is on a different URL. (There is a login page from the machine running the tomcat instance, but the marketing site is on a wordpress install and uses a different domain).

I can't use the HTTP request first method to set the cookie, because the default Internet Explorer settings prevent the session cookie from being saved.

Solution

We have this problem with our app. We wanted a similar behavior of logging in via https, then redirecting to an http page.

The issue is that when Tomcat creates the session under https, it creates a secure cookie which can't be read in http. Note that this keeps getting filed as a bug in Tomcat and getting marked as "not a bug".

The solution we ended up with is based on the message in this forum: http://forum.java.sun.com/thread.jspa?threadID=197150&start=0

Quoting from the forum thread: "One way to maintain the session in Tomcat, when the session cookie is getting created in SSL mode is to trick the browser by creating the non-secure cookie, when the secure cookie is getting created." This is accomplished via a filter that wraps the request and overrides request.getSession(). It's worked very well for us.

As a side note, redirecting from an https to http page will pop up a warning message in some versions of Internet Explorer: "You are about to be redirected to a connection that is not secure." The only way we found to avoid this is to have the redirection be done with a meta refresh tag. Specifically, return a blank page from the original https request with a meta tag that refreshes to an http page. This avoids the warning message at the expense of making the code slightly more convoluted.

(I just noticed some of the advice here is a repeat of an earlier answer -- I apologize, but will post anyways since it is from direct experience).

Edit: I see in your comments you have two domains, which complicates the use of cookies. Can you use a proxy or web server such as Apache to present just one domain to the end users?
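Added example (not part of the original question or answer): a small Python model of client cookie handling, using the standard library's `http.cookiejar`, that shows which `Cookie` header follows an HTTPS login in the cases discussed above: a `Secure` JSESSIONID, a copy without `Secure` (which therefore travels in cleartext over http), and a second domain. The host names and session id are constructed placeholders.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends, never replaces

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie, login_url, next_url):
    """Return the Cookie header a client sends to next_url after login_url
    answered with the given Set-Cookie value (None if nothing is sent)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse([set_cookie]), urllib.request.Request(login_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


# Constructed sample values: hosts and session id are placeholders.
SECURE = "JSESSIONID=CONSTRUCTED123; Path=/; Secure; HttpOnly"
PLAIN = "JSESSIONID=CONSTRUCTED123; Path=/; HttpOnly"
LOGIN = "https://app.example.test/login"


def scenarios():
    """Map each case from the thread to the Cookie header that results."""
    return {
        "Secure cookie, https follow-up": cookie_header_sent(SECURE, LOGIN, "https://app.example.test/home"),
        "Secure cookie, http follow-up": cookie_header_sent(SECURE, LOGIN, "http://app.example.test/home"),
        "non-Secure cookie, http follow-up": cookie_header_sent(PLAIN, LOGIN, "http://app.example.test/home"),
        "non-Secure cookie, other domain": cookie_header_sent(PLAIN, LOGIN, "http://www.marketing.example.test/"),
    }


if __name__ == "__main__":
    for name, header in scenarios().items():
        print(f"{name:36} -> {header}")
```

The second case is the redirect loop from the question: the http page receives no JSESSIONID, so the server starts a new session. The last case shows why the two-domain setup fails regardless of the `Secure` flag.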
