Cookie maxAge always -1


Problem description

I am currently implementing an "auto login" mechanism in JSF. A filter is implemented to intercept each request, and check if a user is logged in by reading cookies.

When a user first logs in, in the managed bean, the cookie is saved in this way:

HttpServletResponse response = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
Cookie cookie = new Cookie("myCookieRef", value);
cookie.setPath("/");
cookie.setMaxAge(3600);
response.addCookie(cookie);

Later if the user performs a redirection, in the filter, I use the following code to retrieve the cookie:

Cookie[] cookies = request.getCookies();
if (cookies != null) 
{
   for (Cookie cookie : cookies)
   {
       if (name.equals("myCookieRef")) 
       {
          return cookie;
       }
    }
}

request is the HttpServletRequest object.

The problem is the returned cookie always has a -1 maxAge and null value.

I don't know if I missed anything when adding the cookie, or should I specify some additional attributes for the cookie?

Many thanks.

Solution

The client doesn't send cookie attributes other than name and value back to the server.

See also RFC6265 section 4.2.2 (emphasis mine).

4.2.2. Semantics

Each cookie-pair represents a cookie stored by the user agent. The cookie-pair contains the cookie-name and cookie-value the user agent received in the Set-Cookie header.

Notice that the cookie attributes are not returned. In particular, the server cannot determine from the Cookie header alone when a cookie will expire, for which hosts the cookie is valid, for which paths the cookie is valid, or whether the cookie was set with the Secure or HttpOnly attributes.

Max age is behaving as specified. Moreover, if it has expired on the client side, then the entire cookie just won't be sent from client to server. On the server side, you usually just prolong the cookie's lifetime on every "auto-login" by simply setting a new cookie with the same name/value, and check in requests without a logged-in user whether the cookie is present or not, not whether it is expired or not.

If the max age value is really important to you for other reasons, just store it on your side in some database along with the unique cookie identifier (the cookie value).

As to the null value, this indicates a problem in your own code, not in the cookie. This problem is not visible in the information provided so far, but I'm sure if you check/debug it once again, you'll discover a simple mistake.

As to the concrete functional requirement of "auto login", this might be a helpful read: How to implement "Stay Logged In" when user login in to the web application.
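
The advice in the answer above, as an added example that is not code from the original question or answer: a hypothetical `AutoLoginTokens` helper that keeps the expiry on the server, keyed by the cookie value, and resends the cookie on every auto-login. It assumes Java 16+, the `javax.servlet` API (Servlet 3.0+), a site served over HTTPS, and an in-memory map standing in for the database.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper (not from the original post): the expiry is tracked server-side.
public final class AutoLoginTokens {
    private static final String COOKIE_NAME = "myCookieRef"; // name used in the question
    private static final int MAX_AGE_SECONDS = 3600;         // lifetime used in the question
    // Stand-in for the database the answer mentions: cookie value -> user id and expiry.
    private record Entry(String userId, Instant expiresAt) {}
    private static final ConcurrentHashMap<String, Entry> STORE = new ConcurrentHashMap<>();

    // After a successful login: issue an unguessable token and record when it expires.
    public static void issue(String userId, HttpServletResponse response) {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        send(token, userId, response);
    }

    // In the filter: returns the user id, or null when no valid token was presented.
    public static String resolve(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
        for (Cookie cookie : cookies == null ? new Cookie[0] : cookies) {
            if (!COOKIE_NAME.equals(cookie.getName())) continue;
            // cookie.getMaxAge() is -1 here: the Cookie header carries only name=value.
            String token = cookie.getValue();
            Entry entry = (token == null) ? null : STORE.get(token);
            if (entry == null || entry.expiresAt().isBefore(Instant.now())) {
                if (token != null) STORE.remove(token); // unknown, or expired per our record
                return null;
            }
            send(token, entry.userId(), response); // prolong on every auto-login
            return entry.userId();
        }
        return null;
    }

    // Stores the new expiry and (re)sends the cookie with the same name and value.
    private static void send(String token, String userId, HttpServletResponse response) {
        STORE.put(token, new Entry(userId, Instant.now().plusSeconds(MAX_AGE_SECONDS)));
        Cookie cookie = new Cookie(COOKIE_NAME, token);
        cookie.setPath("/");
        cookie.setMaxAge(MAX_AGE_SECONDS);
        cookie.setHttpOnly(true); // attributes go out in Set-Cookie only, never come back
        cookie.setSecure(true);   // assumes HTTPS
        response.addCookie(cookie);
    }
}
```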
