Apache Tomcat 7 Changing JSESSIONID on Every Request

Views: 1015

Question

This issue is driving me insane, so maybe someone could help me understand what the issue is. I have a tomcat web application being fronted by HAProxy. HAProxy is also doing SSL offloading, and is configured to use sticky sessions. I am using Tomcat's session replication feature which seems to be working just fine. The sessions appear on both appservers.

For some reason, Tomcat is generating a new JSESSIONID for every single web request, and then copying the contents of the old session into the new session. That is to say, my session contents are still there within the new session, but a new ID is generated and sent back to the client. But it only does this for my web application. It does not do this for the /manager application.

I have tried every trick in the book, such as setting this in my context.xml:

<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" />

And setting these attributes on my Context element:

<Context path="/myapp" reloadable="false" override="true" useNaming="false" allowLinking="true" useHttpOnly="false" sessionCookiePath="/" sessionCookiePathUsesTrailingSlash="false">

And still, the result is the same. Tomcat generates a new session id with every request and copies the contents of the old session into the new id.

I would suspect it had something to do with HAProxy, except that the /manager application is also behind HAProxy and it does not exhibit this behavior.

Why is Tomcat doing this, and what can I do to prevent it?

Accepted answer

Turns out that it was caused by Spring Security. We are using Spring Security 3.1x, and by default it stores the authenticated credentials in the user's session. And to counter session fixation attacks, it automatically copies the contents of the user's session to a new session id and invalidates the old session.

The fix was to add the following to the http element in the security configuration, since we don't need to use the session in our application:

create-session="stateless"

Hopefully this helps someone else down the line.
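For readers who want to see where `create-session="stateless"` goes, the following Spring Security 3.1 namespace configuration is an added example (it is not from the original question or answer, and the URL pattern, the `<http-basic />` choice and the `spring-security-3.1.xsd` schema location are assumptions, not values taken from the poster's project). It shows the default, session-backed `<http>` block that triggers the session-fixation migration described in the answer beside the stateless variant the answer recommends.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- BEFORE (assumed configuration, not the poster's): create-session defaults to
         "ifRequired", so Spring Security stores the SecurityContext in the HttpSession.
         Session fixation protection defaults to "migrateSession": every time a request
         authenticates (HTTP Basic sends credentials on each request), the session contents
         are copied into a fresh session and the old JSESSIONID is invalidated. -->
    <!--
    <http use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <http-basic />
    </http>
    -->

    <!-- AFTER: the fix from the accepted answer. With create-session="stateless"
         Spring Security never creates or reads an HttpSession, so there is nothing
         to migrate and the JSESSIONID cookie stops changing. Each request must carry
         its own credentials (here via HTTP Basic); form login or "remember me" features
         that rely on the session will not work in this mode. -->
    <http create-session="stateless" use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <http-basic />
    </http>

    <!-- Placeholder in-memory user store so the example is self-contained; replace with
         the application's real authentication provider. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="demo-user" password="PLACEHOLDER-PASSWORD" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

If the application does need the HttpSession (for example it keeps shopping-cart state there), keep the default `create-session="ifRequired"` and the default `migrateSession` protection; the per-request ID rotation then only happens because each request re-authenticates, which points to the real question of why the authenticated SecurityContext is not being reused from the session (typically a cookie that is not reaching Tomcat unchanged through the proxy). Turning protection off with `<session-management session-fixation-protection="none" />` stops the rotation too, but reopens the session fixation issue the feature exists to prevent, so it is not a recommended fix.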
