URL中出现JSESSIONID后,我的Web应用程序停止工作 [英] My web application stop working after JSESSIONID appear in URL
问题描述
我有一个运行在Apache Tomcat 7中并使用Struts2的Web应用程序.我的登录系统是通过在会话中放置一个User对象制成的:
I have a web application running in Apache Tomcat 7 and using Struts2. My login system is made by putting a User object in a session:
(请绕开"if"和"try"以明确说明.)
( bypassing "if" and "try" to be clear..)
UserService es = new UserService();
User user = es.login(username, password);
ActionContext.getContext().getSession().put("loggedUser", user);
然后,我尝试从Interceptor中的该会话中获取一个User对象.如果一切正常,则记录了某人.如果不是,请通过返回struts.xml中的Struts2全局结果捕获的"notLog"来进入登录页面:
And then, I try to get a User object from that session in a Interceptor. If ok, then someone is logged. If not, go to login page by returning "notLogged" that will be catch by Struts2 global-results in struts.xml :
public String intercept(ActionInvocation invocation) {
User loggedUser = (User)invocation.getInvocationContext().getSession().get("loggedUser");
if (loggedUser == null) {
return "notLogged";
}
try {
return invocation.invoke();
} catch ( Exception ignored ) {
return "notLogged";
}
}
struts.xml
struts.xml
<global-results>
<result name="notLogged">/index.jsp</result>
</global-results>
一切都很顺利,直到服务器管理员进行一些维护并且"jsessionid"开始出现在URL中.此后,我将无法再浏览系统(直到将ID复制并粘贴到我要访问的每个URL中.无法形成操作目标).我仍然可以登录,并且看到User对象仍在捕获中,但是如果没有该ID,我将无法前往任何目的地.
All was very well, until the server admin do some maintenance and the "jsessionid" starts to appear in URL. After this, I can't navigate my system anymore (until I copy and paste this ID in every URL I want to go. no way to form action destinations). I still be able to login and I see the User object still be catching, but I can't go to any destination without this ID.
我尝试了此操作: https://fralef.me/tomcat-disable-jsessionid-in-url.html ,然后在我的web.xml的 tracking-mode 标记中放入 COOKIE ,但是事情变得更糟了,因为现在我无法甚至登录.
I tried this: https://fralef.me/tomcat-disable-jsessionid-in-url.html, and put COOKIE in tracking-mode tag in my web.xml but the things goes worst because now I can't do even a login.
发生了什么,我该怎么做才能解决此问题并使系统恢复正常工作?
What was happened, what can I do to solve this and put my system back to work?
推荐答案
这显然是由Cookie路径不匹配引起的.
This is apparently caused by cookie path mismatch.
仅当请求URL路径与Cookie路径匹配时,浏览器才会发回Cookie.
Browser will only send back the cookie if the request URL path matches the cookie path, e.g.
cookie path : /abc
request path: /abc/xyz // match
request path: /xyz // no match
默认情况下,Tomcat将会话cookie路径设置为Web应用程序路径,这样就不会将cookie发送到其他Web应用程序.但是,在您的情况下,中间件会更改请求URL路径,因此浏览器会观察到其他路径,从而导致Cookie路径不匹配.
By default, Tomcat set the session cookie path as the web app path, so that the cookie will not be sent to other web apps. However, in your case, the middleware changes the request URL path, therefore the browser observes a different path, causing cookie path mismatch.
在大多数情况下,我建议将cookie路径设置为"/",以使其与对服务器的所有请求相匹配(假设Tomcat上只有一个应用程序)
In most cases, I'd recommend to set cookie path to "/", so that it matches all requests to the server (assuming there's only one app on Tomcat)
// context.xml
<Context sessionCookiePath="/">
这篇关于URL中出现JSESSIONID后,我的Web应用程序停止工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
