Where is JSESSIONID stored? (JavaEE)

Views: 56

Problem description

I have two applications - a Java EE web application and a Java SE applet. I want to authenticate a user in the applet by means of a JSESSIONID (which is created by the web application).

So there is a problem - how to associate this JSESSIONID with a particular user?

How to check (on the web server application side) which user is represented by such a JSESSIONID? In the applet I will be reading it from a cookie, and then I want to write a simple Servlet which will accept this JSESSIONID as a POST message. Thereafter I would like to write nothing at all in the response when the JSESSIONID is bad, and the user info if the JSESSIONID is good (i.e. is representing someone).

Does anyone know how to do this?

Recommended answer

JSESSIONID is a low-level mechanism that you typically shouldn't care about. On the server side the servlet container transparently translates the JSESSIONID to an HttpSession object available in the servlet. The session id is passed to the server transparently as well, using the Cookie header or URL rewriting.

So if you are clicking on a link or posting an ordinary form in a webpage, the browser automatically passes the JSESSIONID cookie or attaches it to the URL.

Your design has a major flaw: secure servlet containers should add the HttpOnly attribute to the JSESSIONID cookie (see: How do you configure HttpOnly cookies in tomcat / java webapps?). This is to prevent JavaScript from reading the JSESSIONID cookie for security reasons - like hijacking a user session. Your applet might not even see that cookie!

I don't know much about applets, but I would advise you to perform the HTTP request via the web browser somehow so the security identification (cookie) is handled automatically.
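An added example (not code from the question or the answer) of the approach the answer recommends: let the container resolve the session from the Cookie header or rewritten URL instead of accepting a raw JSESSIONID in a POST body, and mark the session cookie HttpOnly through the Servlet 3.0 `SessionCookieConfig` API. The `/whoami` path, the listener and the `"user"` session attribute are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical listener: harden the container-issued JSESSIONID cookie once,
// at deployment, so scripts cannot read it and it only travels over TLS.
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);   // not readable from JavaScript
        cfg.setSecure(true);     // never sent over plain HTTP
    }
}

// Hypothetical servlet answering "who am I?": the caller sends nothing but the
// cookie the browser already holds; the container maps it to the HttpSession.
@WebServlet("/whoami")
class WhoAmIServlet extends HttpServlet {
    // Attribute the (assumed) login step stores the authenticated user under.
    static final String USER_ATTR = "user";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) never creates a session: an unknown, expired or
        // forged id yields null instead of silently minting an empty session.
        HttpSession session = req.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            // Bad or anonymous session: status only, empty body, as the asker wanted.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().print(user);
    }
}
```

Because the session id never appears in a request body or applet code, no component other than the browser and the container ever handles it directly.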

