In Java servlet, cookie.getMaxAge() always returns -1


Problem description

If I set a cookie with a setMaxAge() well into the future, when I read the cookie back into memory in a subsequent request, the getMaxAge() gives me back a -1. I have checked the actual cookie via Chrome's settings, and inspector, and I can verify that the expiration date is indeed set 60 days in the future.

static public void setHttpCookie(HttpServletResponse response, String payload) {
    Cookie c = new Cookie(COOKIE_NAME, payload);
    c.setMaxAge(60*86400); // expire sixty days in the future
    c.setPath("/"); // this cookie is good everywhere on the site
    response.addCookie(c);
}

static public String checkForCookie(HttpServletRequest req) {
    Cookie[] cookies = req.getCookies();
    if ( cookies != null ) {
        for ( Cookie c : cookies ) {
            if ( COOKIE_NAME.equals(c.getName()) ) {
                int maxAge = c.getMaxAge();
                logger.debug("Read back cookie and it had maxAge of {}.", maxAge);
                String payload = c.getValue();
                return payload;
            }
        }
    }
    return null;
}

Why does c.getMaxAge() always return -1?

Recommended answer

The browser does not send cookie attributes like path and age back. It only sends the name and the value back. If the max age is expired, then the browser won't send the cookie anyway. If the path is not covered by request URI, then the browser won't send the cookie anyway.

If you really need to determine the cookie's age after you have set the cookie, then you should remember it yourself elsewhere at the moment you've set the cookie, such as in a database table, associated with the logged-in user and cookie name, for example.

This problem is unrelated to Java/Servlets. It's just how HTTP cookies are specified. You'd have exactly the same problem in other web programming languages. See also the following extract from Wikipedia (emphasis mine).

Cookie attributes

Besides the name–value pair, servers can also set these cookie attributes: a cookie domain, a path, expiration time or maximum age, Secure flag and HttpOnly flag. Browsers will not send cookie attributes back to the server. They will only send the cookie’s name-value pair. Cookie attributes are used by browsers to determine when to delete a cookie, block a cookie or whether to send a cookie (name-value pair) to the servers.

The best you can possibly do is to bump the cookie's max age every time during e.g. login. You can easily achieve this by setting exactly the same cookie once more (especially exactly the same domain/path/name). It will overwrite the existing cookie. This is usually done that way on so-called "Remember me" cookies.
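
One way to keep the expiry on the server, as the answer suggests, so the remaining lifetime no longer depends on what the browser sends back. This is an added example, not code from the question or the answer. It assumes the javax.servlet API, a hypothetical class name TrackedCookie and cookie name, an in-memory map standing in for the database table, and a payload that is unique per user.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: the server records the expiry itself when it sets the cookie. */
public final class TrackedCookie {
    static final String COOKIE_NAME = "remember";         // assumed name
    static final Duration LIFETIME = Duration.ofDays(60); // same sixty days as the question

    // Stand-in for a database table (assumption): payload -> expiry instant.
    private static final Map<String, Instant> EXPIRY = new ConcurrentHashMap<>();

    private TrackedCookie() {}

    /**
     * Sets the cookie and records its expiry. Calling this again with the same
     * name and path overwrites the browser's copy, which bumps its max age.
     */
    public static void setHttpCookie(HttpServletResponse response, String payload) {
        Cookie c = new Cookie(COOKIE_NAME, payload);
        c.setMaxAge((int) LIFETIME.getSeconds());
        c.setPath("/");
        response.addCookie(c);
        EXPIRY.put(payload, Instant.now().plus(LIFETIME));
    }

    /**
     * Remaining lifetime in seconds according to the server-side record,
     * or -1 if the cookie is absent, unknown to the server, or already expired.
     */
    public static long remainingSeconds(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return -1;
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            Instant expiry = EXPIRY.get(c.getValue()); // the request carries only name=value
            if (expiry == null) return -1;
            long left = Duration.between(Instant.now(), expiry).getSeconds();
            if (left <= 0) { EXPIRY.remove(c.getValue()); return -1; }
            return left;
        }
        return -1;
    }
}
```

Because the lookup is keyed on the value the browser returns, a cookie the server has no record of is treated the same as an expired one.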
