Why is jsessionid appearing in Wicket URLs when cookies are enabled?


Problem description

I notice that the first time a user visits my site the Wicket-generated URLs contain a jsessionid, rather than relying on the cookie for session information.

The cookie does get set successfully, and if the user simply reloads the page, the jsessionid is no longer appended to the URLs. You can test this out here: pixlshare.com. Hovering over any of the image links will show a URL with a jsessionid; reload the page, and the jsessionids will be removed.

From previous experience with the Wicket SEO page I know how to remove the jsessionid to hide it from bots, but employing this technique for regular users seems like a hack. It will also break the site for those people paranoid enough to have cookies disabled.

This is happening after a recent move to Tomcat from Glassfish, though I can't say for certain that that's the cause. Also, I'm using Apache's mod_proxy in front of Tomcat.

Solution

Here's what happens: the client requests a page for the first time, sending no cookies at all:

$ curl -v http://pixlshare.com/upload

The server does not know anything about client capabilities based on this request, in particular whether it supports cookies or not. Hence, to be extra safe, it sends both the cookie and the JSESSIONID encoded in the URL:

< Set-Cookie: JSESSIONID=25E7A6C27095CA1F560BCB2983BED17C; Path=/; HttpOnly
...
<a wicket:id="image1Link" href="gallery/OKfzVk;jsessionid=25E7A6C27095CA1F560BCB2983BED17C">

In other words, the servlet container defensively appends JSESSIONID to every URL, just in case the client does not support cookies.

So why does the JSESSIONID disappear on the second request? Because now the client sends the cookie in the HTTP request and the server knows that the client handles them. That being said, JSESSIONID is no longer needed.

$ curl -v -b JSESSIONID=25E7A6C27095CA1F560BCB2983BED17C http://pixlshare.com/upload
> Cookie: JSESSIONID=25E7A6C27095CA1F560BCB2983BED17C
...
<a wicket:id="image1Link" href="gallery/OKfzVk">

On the other hand, if the client does not support cookies, the server will continue to rewrite URLs.

This is not a Wicket issue, this is a Tomcat feature.


BTW (from your website JavaScript):

path = path.replace(/^C:\\fakepath\\/i, '');

What the f...ake?
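A check that can be run over captured responses to spot the behaviour the answer describes, which matters because URLs end up in logs, bookmarks and Referer headers: it lists every link carrying the session ID as a `;jsessionid=` path parameter and reports whether it matches the cookie. This is an added example, not code from the original post; `audit_response`, `LinkCollector` and `cookie_session_id` are hypothetical names, and the sample inputs are constructed from the two responses quoted in the answer.

```python
import re
from html.parser import HTMLParser

# The container appends the session ID as a path parameter, placed after
# the path and before any "?query" or "#fragment".
JSESSIONID_RE = re.compile(r";jsessionid=([^;?#/]+)", re.IGNORECASE)
URL_ATTRS = {"href", "src", "action"}


class LinkCollector(HTMLParser):
    """Collects (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value))


def cookie_session_id(set_cookie):
    """Extracts the JSESSIONID value from a Set-Cookie header, or None."""
    match = re.match(r"\s*JSESSIONID=([^;\s]+)", set_cookie or "")
    return match.group(1) if match else None


def audit_response(set_cookie, body):
    """Returns one finding per link that carries a session ID in its URL."""
    collector = LinkCollector()
    collector.feed(body)
    cookie_id = cookie_session_id(set_cookie)
    findings = []
    for tag, attr, url in collector.links:
        match = JSESSIONID_RE.search(url)
        if match:
            findings.append({
                "tag": tag, "attr": attr, "url": url,
                "clean_url": JSESSIONID_RE.sub("", url),
                "matches_cookie": match.group(1) == cookie_id,
            })
    return findings


# Constructed sample input, taken from the two responses quoted in the answer.
FIRST_COOKIE = "JSESSIONID=25E7A6C27095CA1F560BCB2983BED17C; Path=/; HttpOnly"
FIRST_BODY = '<a wicket:id="image1Link" href="gallery/OKfzVk;jsessionid=25E7A6C27095CA1F560BCB2983BED17C">'
SECOND_BODY = '<a wicket:id="image1Link" href="gallery/OKfzVk">'
```

Calling `audit_response(FIRST_COOKIE, FIRST_BODY)` returns one finding for the first, cookie-less request, while `audit_response(None, SECOND_BODY)` returns an empty list for the request that sent the cookie.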
