Servlet session without cookies + ajax requests that only return JSON


Question

Here's my situation, I have a web site that I just load using Apache HTTPD that then makes Ajax POST requests to a servlet which returns only JSON data. That JSON data is then used to update tables, etc.

Now I want to add user logic to my site, and also maintain servlet sessions for requests made by individual users.

I understand that the servlet needs to return the session id generated by the first call to request.getSession(), so that the client can add this sessionid to future Ajax requests in order for the servlet to know which session in memory to use.

I also understand that the two ways that this session id can be returned to the client are either using cookies (JSESSIONID) or URL Rewriting.

If I can't use URL Rewriting, because I'm just returning JSON data, are cookies the only way I have left to send back the session id to the client?

Also, as a side question, currently I noticed that there is no JSESSIONID cookie in any of my HTTP responses from the servlet. Someone suggested to me that this was something new in Tomcat7 and that I had to activate them in the global context.xml. Does this mean that by default there is no session handling even if you make calls to request.getSession()?

Recommended answer

You have correctly identified two of the three ways of handling session IDs supported by Tomcat. There is a third way to track sessions but only if the application runs over SSL. In that case you can configure Tomcat to use the SSL session ID.

If the Servlet calls request.getSession() then Tomcat always includes a session ID in the response. However, those cookies are marked as httpOnly by default in Tomcat 7 onwards which means they are not visible to JavaScript (to protect against XSS attacks that try to steal the cookie). If the session cookies need to be visible to script then you need to set useHttpOnly="false" in either the web application's context.xml (to change the default for just that file) or in $CATALINA_BASE/conf/context.xml to change the default setting for every web application.
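
As an added example (not part of the original answer, and not Tomcat or browser source code), this small JavaScript model of a browser cookie jar shows what the httpOnly default means for an Ajax client: the JSESSIONID cookie is left out of what page script can read, yet the browser still sends it with each request to the servlet. The header value, the `/app` path and the names `CookieJar`, `scriptView` and `requestHeader` are constructed for illustration.

```javascript
// Constructed sample, shaped like the header sent after request.getSession().
const SAMPLE_SET_COOKIE = 'JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; HttpOnly';

// Parse one Set-Cookie header value into name, value and the flags modelled here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed Set-Cookie: ' + header);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: '/', httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'path' && v.trim().startsWith('/')) cookie.path = v.trim();
  }
  return cookie;
}

// RFC 6265 path-match: '/app' covers '/app' and '/app/x' but not '/application'.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  store(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name + ';' + c.path, c);
  }
  // What page script reads from document.cookie: HttpOnly cookies are left out.
  scriptView(pagePath, isHttps) {
    return this.select(pagePath, isHttps, (c) => !c.httpOnly);
  }
  // What the browser places in the Cookie request header, Ajax requests included.
  requestHeader(requestPath, isHttps) {
    return this.select(requestPath, isHttps, () => true);
  }
  select(path, isHttps, keep) {
    return [...this.cookies.values()]
      .filter((c) => pathMatches(c.path, path) && (isHttps || !c.secure) && keep(c))
      .map((c) => c.name + '=' + c.value)
      .join('; ');
  }
}
```

Storing the same header without the `HttpOnly` attribute, which is what useHttpOnly="false" produces, makes the session ID appear in `scriptView` as well, and that is the exposure the default is there to prevent.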
