Cookie与jsessionid url令牌优先级 [英] Cookie vs jsessionid url token precedence

问题描述

如何使用 Set-Cookie：VS jsessionid url token 优先级？

Apache Tomcat似乎只是如果设置了cookie，则忽略该令牌。是不是有点不方便的行为？或者是因为安全原因这样吗？

Apache Tomcat just seem to ignore the token if cookie is set. Isn't it a little inconvenient behavior ? Or is it like this because of security reasons ?

这是servlet中请求的url

this is the url of the request in servlet

....someParam=addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B'

和生成的Session的ID对应于cookie请求标头参数...

and ID of the resulting Session corresponds to the cookie request header param...

这意味着它会搞砸请求的处理。例如，Spring-mvc将
someParam 的值解析为 addFile; jsessionid = 7A6ECCF009D4855821BCB45E0B744A7B'并且它会因异常而崩溃...

This means, that it screws up handling of the request. For instance Spring-mvc resolves someParam value to addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B' and it crashes with exception...

推荐答案

根据 Servlet 2.4规范，URL重写是会话跟踪的最低面额所以我并不感到惊讶 jsessionid

As per the Servlet 2.4 specification, URL re-writing is the lowest denomination of session tracking so I'm not surprised that jsessionid in the URL is ignored for clients who are accepting cookies. Read the section 7.1 for relevant details (i.e. session tracking).

就您更新的问题而言（Spring MVC相关），有很多文章/技巧在那里提到如何通过使用过滤器或使用mod_rewrite剥离它们来解决你的URL中的; jsessionid 过多的行李。谷歌搜索jsessionid in url并阅读随后的链接。

As far as your updated question is concerned (Spring MVC related), there are a lot of articles/techniques out there which mention how to do away with the excessive baggage of ;jsessionid in your URL by stripping them off using a filter or by using mod_rewrite. Do a google search for "jsessionid in url" and read through the links which follow.

这篇关于Cookie与jsessionid url令牌优先级的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！