Session Cookies and IE 8
I recently built a simple web-app deployed over Tomcat. The app uses pretty standard session-based security where a user who has logged in is given a session.
Sessions work fine in Firefox and Chrome, but require the use of jsessionid in the URL for IE (tested 7 & 8), set to medium privacy. In IE 8, I tried to override cookie handling, setting "Allow all 3rd party cookies" and "Allow all session cookies" - no dice. However, when I run Tomcat on my local machine, IE accepts the cookie, and sessions work just fine.
And now, for the HTTP headers.
From Chrome, a logged-in user gets a session
GET http://devl:8080/testing/ HTTP/1.1
Host: devl:8080
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT STA"
Set-Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397; Path=/testing
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 2450
Date: Fri, 26 Mar 2010 14:14:40 GMT

GET http://devl:8080/testing/logout HTTP/1.1
Host: devl:8080
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Referer: http://devl:8080/testing/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397
...
From IE 8, with standard medium level security and privacy -
GET http://devl:8080/testing/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; Tablet PC 2.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: devl:8080
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT STA"
Set-Cookie: JSESSIONID=192999F922D6E9C868314452726764BA; Path=/testing
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 2450
Date: Fri, 26 Mar 2010 14:32:34 GMT

GET http://devl:8080/testing/logout HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://devl:8080/testing/;jsessionid=6371A83EFE39A46997544F9146AA5CEA
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; Tablet PC 2.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: devl:8080
...
I thought it might be P3P, but on adding a compact policy, nothing changes. This is the standard Tomcat session, so I'm really surprised I haven't been able to find other people with the same problem so far. Anyone have any ideas?
EDIT 4/3/2010 -
Sorry if I didn't make this clear - I've tried from multiple other instances of IE - co-workers down the hall, etc.
EDIT 4/3/2010 -
I've also tried turning on prompting for all cookies, but I don't get a prompt. Setting the domain in the "Set-Cookie" header using Fiddler didn't make a difference, either.
I ran into this exact problem, dug around for a while, and found this:
http://forums.iis.net/p/1147938/1879164.aspx
which says that domain names that have underscores in them cause problems with Windows Server, tomcat and IE
not sure if this fixes your problem (and at this point, you probably don't care) but maybe the next person who comes along can gain some value from it.
Problem: IE8 refused to accept cookies on a site I had built, but Firefox and IE7 worked just fine and had done so for ages - this was stable code.
Solution (for me): My server is in a different time zone to the client machine. The STUPID, IDIOTIC IE8 tries to be clever and refuses to accept cookies (stored in the local client machine) with a 20 minute life. My PHP code was straight from the text book, thus:
But it works fine if I change it to, for example -
This still leaves me with the problem of making the cookie die after 20 minutes, but at least my users can now use my website with IE8. I pass on this information in case it may help someone else.
Have you checked that the server time is correct?
I have had similar problems recently with IE not accepting cookies properly. After a lot of head scratching it turned out to be because the time difference between the server and client machines was so big that IE refused to accept the cookie. This was in Apache however.
Try using the standard HTTP port (80). I've read about issues with port numbers in URLs regarding privacy/security in IE more than once but can't seem to find relevant links at this time.
I agree with Lexicore - the cookie protocol from the web server looks right, so there's something with IE. It would be easier to figure out how to address the issue if we understood better why IE is rejecting the cookie. Alternatively, ask a friend to hit the site for you in IE to help confirm it's a server issue, not a browser instance issue.
Here are some things to check to help debug with IE and cookies - unfortunately, there's a mess of options to check. Sorry if some of these items seem basic - I just don't want to make any assumptions. I'm following along in IE 8.0 for this.
First, browse to the target site (http://devl:8080/testing/) in IE. Then:
Confirm what zone IE classifies 'http://devl:8080/testing/'. (This could explain why it works with Tomcat on your local machine.) The zone is displayed in the bottom bar of the browser and it most likely says "Internet". If it instead says "Local intranet", "Trusted Site", or "Restricted Site", this may be part of the problem and you should update your question or figure out why it isn't classified as Internet.
Double-click on the zone indicator in the bottom bar (presumably "Internet") to open the Security dialog. Is the Security Level for Internet set to Medium-high? If it isn't, this could be part of the problem and you should probably reset it back to match your users.
Select the "Internet" zone and then click the "Custom level ..." button to open the Security Settings dialog. Confirm the "Userdata persistence" option is set to "Enable". The "Userdata persistence" option is in the bottom 1/4 of the list of options in the "Miscellaneous" section (near the bottom of the section just above the next section "Scripting").
Click OK on each dialog to close both of them.
On the menubar (enable it if it is not enabled), click "Tools" > "Internet Options". Select the "Privacy" tab. I know you mentioned you tried some things here, but those changes may not affect your site if your site is not in the Internet zone or if your site is in the "Per Site Privacy Actions" exception list, so it's best to just confirm.
Is the privacy setting in the Privacy tab set to Medium? If not, you may want to reset to default.
Click the "Sites" button to open the Per Site Privacy Actions dialog. Is your dev1 site listed? If so, remove it. Click OK to dismiss the dialog. Alternatively, you could force your dev1 site to always Allow cookies.
Click the "Advanced" button. Is "Override automatic cookie handling" checked? If so, you might want to uncheck it to match your users. Alternatively, try checking it and checking "Always allow session cookies."
Click OK on each dialog to close both of them.
Confirm the browser is still at target site ('http://devl:8080/testing/'). Click "View" > "Webpage Privacy Policy..." to view the Privacy Report dialog. Does the list include "http://dev1:8080/testing/"? Does the Cookie column indicate "Accepted" for "http://dev1:8080/testing/"?
Select "http://dev1:8080/testing/" from the list. Click Summary to see the Privacy Policy. If one is set for your site, you should see it here. Otherwise, you should get a message that a privacy policy was not found. Look at the bottom of the dialog to see how the site is set to use cookies (compare, always allow, or never allow).
Hope this helps or gives you some ideas to pursue.
Ref:
This forum concerning P3P seems relevant.
Also have you considered setting your domain and expiration date for the session cookie?
This clearly has nothing to do with Tomcat, since the cookie is being set - just not accepted by IE. This must be a security issue in IE then.
Maybe this MS article would help to tune it.
What security zone is the dev1 site part of? IE handles cookies and lots of other security differently depending on which zone (and how the zone is configured).
Try setting the dev1 site to explicitly be part of the Trusted Sites for example and see what happens.
Zones:
Also, does the cookie have to be restricted to the /testing path? Try setting it for / and see if that makes a difference.
I would try using the fully qualified hostname of the server. MSIE treats hostname without domains as being in the "Local intranet" and handles security differently.
Specifically, instead of:
Try using something like:
It seems from what you're saying that you've only seen this issue in IE and only using computers in your office. Is there any sort of "security suite" installed by IT on all office computers, and if so, can you temporarily disable it? Oftentimes, these types of applications hook into IE and muck with its HTTP stack. If you do have software like that installed, do you have a "clean" installation or non-company computer you can test with?
The time on our servers was off by 14 minutes (and in the correct time zone, EST).
Once we set the time on the server to the correct time, cookies started working again.
Ed
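As an added example (not code from the question, from any of the answers, or from Tomcat), here is a Python pre-flight check that reads a captured request/response pair like the ones in the question and reports the conditions the answers single out: an underscore in the hostname, a hostname with no domain part (which IE files under Local intranet), a cookie restricted to a narrow Path, and an Expires time that is already in the past on the client's clock when server and client disagree about the time, as in the PHP and 14-minute answers. It also flags a session id in the request URL or Referer: when IE refuses the cookie, Tomcat falls back to rewriting jsessionid into links, and the IE capture above shows that id arriving in a Referer header, where a link to any third-party site would carry it off the application. The five-minute skew tolerance, the host dev_srv.example.com, the PHPSESSID value and the client clock readings are constructed for the example; the IE exchange is assembled from the captured headers above.

```python
"""Cookie acceptance pre-flight over a captured request/response pair.
Added example for this thread; not code from the question, the answers, or Tomcat.
Assumed: server and client clocks more than five minutes apart are suspect."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SKEW_TOLERANCE = timedelta(minutes=5)  # assumption, see module docstring


def parse_headers(raw):
    """Split a captured request or response into (start line, {name: value}).
    Header names are lower-cased; a repeated name keeps its last value."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def parse_set_cookie(header):
    """Return (name, value, {attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_exchange(request_raw, response_raw, client_now):
    """Return [(code, message), ...] for one request/response pair.
    client_now is the browser's current time as a timezone-aware datetime."""
    findings = []
    start_line, req = parse_headers(request_raw)
    _, resp = parse_headers(response_raw)

    hostname = req.get("host", "").split(":")[0]
    if "_" in hostname:
        findings.append(("underscore-host", f"'{hostname}' contains an underscore, "
                         "which is not a valid hostname character"))
    if "." not in hostname:
        findings.append(("intranet-zone", f"'{hostname}' has no domain part; IE puts "
                         "such hosts in the Local intranet zone with its own cookie rules"))
    if ";jsessionid=" in (start_line + req.get("referer", "")).lower():
        findings.append(("sid-in-url", "session id travels in the URL/Referer rather "
                         "than in a cookie and leaks to any site linked from the page"))

    if "set-cookie" not in resp:
        return findings
    name, _, attrs = parse_set_cookie(resp["set-cookie"])
    path = attrs.get("path", "/")
    if path != "/":
        findings.append(("narrow-path", f"{name} is scoped to Path={path}; requests "
                         "outside that path will not carry it"))
    if "expires" not in attrs:
        findings.append(("session-cookie", f"{name} has no Expires/Max-Age, so it lasts "
                         "until the browser closes and is unaffected by clock skew"))
        return findings
    expires = parsedate_to_datetime(attrs["expires"])
    # The Date header is the server's clock; compare it with the client's.
    server_now = parsedate_to_datetime(resp["date"]) if "date" in resp else client_now
    skew_min = round((server_now - client_now).total_seconds() / 60)
    if expires <= client_now:
        findings.append(("expired-on-client", f"{name} expires at {expires:%H:%M:%S} but "
                         f"the client clock reads {client_now:%H:%M:%S} "
                         f"(server is {skew_min:+d} min from the client)"))
    elif abs(skew_min) > SKEW_TOLERANCE.total_seconds() / 60:
        findings.append(("clock-skew", f"server and client clocks differ by {skew_min:+d} "
                         f"min; a short-lived cookie like {name} will expire early or late"))
    return findings


def client_clock(hour, minute, second=0):
    """Constructed client-side clock on 26 Mar 2010 (UTC), the capture date."""
    return datetime(2010, 3, 26, hour, minute, second, tzinfo=timezone.utc)


# Assembled from the IE 8 captures above: the logout request (with its Referer)
# paired with the headers of the first response.
IE_REQUEST = """GET http://devl:8080/testing/logout HTTP/1.1
Referer: http://devl:8080/testing/;jsessionid=6371A83EFE39A46997544F9146AA5CEA
Host: devl:8080
"""
IE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=192999F922D6E9C868314452726764BA; Path=/testing
Date: Fri, 26 Mar 2010 14:32:34 GMT
"""

# Constructed PHP-style exchange: a 20-minute cookie from a server whose clock
# lags the client's, as in the time-zone answer; hostname and value are invented.
PHP_REQUEST = """GET /index.php HTTP/1.1
Host: dev_srv.example.com
"""
PHP_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 26 Mar 2010 14:14:40 GMT
Set-Cookie: PHPSESSID=constructed0123; Expires=Fri, 26-Mar-2010 14:34:40 GMT; Path=/
"""

if __name__ == "__main__":
    for code, message in check_exchange(IE_REQUEST, IE_RESPONSE, client_clock(14, 32, 34)):
        print(f"{code}: {message}")
```

The client clock is passed in explicitly instead of being read from the system, so a run is reproducible and a client that is minutes ahead of or behind the server can be simulated; with the PHP exchange and a client reading 14:40, the 20-minute cookie is already expired on arrival, which is the behaviour the time-zone answer describes.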