大家好!我正在开发一个在 iFrame 中运行的 JAVA/JSF 应用程序。客户端在 iFrame 外部进行身份验证,然后重定向回包含 iFrame 内部应用程序的页面。如果客户端禁用了第 3 方 cookie,iFrame 将无法访问 cookie,并且永远不会看到 jsessionid。
我想做的是测试应用程序中的cookie,如果没有找到,则使用JS重定向到当前页面,并在末尾附加;jsessionid。我试过了,
;jsessionid=#{session.getId()}
看起来不错...但永远不会维持当前会话。然后,我向页面添加了
<h:form><h:commandButton/></h:form>
,关闭了 cookies,在浏览器中查看了该页面,发现表单上列出的 jsessionid 与 session.getId() 提供的不同。
我的问题是......我怎样才能获得正确的jsessionid,即表单的一部分?
谢谢!梅森
——更新——
我应该提到的是,这是在同一个域、网络服务器和应用程序上。 an 和同一页面的#{session.getId()} 会同时返回不同的jsessionid。
HI all! I am working on a JAVA/JSF app that runs within an iFrame. The client authenticates Outside of the iFrame, then redirects back to a page that contains the application inside of an iFrame. If the client has 3rd party cookies disabled, the iFrame will not be able to access the cookie, and it will never see the jsessionid.
What I would like to do is test for the cookie in the app, and if not found, redirect using JS to the current page, with ;jsessionid appended to the end. I tried that with
;jsessionid=#{session.getId()}
Which looked OK...but would never maintain the current session. I then added an
<h:form><h:commandButton/></h:form>
to the page, turned off cookies, viewed the page in a browser, and saw that the jsessionid listed on the form was different than the one provided by session.getId().
My question is this......how can I get the correct jsessionid, the one that would be part of the form?
Thanks! Mason
--Update--
I should mention that this is on the same domain, webserver, and application. an and the #{session.getId()} on the same page will return a different jsessionid at the same time.
发布评论
评论(1)
默认情况下,会话是域和上下文绑定的。您的问题表明 iframe 所服务的页面在不同域和/或上下文中运行。
如果 iframe 中的页面在不同的域中运行,那么您必须编写一个“本地”servlet,在
java.net.URLConnection
或 Apache HttpClient 并让 iframe 链接到该客户端。如果 iframe 中的页面在同一域但在不同的上下文中运行(并且在同一 Web 服务器上运行),那么您需要将服务器配置为在所有正在运行的 Web 应用程序之间共享相同的会话。如何做到这一点完全取决于相关服务器。如果是 Tomcat 或克隆/分叉,请检查 emptySessionPath 属性rel="nofollow noreferrer">HTTP 连接器。
Sessions are by default domain- and context bound. Your issue indicates that the page which the iframe is serving runs at a different domain and/or context.
If the page in the iframe runs at a different domain, then you'll have to write a "local" servlet which acts as a proxy with help of
java.net.URLConnection
or Apache HttpClient and let the iframe link to that instead.If the page in the iframe runs at same domain but at a different context (and runs at same webserver), then you need to configure the server to share the same session among all running webapps. How to do that exactly depends on the server in question. If it's Tomcat or a clone/fork, then check the
emptySessionPath
attribute of the HTTP connector.