无效的会话cookie没有失效或被替换?
在 ASP.NET 中,我遇到了一种奇怪的情况,每次用户代理刷新页面时都会触发 Session_Start 。由于会话应该已经启动,我无法理解为什么(这台机器)在每次点击页面时都会触发 Session_Start 。
浏览器发送 cookie 作为 HTTP 请求的一部分:
GET http://example.com/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
...
Cookie: ASP.NET_SessionId=zsdntozy30cwvirc3lpnxh55
该 cookie 存在于 http request 标头中,但它导致创建新会话。但令人抓狂的是,新的 Cookie 并未发送到客户端(通过 Set-Cookie 响应标头)。
我假设如果会话cookieASP.NET_SessionId=zsdntozy30cwvirc3lpnxh55无效(例如由于应用程序池回收或Web服务器重新启动),则服务器应该设置一个新的cookie。
为了测试这个,我制作了一个特殊的http请求,带有明显无效的cookie:
GET http://example.com/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
...
Cookie: ASP.NET_SessionId=aaaaaaaaaaaaaaaaaaaaaaaa
果然,Session_Start事件发生,并且http响应不包含Set-Cookie header:
HTTP/1.1 200 OK
Server: ASP.NET Development Server/10.0.0.0
Date: Thu, 24 Mar 2011 23:45:50 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3710
Connection: Close
这是预期的行为吗?如果客户端的会话 cookie 不再有效,它们将被困在无人区,直到客户端浏览器确信销毁 cookie?
ASP.NET 是否可以选择将新会话 cookie 发送到客户端?毕竟,这是创建一个新会话 - 为什么不告诉客户呢?
如果服务器出现问题,用户必须删除所有 cookie,这是否是某种奇怪的安全功能?
In ASP.NET i was having a strange situation where Session_Start was being triggered every time the user-agent refreshed the page. Since a session should have already been started, i couldn't understand why (this one machine) was triggering a Session_Start every page hit.
The browser was sending a cookie as part of the HTTP request:
GET http://example.com/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
...
Cookie: ASP.NET_SessionId=zsdntozy30cwvirc3lpnxh55
The cookie was present in the http request header, yet it was causing a new session to be created. Maddeningly though, the new Cookie was not being sent to the client (through the Set-Cookie response header).
i assume that if the session cookie ASP.NET_SessionId=zsdntozy30cwvirc3lpnxh55 is not valid (e.g. due to an application pool recycle, or web-server restart) then the server should set a new cookie.
To test this i crafted a special http request, with an obviously invalid cookie:
GET http://example.com/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
...
Cookie: ASP.NET_SessionId=aaaaaaaaaaaaaaaaaaaaaaaa
Sure enough, the Session_Start event happens, and the http response contains no Set-Cookie header:
HTTP/1.1 200 OK
Server: ASP.NET Development Server/10.0.0.0
Date: Thu, 24 Mar 2011 23:45:50 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3710
Connection: Close
Is this intended behavior? If the client's session cookie is no longer valid, they'll be stuck in some no-mans land until the client browser is convinced to destroy the cookie?
Is there an option for ASP.NET to sent the new session cookie to the client? It is, after all, creating a new session - why not tell the client about it?
Is this some bizarre security feature, where a user must delete all cookies if a server gets the hiccups?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论