Cookie 与 jsessionid url 令牌优先级
Set-Cookie: VS jsessionid url token 优先级如何?
如果设置了 cookie,Apache Tomcat 似乎会忽略令牌。这样的行为是不是有点不方便呢?还是因为安全原因才这样?
这是 servlet 中请求的 url
....someParam=addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B'
,生成的 Session 的 ID 对应于 cookie 请求标头参数...
这意味着,它会搞砸请求的处理。例如Spring-mvc解析 将 someParam 值设置为 addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B' 并且它崩溃并出现异常...
how is it with Set-Cookie: VS jsessionid url token precedence ?
Apache Tomcat just seem to ignore the token if cookie is set. Isn't it a little inconvenient behavior ? Or is it like this because of security reasons ?
this is the url of the request in servlet
....someParam=addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B'
and ID of the resulting Session corresponds to the cookie request header param...
This means, that it screws up handling of the request. For instance Spring-mvc resolvessomeParam value to addFile;jsessionid=7A6ECCF009D4855821BCB45E0B744A7B' and it crashes with exception...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
根据 Servlet 2.4 规范,URL 重写是最低面值因此,对于接受 cookie 的客户端来说,URL 中的
jsessionid会被忽略,我对此并不感到惊讶。阅读第 7.1 节了解相关详细信息(即会话跟踪)。就您更新的问题而言(Spring MVC 相关),有很多文章/技术提到了如何通过剥离 URL 中的
;jsessionid来消除它们的过多负担使用过滤器或使用 mod_rewrite 关闭。在 google 上搜索“jsessionid in url”并阅读下面的链接。As per the Servlet 2.4 specification, URL re-writing is the lowest denomination of session tracking so I'm not surprised that
jsessionidin the URL is ignored for clients who are accepting cookies. Read the section 7.1 for relevant details (i.e. session tracking).As far as your updated question is concerned (Spring MVC related), there are a lot of articles/techniques out there which mention how to do away with the excessive baggage of
;jsessionidin your URL by stripping them off using a filter or by using mod_rewrite. Do a google search for "jsessionid in url" and read through the links which follow.