2

I have added the following configuration in my webapp application web.xml 

  <session-config>
    <cookie-config>
      <path>/</path>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
 </session-config>

When I start my application, I send an http request to set this cookie and I can see it in the http response with path /, Secure and httpOnly.

However, I can't see this cookie being sent inside the following http requests and hence, if I do request.getSession().getId() for the following requests, I get an empty string.

I tried adding the following to my tomcat 8.5 context and also the WAR context

<Context sessionCookiePath="/">

but it did not fix the issue.

Does that mean that the JSESSIONID cookie is not being secure and hence ignored to be sent within the requests?

4

1 回答 1

4

根据您的评论,您将会话 cookiesecure属性设置为true,使用http连接进行传输。

虽然http使用的协议不保证机密传输,但您可以通过激活该secure属性正确指示会话是敏感信息。因此,浏览器拒绝通过不安全的纯文本传输将此信息发送回服务器http

阅读此 Q/A 以了解更多详细信息:cookie“安全”标志如何工作?

由于 JSESSIONID 永远不会发送回服务器,因此每个请求最终都会创建一个新会话,该会话永远不会用于后续请求。

解决方案是禁用该secure属性,或者最好在 tomcat 中配置和使用https连接器。

您还应该将您的应用程序配置为仅接受 https连接并重定向httphttps.

于 2019-03-27T20:31:16.753 回答