java - httponly cookie 启用了与 servlet 的通信错误小程序

Question

在启用了 HTTPOnlyCookies 设置的 Websphere 6.1.0.31 下运行的应用程序存在问题。问题在于通过 HttpURLConnection 与 Servlet 建立连接的 Applet。Applet 通过参数从 JSP 页面传递 JSESSION ID。在 HttpURLConnect 调用中，我们设置 Cookie 标头并包含 JSESSION ID。Servlet 不使用传递的 cookie 并将创建一个新会话并导致错误。禁用 HTTPOnlyCookies 后，它可以正常工作而不会出现任何错误。设置为 (com.ibm.ws.webcontainer.HTTPOnlyCookies=*)。

下面是更改的代码，以显示我们如何执行此任务。我只更改了代码以删除与项目相关的任何信息，因为这是在生产软件中。

    // The Applet
    public class TheApplet extends JApplet {
        private String servletURL;
        private String sessionId;

        public void init() {
            this.sessionId = getParameter(SESSION_ID_PARAM);
            this.servletURL = "https://THEURL/CONTEXT/TheServlet.do?params=params";
        }

        public void start () {
            Thread t = new Thread(new Runnable() {
                public void run() {
                    HttpClient httpClient = new HttpClient(this.servletURL, this.sessionId);
                    Map theMap = httpClient.getData();
                }
            });
            t.start();
        }
    }

    public class HttpClient {
        public Map getData() {
            ObjectInputStream ois = doGet(this.servletURL, this.sessionId);

            /*
            ... Process return .. error happens before processing
            */
        }

        private ObjectInputStream doGet(String servletURL, String sessionId) {
            URL url = new URL(servletURL);
            HttpURLConnection httpConn = (HttpURLConnection)url.openConnection();
            httpConn.setDoInput (true);
            httpConn.setDoOutput (true);
            httpConn.setRequestProperty("Cookie", "JSESSIONID="+sessionId);
            httpConn.setUseCaches (true);

            return new ObjectInputStream (httpConn.getInputStream ());
        }
    }


    // The Servlet
    // Struts 1.2.9
    import org.apache.struts.actions.DispatchAction;
    public class TheServletAction extends DispatchAction {
        public ActionForward performGetData(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) {
            Map theMap = new HashMap();
            /*
            ... db call and build Map
            */
            TheResponseWriter.writeObjectIntoResponse(theMap, response);
        }
    }

    public class TheResponseWriter {
        public static void writeObjectIntoResponse(Object oObjToWrite, HttpServletResponse response) {
            ServletOutputStream out = response.getOutputStream();
            ObjectOutputStream oos = new ObjectOutputStream(out);
            response.setContentType("application/octet-stream");
            oos.writeObject(oObjToWrite);
            oos.flush();
            oss.close();
            out.close();
        }
    }

下面是我在小程序的 Java 控制台跟踪文件中看到的错误。再次只更改小信息，我还在 WASReqURL 中注意到它没有“主机名”

    network: Cache entry not found [url: https://THEURL/CONTEXT/TheServlet.do?params=params, version: null]
    network: Connecting https://THEURL/CONTEXT/TheServlet.do?params=params with proxy=DIRECT
    network: Connecting socket://THEURL:443 with proxy=DIRECT
    network: Server https://THEURL/CONTEXT/TheServlet.do?params=params requesting to set-cookie with "WASReqURL=https:///CONTEXT/TheServlet.do?params=params; HTTPOnly; Path=/"
    network: Cache entry not found [url: https://THEURL/CONTEXT/index.jsp, version: null]
    network: Connecting https://THEURL/CONTEXT/index.jsp with proxy=DIRECT
    network: Connecting socket://THEURL:443 with proxy=DIRECT
    network: Server https://THEURL/CONTEXT/index.jsp requesting to set-cookie with "JSESSIONID=; HTTPOnly; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Domain=THEURL"
    network: Server https://THEURL/CONTEXT/index.jsp requesting to set-cookie with "JSESSIONID=dfdsfdsafds3q32-sad9287287:163bb19cr; HTTPOnly; Path=/"
    - Wed Dec 14 09:05:58 EST 2011 - ERROR - Thread-8 - com.the.package.HttpClient - java.io.StreamCorruptedException: invalid stream header: 0A0A0A0A

感谢您的帮助，请让我知道您可能需要帮助的任何进一步信息。我根本找不到任何有帮助的东西。

_添加更多细节

在生产中，该行 (httpConn.setRequestProperty("Cookie", "JSESSIONID="+sessionId); ) 甚至不存在，并且该过程运行良好。但是我们的客户想要在他们的 Websphere 上启用 httpOnly 设置，但是遇到了无法正常工作的小程序。我可能已经找到了通过会话不起作用的原因。在查看 cookie 标头时，我注意到标头中的 JSESSIONID 与设置为小程序参数的不同。调查后我发现了有关集群环境的 JSESSIONID 格式的信息。https://www.ibm.com/developerworks/mydeveloperworks/blogs/Dougclectica/entry/websphere_session_ids22?lang=en，即CacheID+SessionID+:+CloneID。我正在尝试找出如何在 JSP 页面中获取这些值。