Tomcat 7.1为来自同一客户端的每个请求创建新会话

Question

我正在使用Tomcat 7并尝试将某个对象存储到会话中，但每当有来自同一客户端的新请求时，它看起来像Tomcat正在创建新会话。

以下是我的代码，它基本上是一个过滤器，它正在调用另一个执行身份验证和授权并返回对象的应用程序。我使用Apache的HttpClient此通信

过滤等级

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { 

    // If the request is for any static contents do not invoke this filter 
    if (!isWorthyRequest((HttpServletRequest)request)) { 
     chain.doFilter(request, response); 
     return; 
    } 

    HttpClient httpClient = null; 
    try { 
     if (validateApp && request instanceof HttpServletRequest) { 
      HttpServletRequest httpServletRequest = (HttpServletRequest)request; 
      HttpSession httpSession = httpServletRequest.getSession(false); 
      if (null != httpSession && null != httpSession.getAttribute("userInfoMap")) { 
       LOG.info(" User is already Authenticated :: session Id :: "+httpSession.getId() 
         +" Created At :: "+ new Date(httpSession.getCreationTime()) 
       +" Last Accessed At :: "+new Date(httpSession.getLastAccessedTime())); 
       // The user is already Authenticated & Authorize just pass the request to next chain 
      } else { 
       LOG.info("Calling Authenication/Authorization Module :: URL "+securityServiceURL); 
       // Calling Authentication and Authorization 
       httpClient = new DefaultHttpClient(); 
       HttpPost httpPost = new HttpPost(securityServiceURL); 
       // Getting the SM Header 
       httpPost.setHeader(IaasConstants.SM_USER, httpServletRequest.getHeader(IaasConstants.SM_USER)); 
       List<NameValuePair> urlParameters = new ArrayList<NameValuePair>(); 
       // urlParameters.add(new BasicNameValuePair(IaasConstants.SOURCE_APP_NAME, "vElite")); 
       urlParameters.add(new BasicNameValuePair(IaasConstants.SUB_SERVICE_NAME, IaasConstants.SERVICE_AUTHENTICATE_USER)); 
       httpPost.setEntity(new UrlEncodedFormEntity(urlParameters)); 
       HttpResponse httpResponse = httpClient.execute(httpPost); 
       HttpEntity httpEntity = httpResponse.getEntity(); 
       String jsonString = null; 
       if (null != httpEntity) { 
        jsonString = EntityUtils.toString(httpEntity); 
       } 
       HttpServletResponse httpServletResponse = (HttpServletResponse)response; 
       // User is a valid user 
       if (httpResponse.getStatusLine().getStatusCode() == HttpServletResponse.SC_OK) { 
        LOG.info(" User is valid :: user :: "+httpServletRequest.getHeader(IaasConstants.SM_USER)+" jsonObject :: "+jsonString); 
        if (null != jsonString) { 
         Gson gSon = new Gson(); 
         Type mapType = new TypeToken<Map<String, Object>>(){}.getType(); 
         Map<String, Object> userInfoMap = gSon.fromJson(jsonString, mapType); 
         httpSession = httpServletRequest.getSession(false); 
         if (null == httpSession) { 
          LOG.info("Session Created and the userInfoMap is stored inside session :: "); 
          httpSession = httpServletRequest.getSession(true); 
          httpSession.setAttribute(IaasConstants.USER_INFO_MAP, userInfoMap); 
         } else { 
          httpSession.setAttribute(IaasConstants.USER_INFO_MAP, userInfoMap); 
         } 
        } 
       } else { 
        // Bad User 
        LOG.info("Invalid User ::: with status code :: " 
        +httpResponse.getStatusLine().getStatusCode() 
        +" Status Message :: "+httpResponse.getStatusLine().getReasonPhrase()); 

        httpServletResponse.setStatus(httpResponse.getStatusLine().getStatusCode()); 
        httpServletResponse.sendError(httpResponse.getStatusLine().getStatusCode()); 
        httpServletResponse.flushBuffer(); 
        return; 
       } 
      } 

     } 
     HttpServletResponseCopier responseCopier = new HttpServletResponseCopier((HttpServletResponse) response); 
     // pass the request along the filter chain 
     chain.doFilter(request, responseCopier); 

    } catch (Exception e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } finally { 
     if (null != httpClient) { 
      httpClient.getConnectionManager().shutdown(); 
     } 
    } 
} 

/** 
* @see Filter#init(FilterConfig) 
*/ 
public void init(FilterConfig fConfig) throws ServletException { 
    // TODO Auto-generated method stub 
    this.fConfig = fConfig; 
    validateApp = Boolean.valueOf(fConfig.getInitParameter(IaasConstants.VALIDATE_APP)); 
    securityServiceURL = fConfig.getInitParameter(IaasConstants.SECURITY_SERVICE_URL); 
} 

    private boolean isWorthyRequest(HttpServletRequest request) { 
     String url = request.getRequestURI().toString(); 
     Matcher m = excludeUrls.matcher(url); 

     return (!m.matches()); 
    } 

的web.xml

<session-config> 
<session-timeout>15</session-timeout> 
<cookie-config> 
<http-only>true</http-only> 
<secure>true</secure> 
</cookie-config> 
</session-config> 

做什么，这样Tomcat将维持从同一客户机的请求会话？

我试过下面的选项，这对我没有用。

1. 在全球的context.xml添加阀像 <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false"/>

2. 去除的web.xml

<http-only>true</http-only>选项据我了解，由于会话固定保护文档的Tomcat创建新的会话ID对于每一个请求，但有没有其他的选择来维持会话？

Answer 1

<secure>true</secure>意味着饼干应只设置在HTTPS连接，我想你做HTTP，因此将其删除