Session cookie and IE 8

I recently deployed a simple web application on Tomcat. The application uses very standard session-based security, where a logged-in user is granted a session.
The session works fine in Firefox and Chrome, but in IE (tested 7 & 8) it requires the jsessionid in the URL, with privacy set to Medium. In IE 8 I tried overriding the cookie handling, setting "Allow all third-party cookies" and "Allow all session cookies" - no dice. However, when I run Tomcat on my local machine, IE accepts the cookie and the session works fine.
Now, for the HTTP headers.
From Chrome, the logged-in user gets a session:
GET http://devl:8080/testing/ HTTP/1.1
Host: devl:8080
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT STA"
Set-Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397; Path=/testing
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 2450
Date: Fri, 26 Mar 2010 14:14:40 GMT
GET http://devl:8080/testing/logout HTTP/1.1
Host: devl:8080
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Referer: http://devl:8080/testing/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397
...
From IE 8, with the standard Medium level of security and privacy:
GET http://devl:8080/testing/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; Tablet PC 2.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: devl:8080
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT STA"
Set-Cookie: JSESSIONID=192999F922D6E9C868314452726764BA; Path=/testing
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 2450
Date: Fri, 26 Mar 2010 14:32:34 GMT
GET http://devl:8080/testing/logout HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://devl:8080/testing/;jsessionid=6371A83EFE39A46997544F9146AA5CEA
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; Tablet PC 2.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: devl:8080
...
I thought it might be P3P, but adding a compact policy changed nothing. This is standard Tomcat session handling, so I'm very surprised that so far I can't find anyone else running into the same problem. Does anyone have any ideas?
Edit 3/4/2010 -
Sorry if I didn't make this clear - I tried from multiple other instances of IE - coworkers down the hall, etc.
Edit 4/3/2010 -
I also tried turning on prompting for all cookies, but I never get prompted. Using Fiddler to set a domain in the Set-Cookie header made no difference either.
Could the cookie need to have a domain set? I don't know of a way to configure that in Tomcat, but maybe I could mess with the cookie header using a filter... – 2010-03-29 14:15:54
Why does the Referer in your IE8 GET include the jsessionid in the URL? What tool did you use to capture the traffic above (since a browser would never send 'GET http://...')? – 2010-04-02 16:04:55
Another thing I noticed from the IE8 HTTP trace: the first request tries to establish a session ID ("Set-Cookie: JSESSIONID=192999F922D6E9C868314452726764BA; Path=/testing"), but the second request has a different session ID in the Referer: "...;jsessionid=6371A83EFE39A46997544F9146AA5CEA". Was there any intervening activity between these two requests? Is there any more information on why there would be two session IDs? Were multiple windows involved? – 2010-04-02 16:07:56
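The last comment spots the mismatch by eye: the server issued one JSESSIONID in Set-Cookie, the client never sent a Cookie header back, and a different id travelled in the Referer URL (URL rewriting, which also exposes the session id to any site the Referer reaches). The script below is an added example, not code from the question, that performs the same check over a captured trace; the two traces are excerpts of the question's own Chrome and IE 8 headers, re-typed here as constructed sample input.

```python
import re

# Excerpts of the two traces from the question (Chrome, then IE 8), re-typed
# as constructed sample input so the script runs offline.
CHROME_TRACE = """GET http://devl:8080/testing/ HTTP/1.1
Host: devl:8080

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397; Path=/testing

GET http://devl:8080/testing/logout HTTP/1.1
Host: devl:8080
Referer: http://devl:8080/testing/
Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397
"""

IE_TRACE = """GET http://devl:8080/testing/ HTTP/1.1
Host: devl:8080

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=192999F922D6E9C868314452726764BA; Path=/testing

GET http://devl:8080/testing/logout HTTP/1.1
Referer: http://devl:8080/testing/;jsessionid=6371A83EFE39A46997544F9146AA5CEA
Host: devl:8080
"""

SET_COOKIE = re.compile(r"^Set-Cookie:\s*JSESSIONID=([0-9A-F]+)", re.I | re.M)
COOKIE = re.compile(r"^Cookie:.*?\bJSESSIONID=([0-9A-F]+)", re.I | re.M)
URL_ID = re.compile(r";jsessionid=([0-9A-F]+)", re.I)  # URL-rewritten ids


def audit_session_ids(trace):
    """Compare the JSESSIONID the server issued with what the client sent back.

    cookie_returned: the issued id came back in a Cookie header (cookie accepted).
    url_rewriting:   a session id travelled inside a URL (Referer/request line),
                     which is what leaks the id to third parties via Referer.
    """
    issued = SET_COOKIE.findall(trace)
    echoed = COOKIE.findall(trace)
    in_urls = URL_ID.findall(trace)
    return {
        "issued": issued[-1] if issued else None,
        "echoed": echoed[-1] if echoed else None,
        "in_urls": in_urls,
        "cookie_returned": bool(issued) and issued[-1] in echoed,
        "url_rewriting": bool(in_urls),
        "url_id_matches_issued": bool(in_urls) and in_urls[-1] in issued,
    }


if __name__ == "__main__":
    for name, trace in (("chrome", CHROME_TRACE), ("ie8", IE_TRACE)):
        print(name, audit_session_ids(trace))
```

For the IE 8 trace this reports cookie_returned False and an id in the Referer that matches nothing the server issued in the capture, which is exactly the question the commenter raises.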