由于某些安全性原因,我认为禁止URL中的jsessionid进行会话跟踪.在我将web.xml更改为下面的文件之前,我第一次在网页上访问了一个jsessionid,点击第一个链接后,它再也不会出现.
我的web.xml看起来像
<session-config> <session-timeout>10</session-timeout> <cookie-config> <secure>true</secure> </cookie-config> <tracking-mode>COOKIE</tracking-mode> </session-config>
现在我在URL中有jsessionid,如果我点击页面上的另一个链接,它永远不会消失.每次点击都会发生变化.
如果我尝试调用一个JSF动作,我得到一个javax.faces.application.ViewExpiredException,但被管理的bean是@SessionScoped.
这是我的依赖关系树
[INFO] Scanning for projects... [INFO] Searching repository for plugin with prefix: 'dependency'. [INFO] ------------------------------------------------------------------------ [INFO] Building Java EE 6 webapp project [INFO] task-segment: [dependency:tree] [INFO] ------------------------------------------------------------------------ [INFO] [dependency:tree {execution: default-cli}] [INFO] de.project:demoapp:war:1.0-SNAPSHOT [INFO] +- javax.enterprise:cdi-api:jar:1.0-SP4:provided [INFO] | +- org.jboss.spec.javax.interceptor:jboss-interceptors-api_1.1_spec:jar:1.0.0.Final:provided (version managed from 1.0.0.Beta1) [INFO] | \- javax.inject:javax.inject:jar:1:provided [INFO] +- org.jboss.spec.javax.annotation:jboss-annotations-api_1.1_spec:jar:1.0.0.Final:provided [INFO] +- org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_1.1_spec:jar:1.0.0.Final:provided [INFO] +- org.hibernate.javax.persistence:hibernate-jpa-2.0-api:jar:1.0.1.Final:provided [INFO] +- org.jboss.spec.javax.ejb:jboss-ejb-api_3.1_spec:jar:1.0.1.Final:provided [INFO] +- org.hibernate:hibernate-validator:jar:4.2.0.Final:provided [INFO] | \- javax.validation:validation-api:jar:1.0.0.GA:provided [INFO] +- org.hibernate:hibernate-jpamodelgen:jar:1.1.1.Final:provided [INFO] +- junit:junit:jar:4.10:test [INFO] | \- org.hamcrest:hamcrest-core:jar:1.1:test [INFO] +- org.jboss.arquillian.junit:arquillian-junit-container:jar:1.0.0.CR4:test [INFO] | +- org.jboss.arquillian.junit:arquillian-junit-core:jar:1.0.0.CR4:test [INFO] | +- org.jboss.arquillian.test:arquillian-test-api:jar:1.0.0.CR4:test [INFO] | | \- org.jboss.arquillian.core:arquillian-core-api:jar:1.0.0.CR4:test [INFO] | +- org.jboss.arquillian.test:arquillian-test-spi:jar:1.0.0.CR4:test [INFO] | | +- org.jboss.arquillian.core:arquillian-core-spi:jar:1.0.0.CR4:test [INFO] | | \- org.jboss.shrinkwrap:shrinkwrap-api:jar:1.0.0-beta-5:test [INFO] | +- org.jboss.arquillian.container:arquillian-container-test-api:jar:1.0.0.CR4:test [INFO] | +- org.jboss.arquillian.container:arquillian-container-test-spi:jar:1.0.0.CR4:test [INFO] | +- org.jboss.arquillian.core:arquillian-core-impl-base:jar:1.0.0.CR4:test [INFO] | +- org.jboss.arquillian.test:arquillian-test-impl-base:jar:1.0.0.CR4:test [INFO] | +- org.jboss.arquillian.container:arquillian-container-impl-base:jar:1.0.0.CR4:test [INFO] | | +- org.jboss.arquillian.config:arquillian-config-api:jar:1.0.0.CR4:test [INFO] | | \- org.jboss.arquillian.config:arquillian-config-impl-base:jar:1.0.0.CR4:test [INFO] | | \- org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-spi:jar:1.1.0-alpha-2:test [INFO] | +- org.jboss.arquillian.container:arquillian-container-test-impl-base:jar:1.0.0.CR4:test [INFO] | \- org.jboss.shrinkwrap:shrinkwrap-impl-base:jar:1.0.0-beta-5:test [INFO] | \- org.jboss.shrinkwrap:shrinkwrap-spi:jar:1.0.0-beta-5:test [INFO] +- org.jboss.arquillian.protocol:arquillian-protocol-servlet:jar:1.0.0.CR4:test [INFO] | \- org.jboss.arquillian.container:arquillian-container-spi:jar:1.0.0.CR4:test [INFO] | \- org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api:jar:1.1.0-alpha-2:test [INFO] +- javax.mail:mail:jar:1.4.4:compile [INFO] | \- javax.activation:activation:jar:1.1:compile [INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided [INFO] +- org.owasp.esapi:esapi:jar:2.0.1:compile [INFO] | +- commons-configuration:commons-configuration:jar:1.5:compile [INFO] | | +- commons-lang:commons-lang:jar:2.3:compile [INFO] | | +- commons-logging:commons-logging:jar:1.1:compile [INFO] | | | +- logkit:logkit:jar:1.0.1:compile [INFO] | | | \- avalon-framework:avalon-framework:jar:4.1.3:compile [INFO] | | \- commons-digester:commons-digester:jar:1.8:compile [INFO] | | \- commons-beanutils:commons-beanutils:jar:1.7.0:compile [INFO] | +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile [INFO] | +- commons-fileupload:commons-fileupload:jar:1.2:compile [INFO] | +- commons-collections:commons-collections:jar:3.2:compile [INFO] | +- xom:xom:jar:1.1:compile [INFO] | | +- xerces:xmlParserAPIs:jar:2.6.2:compile [INFO] | | +- xerces:xercesImpl:jar:2.6.2:compile [INFO] | | +- xalan:xalan:jar:2.7.0:compile [INFO] | | | \- xml-apis:xml-apis:jar:1.0.b2:compile [INFO] | | \- jaxen:jaxen:jar:1.1-beta-8:compile [INFO] | | +- dom4j:dom4j:jar:1.6.1:compile [INFO] | | \- jdom:jdom:jar:1.0:compile [INFO] | +- org.beanshell:bsh-core:jar:2.0b4:compile [INFO] | \- org.owasp.antisamy:antisamy:jar:1.4.3:compile [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.7:compile [INFO] | | +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.7:compile [INFO] | | \- xml-apis:xml-apis-ext:jar:1.3.04:compile [INFO] | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.12:compile [INFO] | \- commons-httpclient:commons-httpclient:jar:3.1:compile [INFO] | \- commons-codec:commons-codec:jar:1.2:compile [INFO] +- com.sun.faces:jsf-api:jar:2.1.7:compile [INFO] \- joda-time:joda-time:jar:1.6:compile [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESSFUL [INFO] ------------------------------------------------------------------------ [INFO] Total time: 5 seconds [INFO] Finished at: Mon Mar 19 12:55:23 CET 2012 [INFO] Final Memory: 31M/342M [INFO] ----------------------------------------
编辑:
它看起来像没有它的工作
<cookie-config> <secure>true</secure> </cookie-config>
默认情况下,Cookie也处于安全模式
这是正常吗?我需要这个cookie配置的东西不再吗?
谢谢!
解决方法
你使用https ssl还是端口80 http?如果使用http,然后删除安全cookie作为ssl上的安全手段
看起来网络服务器意识到它没有得到cookie,所以每次都进行一个新的会话.如果您禁用安全cookie(意味着使其为false),那么它应该工作.
它不能确保浏览器接受cookies. https://www.youtube.com/watch?v=CVEo7wug2ks显示如何查看Cookie(不要删除除非测试)