Session between HTTPS and HTTP


Recently we hit a problem with sessions shared between HTTPS and HTTP. The steps are as follows:
first page ---> put data in session ---> second page displays session data ---> access over HTTPS ---> third page displays session data
Click the browser's back button on the third page and we return to the second page, but the session data is lost.
And we set these headers in the second step:
response.setHeader("Pragma", "no-cache")
response.addHeader("Cache-Control", "no-cache")
response.addHeader("Cache-Control", "no-store" )
response.addHeader("Cache-Control", "must-revalidate" )
response.setDateHeader("Expires", 0)
response.flushBuffer()

And these tags in the page:
<META HTTP-EQUIV="Cache-control" CONTENT="no-cache">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">

We have a SessionFixationProtectionFilter to protect us in the HTTPS steps.
The log from the server side is as follows:
preparesession in controller with sessionId = 1ED16C12C04E06A7628173195C471D64
displaylogin in controller with sessionId = 1ED16C12C04E06A7628173195C471D64
SessionFixationProtectionFilter class entered here!!!!!!!!!!!!!!
06-16 13:06:12 [DEBUG] com.sillycat.easywebflow.util.SessionUtil.startNewSessionIfRequired(SessionUtil.java:34) - Invalidating session with Id '1ED16C12C04E06A7628173195C471D64' and migrating attributes.
06-16 13:06:12 [DEBUG] com.sillycat.easywebflow.util.SessionUtil.startNewSessionIfRequired(SessionUtil.java:54) - Started new session: 89C26D84D4FC67E202C31CA4C50E0CA4
GET username = null password = null sessionId = 89C26D84D4FC67E202C31CA4C50E0CA4
displaylogin in controller with sessionId = 0FDA5D828BE9EAD31454E7B34765DA3F

So we can see that at the last step we have a new session id, 0FDA5D828BE9EAD31454E7B34765DA3F. Because this is a new session, all the data stored in the old session is lost.

That is the cause of the problem between HTTP and HTTPS: a session created over HTTP can be carried into HTTPS, but a session created over HTTPS cannot be carried back to HTTP since Tomcat 4.0. Tomcat sets the Secure flag on the JSESSIONID cookie of a session created on a secure request, so the browser never sends that cookie on a plain HTTP request, and the server has to create a new session.

How to fix this problem? Following a guide from others, I solved it like this: use another filter that, whenever a session is newly created on a secure request, writes the jsessionid into a cookie.
package com.sillycat.easywebflow.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpsCookieWriterFilter implements Filter {

public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
System.out.println("HttpsCookieWriterFilter class entered here!!!!!!!!!!!!!!");
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
CookieRequestWrapper wrapperRequest = new CookieRequestWrapper(
httpRequest);
wrapperRequest.setResponse(httpResponse);
chain.doFilter(wrapperRequest, response);
}

public void init(FilterConfig filterConfig) throws ServletException {

}

public void destroy() {

}

}

package com.sillycat.easywebflow.filter;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CookieRequestWrapper extends HttpServletRequestWrapper {

private HttpServletResponse response = null;

public CookieRequestWrapper(HttpServletRequest request) {
super(request);
}

public void setResponse(HttpServletResponse response) {
this.response = response;
}

public HttpSession getSession() {
HttpSession session = super.getSession();
processSessionCookie(session);
return session;
}

public HttpSession getSession(boolean create) {
HttpSession session = super.getSession(create);
processSessionCookie(session);
return session;
}

private void processSessionCookie(HttpSession session) {
if (null == response || null == session) {
return;
}
// Write the cookie at most once per request.
Object cookieOverWritten = getAttribute("COOKIE_OVERWRITTEN_FLAG");
// Only act on a secure request whose client sent a session cookie and whose
// session was created during this request (Tomcat issued it with the Secure flag).
if (null == cookieOverWritten && isSecure()
&& isRequestedSessionIdFromCookie() && session.isNew()) {
System.out.println("CookieRequestWrapper class entered here!!!!!!!!!!!!!! and sessionId=" + session.getId());
// Re-issue JSESSIONID without the Secure flag so plain HTTP pages keep the session.
Cookie cookie = new Cookie("JSESSIONID", session.getId());
cookie.setMaxAge(-1); // browser-session cookie, like Tomcat's own
String contextPath = getContextPath();
if ((contextPath != null) && (contextPath.length() > 0)) {
cookie.setPath(contextPath);
} else {
cookie.setPath("/");
}
response.addCookie(cookie);
setAttribute("COOKIE_OVERWRITTEN_FLAG", "true");
}
}
}

<filter>
<filter-name>httpsCookieWriterFilter</filter-name>
<filter-class>com.sillycat.easywebflow.filter.HttpsCookieWriterFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>sessionFixationProtoctionFilter</filter-name>
<url-pattern>/user.do</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>httpsCookieWriterFilter</filter-name>
<url-pattern>/user.do</url-pattern>
</filter-mapping>
This works: the request uses the jsessionid from the cookie and no new session is created. Note that the rewritten cookie is created without the Secure flag, which is exactly why the HTTP page can find the session again; the cost is that the session id issued over HTTPS is now also sent in the clear on HTTP requests. The log messages are now as follows:
SessionFixationProtectionFilter class entered here!!!!!!!!!!!!!!
HttpsCookieWriterFilter class entered here!!!!!!!!!!!!!!
CookieRequestWrapper class entered here!!!!!!!!!!!!!! and sessionId=A9CC7242FB755D0753B4A3D18A6B991A
GET username = null password = null sessionId = A9CC7242FB755D0753B4A3D18A6B991A
preparesession in controller with sessionId = A9CC7242FB755D0753B4A3D18A6B991A
displaylogin in controller with sessionId = A9CC7242FB755D0753B4A3D18A6B991A
SessionFixationProtectionFilter class entered here!!!!!!!!!!!!!!
06-16 17:45:41 [DEBUG] com.sillycat.easywebflow.util.SessionUtil.startNewSessionIfRequired(SessionUtil.java:34) - Invalidating session with Id 'A9CC7242FB755D0753B4A3D18A6B991A' and migrating attributes.
06-16 17:45:41 [DEBUG] com.sillycat.easywebflow.util.SessionUtil.startNewSessionIfRequired(SessionUtil.java:54) - Started new session: DA4AC9FA8777DA0DCBAC6C1D68C7A65F
HttpsCookieWriterFilter class entered here!!!!!!!!!!!!!!
CookieRequestWrapper class entered here!!!!!!!!!!!!!! and sessionId=DA4AC9FA8777DA0DCBAC6C1D68C7A65F
POST username = Karl password = kaishi sessionId = DA4AC9FA8777DA0DCBAC6C1D68C7A65F

We can also merge these two filters into one; the doFilter body then becomes:
startNewSessionIfRequired(request, response);

CookieRequestWrapper wrapperRequest = new CookieRequestWrapper(
request);
wrapperRequest.setResponse(response);
chain.doFilter(wrapperRequest, response);
//chain.doFilter(request, response);
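A complete merged filter, as an added example (my code, not the post's own): it performs the rotation step inline instead of calling SessionUtil.startNewSessionIfRequired, rotates only once per session rather than on every hit of /user.do, and carries the cookie rewrite as a nested wrapper so the class runs stand-alone. The class name and the attribute names are assumptions; it targets the Servlet 2.5 API and Tomcat's default JSESSIONID cookie name.

```java
package com.sillycat.easywebflow.filter;

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not the original post's code). One filter that does both jobs:
 * step 1 rotates the session id once per session on a secure request (session
 * fixation protection); step 2 wraps the request so a session created on a
 * secure request gets its JSESSIONID cookie re-issued WITHOUT the Secure flag,
 * which is what lets a later plain-HTTP page still find the session.
 * Assumptions: Servlet 2.5 API, Tomcat's default JSESSIONID cookie name; the
 * class and attribute names below are hypothetical.
 */
public class SecureSessionFilter implements Filter {

    // Session attribute marking that this session was already rotated (hypothetical name).
    static final String ROTATED = "com.sillycat.easywebflow.SESSION_ROTATED";
    // Request attribute guarding against writing the cookie twice per request (hypothetical name).
    static final String COOKIE_WRITTEN = "com.sillycat.easywebflow.COOKIE_WRITTEN";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Step 1: on the first secure hit of an existing session, invalidate it and
        // move its attributes into a new one, so an id fixed over HTTP is no longer valid.
        if (req.isSecure()) {
            rotateSessionOnce(req);
        }
        // Step 2: hand the controller a request whose getSession() re-issues the cookie.
        chain.doFilter(new CookieRewritingRequest(req, res), response);
    }

    /** Invalidate the current session and copy its attributes into a fresh one. */
    static HttpSession rotateSessionOnce(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old == null || old.getAttribute(ROTATED) != null) {
            return old; // nothing to rotate, or already done for this session
        }
        Map<String, Object> attrs = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = req.getSession(true); // Tomcat issues this one with the Secure flag
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(ROTATED, Boolean.TRUE);
        return fresh;
    }

    /** Whenever a new session is handed out on a secure request, re-issue its cookie. */
    static class CookieRewritingRequest extends HttpServletRequestWrapper {
        private final HttpServletResponse res;

        CookieRewritingRequest(HttpServletRequest req, HttpServletResponse res) {
            super(req);
            this.res = res;
        }

        public HttpSession getSession() {
            return rewrite(super.getSession());
        }

        public HttpSession getSession(boolean create) {
            return rewrite(super.getSession(create));
        }

        private HttpSession rewrite(HttpSession session) {
            // Skip clients that track the session by URL rewriting (no cookie came in),
            // sessions not created during this request, plain HTTP, and repeat calls.
            if (session == null || !session.isNew() || !isSecure()
                    || !isRequestedSessionIdFromCookie()
                    || getAttribute(COOKIE_WRITTEN) != null) {
                return session;
            }
            Cookie cookie = new Cookie("JSESSIONID", session.getId());
            cookie.setMaxAge(-1); // browser-session cookie, like Tomcat's own
            String path = getContextPath();
            cookie.setPath(path == null || path.length() == 0 ? "/" : path);
            // Deliberately NOT calling cookie.setSecure(true): the point is that the
            // next HTTP page can present this id. The trade-off is that a session id
            // issued over HTTPS will now travel in the clear on HTTP requests.
            res.addCookie(cookie);
            setAttribute(COOKIE_WRITTEN, Boolean.TRUE);
            return session;
        }
    }
}
```

Map it in web.xml to /user.do in place of the two filter-mapping entries above. The res.addCookie call is what overrides the Secure cookie Tomcat issued when the session was created; if a deployment cannot accept the HTTPS session id being sent over HTTP, that line is the one to revisit.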

References:
http://en.wikipedia.org/wiki/HTTP_cookie
http://java-guru.iteye.com/blog/157897



Reposted from sillycat.iteye.com/blog/1562131