My web application stops working after JSESSIONID appears in URL

别来无恙 posted on 2020-01-06 02:49:20

Question


I have a web application running in Apache Tomcat 7 and using Struts2. My login system is made by putting a User object in a session:

(bypassing "if" and "try" to be clear...)

UserService es = new UserService();
User user = es.login(username, password);
ActionContext.getContext().getSession().put("loggedUser", user);

And then, I try to get a User object from that session in an Interceptor. If OK, then someone is logged in. If not, go to the login page by returning "notLogged", which will be caught by the Struts2 global-results in struts.xml:

public String intercept(ActionInvocation invocation) {
    User loggedUser = (User)invocation.getInvocationContext().getSession().get("loggedUser");
    if (loggedUser == null) {
        return "notLogged";
    }
    try {
        return invocation.invoke();
    } catch ( Exception ignored ) {
        return "notLogged";
    }
}

struts.xml

<global-results>
    <result name="notLogged">/index.jsp</result> 
</global-results>

All was very well, until the server admin did some maintenance and the "jsessionid" started to appear in the URL. After this, I can't navigate my system anymore (unless I copy and paste this ID into every URL I want to go to; no way for form action destinations). I am still able to log in and I see the User object is still being caught, but I can't go to any destination without this ID.

I tried this: https://fralef.me/tomcat-disable-jsessionid-in-url.html, and put COOKIE in the tracking-mode tag in my web.xml, but things got worse because now I can't even log in.

What happened, and what can I do to solve this and put my system back to work?


Answer 1:


This is apparently caused by cookie path mismatch.

The browser will only send back the cookie if the request URL path matches the cookie path, e.g.

cookie path:  /abc
request path: /abc/xyz   // match
request path: /xyz       // no match

By default, Tomcat sets the session cookie path to the web app path, so that the cookie will not be sent to other web apps. However, in your case, the middleware changes the request URL path, therefore the browser observes a different path, causing a cookie path mismatch.

In most cases, I'd recommend setting the cookie path to "/", so that it matches all requests to the server (assuming there's only one app on Tomcat).

<!-- context.xml -->
<Context sessionCookiePath="/">
    <!-- existing child elements, if any -->
</Context>
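The path-match rule the answer describes, together with the symptoms from the question, as an added example that is not part of the original answer. The `/shop` context path, the `/store` public path and `/otherapp` are constructed assumptions, and `sessionOutcome` is a simplified model of the container's behaviour rather than Tomcat code.

```javascript
// Added example: constructed paths, not taken from the original post.
// RFC 6265 section 5.1.4: does a cookie with this Path attribute match the request path?
function pathMatch(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts at a "/" boundary, so "/shop" does not match "/shopping".
  return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
}

// Simplified model of what the user sees for one request.
// trackingModes: the modes allowed in web.xml, e.g. ["COOKIE", "URL"] or ["COOKIE"].
function sessionOutcome(cookiePath, requestPath, trackingModes) {
  if (trackingModes.includes("COOKIE") && pathMatch(cookiePath, requestPath)) {
    return "cookie sent, session found";
  }
  if (trackingModes.includes("URL")) {
    return "no cookie, session only via ;jsessionid= in the URL";
  }
  return "no cookie, no URL fallback, session lost";
}

// Hypothetical deployment: Tomcat serves the app at context path /shop,
// while a reverse proxy publishes it to browsers under /store.
const TOMCAT_CONTEXT_PATH = "/shop";
const BROWSER_PATH = "/store/cart.action";

function report() {
  return {
    // Default cookie path, both tracking modes: jsessionid shows up in URLs.
    defaultBoth: sessionOutcome(TOMCAT_CONTEXT_PATH, BROWSER_PATH, ["COOKIE", "URL"]),
    // Default cookie path, COOKIE only: even the login cannot stick.
    defaultCookieOnly: sessionOutcome(TOMCAT_CONTEXT_PATH, BROWSER_PATH, ["COOKIE"]),
    // sessionCookiePath="/": the cookie matches the public path again.
    rootPath: sessionOutcome("/", BROWSER_PATH, ["COOKIE"]),
    // Path=/ also matches every other application on the same host.
    rootPathOtherApp: pathMatch("/", "/otherapp/admin"),
  };
}

console.log(report());
```

The last field shows why the answer's "only one app on Tomcat" assumption matters: with Path=/ the session cookie is sent to every application served from that host.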


Source: https://stackoverflow.com/questions/33247677/my-web-application-stop-working-after-jsessionid-appear-in-url
