I have a Java applet that runs inside a forms-authenticated aspx page. In the .NET 1.1 version of my site, the applet has access to the session cookie and is able to retrieve a file from the server, but in the .NET 2.0 version it fails to authenticate.
I have seen a couple of forum posts elsewhere that state that 2.0 sets cookies to HttpOnly by default, but the solutions given haven't worked for me so far. I also read somewhere that 2.0 may be discriminating based on user-agent.
Does anyone have any experience or insight into this?
This question is old, but I figured it was valuable to have the correct answer here.
Filip is confusing server-side Java with client-side Java. He is correct that you cannot share sessions between two server-side platforms, such as Java (J2EE) and ASP.Net without using a custom approach.
However, applets are client-side and therefore should be able to access the session information of the host page. The issue is that ASP.Net 2.0 added the HttpOnly flag on session cookies. This flag prevents JavaScript and Java applets from accessing these cookies.
The workaround is to turn off the HttpOnly flag on session cookies. While you may be able to do it in the configuration in newer versions of ASP.Net, in previous versions the solution was to add the following code to your Global.asax file:
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        /**
         * @note Remove the HttpOnly attribute from session cookies, otherwise the
         * Java applet won't have access to the session. This solution taken
         * from
         * http://blogs.msdn.com/jorman/archive/2006/03/05/session-loss-after-migrating-to-asp-net-2-0.aspx
         * For more information on the HttpOnly attribute see:
         * http://msdn.microsoft.com/netframework/programming/breakingchanges/runtime/aspnet.aspx
         * http://msdn2.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx
         */
        if (Response.Cookies.Count > 0)
        {
            foreach (string lName in Response.Cookies.AllKeys)
            {
                // Only the forms-authentication and session cookies are changed.
                if (lName == FormsAuthentication.FormsCookieName ||
                    lName.ToLower() == "asp.net_sessionid")
                {
                    Response.Cookies[lName].HttpOnly = false;
                }
            }
        }
    }
Note that even with this fix, not all browser/OS/Java combinations can access cookies. I'm currently researching an issue with session cookies not being accessible on Firefox 4.0.1 with Java 1.6.0_13 on Windows XP.
The workaround is to use the approach Dr. Dad suggested, where the session ID gets passed to the applet as a parameter, and then either gets embedded into the request URL (requires URL sessions to be turned on in the server-side configuration) or sent as a manually-set cookie.
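The "manually-set cookie" variant described in the answer above, as an added example that is not code from the original answer or from Dr. Dad. It assumes the host page emits a hypothetical `<param name="sessionId" ...>` for the applet, that the default `ASP.NET_SessionId` cookie name is in use, and it sends only the session cookie.

```java
import java.applet.Applet;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

// Added example: the applet receives the session ID as a <param> and
// sends it back to the server as a manually-set Cookie header.
public class SessionFetchApplet extends Applet {
    // Default ASP.NET session cookie name (the one matched in Global.asax).
    static final String SESSION_COOKIE = "ASP.NET_SessionId";

    // Accept only plain alphanumerics so a tampered parameter cannot add
    // extra cookies or header lines (format check is an assumption).
    static String cookieHeader(String sessionId) {
        if (sessionId == null || !sessionId.matches("[A-Za-z0-9]{1,64}")) {
            throw new IllegalArgumentException("unexpected session id format");
        }
        return SESSION_COOKIE + "=" + sessionId;
    }

    // Fetch a file relative to the applet's code base within the page's session.
    byte[] fetch(String relativePath) throws IOException {
        String sessionId = getParameter("sessionId"); // hypothetical param name
        URL url = new URL(getCodeBase(), relativePath);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        // Do not follow redirects: a 302 (for example to a login page)
        // means the server did not accept the session.
        conn.setInstanceFollowRedirects(false);
        conn.setRequestProperty("Cookie", cookieHeader(sessionId));
        try {
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
                throw new IOException("HTTP " + conn.getResponseCode());
            }
            InputStream in = conn.getInputStream();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } finally {
            conn.disconnect();
        }
    }
}
```

The session ID placed in the page markup is readable by script running in the host page, just as the cookie is once HttpOnly is turned off.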