Cookie does not expire after Chrome is closed


Problem description

I use Shiro framework for authentication.

The problem is: when I close the Chrome browser and open it again, I can still get access to protected URLs. If I delete the jsessionid cookie by hand, all is OK and access to protected URLs becomes forbidden. In the settings of jsessionid I see: Expires: When the browsing session ends. So it should have expired, but it doesn't. I also did this in Firefox and did not have that problem. I have no idea even which way to investigate.

P.S. I don't use Shiro's remember-me functionality. But, anyway, when it is used, Shiro creates another cookie (named rememberMe).

Recommended answer

This is a known behavior on Chrome. Nothing to do with Apache Shiro. Here is the link:

Think Google has marked this as WONTFIX, so most likely we will have to live with this. To counter this, I set the max-age to some acceptable value so that FF and Chrome can have the same behavior. Otherwise, while FF logs me off when the window closes, Chrome may continue to keep the session for whatever length it decides.

Another way is to trigger session validation in Shiro to harvest all expired sessions in Shiro and invalidate them. That way, any client trying to log in with an expired session will be told so. At that point you may choose to redirect the user to the login page.
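An added example, not part of the original answer: a `shiro.ini` fragment covering the two measures described above. It assumes Shiro's native web sessions (`DefaultWebSessionManager`) rather than servlet-container sessions, and the timeout values are illustrative.

```ini
[main]
# Assumption: native Shiro sessions. With container-managed sessions the
# cookie lifetime is set in the container's session-config instead.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Measure 1: explicit cookie lifetime in seconds.
# -1 means "expire at end of browsing session", which Chrome may not honour
# when it restores the previous session on restart.
sessionManager.sessionIdCookie.maxAge = 1800
sessionManager.sessionIdCookie.httpOnly = true
# Enable when the application is served over HTTPS only.
sessionManager.sessionIdCookie.secure = true

# Server-side idle timeout in milliseconds. The cookie's max-age is enforced
# by the browser, so this is the limit the server itself applies.
sessionManager.globalSessionTimeout = 1800000

# Measure 2: periodic validation that finds expired sessions and
# invalidates them (interval in milliseconds).
sessionManager.sessionValidationSchedulerEnabled = true
sessionManager.sessionValidationInterval = 600000
```

Keeping `maxAge` (seconds) aligned with `globalSessionTimeout` (milliseconds) gives Chrome and Firefox the same visible behaviour while the server still rejects any session that has been idle past the timeout.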

07-24 13:57