问题描述

由于某些安全原因，我决定通过URL中的 jsessionid 禁用会话跟踪。在我将web.xml更改为下面的文件之前，我第一次在网址中访问了网页中的 jsessionid ，点击第一个链接后，它从未出现过再次。

Because of some security reasons I deceided to disable session tracking by jsessionid in URL. Before I changed my web.xml to the one below, I had on the first time I visited the page a jsessionid in the url, after clicking the first link, it never appeared again.

我的 web.xml 看起来像

   <session-config>
      <session-timeout>10</session-timeout>
      <cookie-config>
         <secure>true</secure>
      </cookie-config>
      <tracking-mode>COOKIE</tracking-mode>
   </session-config>

现在我在URL中有 jsessionid ，如果我点击页面上的其他链接，它永远不会消失。每次点击都会改变。

Now I have the jsessionid in the URL, if I click another link on the page it never disappears. It changes on every click.

如果我尝试调用JSF动作，我会得到一个 javax.faces.application.ViewExpiredException 但是托管bean是 @SessionScoped 。

If I try to invoke a JSF action, I get an javax.faces.application.ViewExpiredException but the managed bean is @SessionScoped.

这是我的依赖树：

[INFO] Scanning for projects...
[INFO] Searching repository for plugin with prefix: 'dependency'.
[INFO] ------------------------------------------------------------------------
[INFO] Building Java EE 6 webapp project
[INFO]    task-segment: [dependency:tree]
[INFO] ------------------------------------------------------------------------
[INFO] [dependency:tree {execution: default-cli}]
[INFO] de.project:demoapp:war:1.0-SNAPSHOT
[INFO] +- javax.enterprise:cdi-api:jar:1.0-SP4:provided
[INFO] |  +- org.jboss.spec.javax.interceptor:jboss-interceptors-api_1.1_spec:jar:1.0.0.Final:provided (version managed from 1.0.0.Beta1)
[INFO] |  \- javax.inject:javax.inject:jar:1:provided
[INFO] +- org.jboss.spec.javax.annotation:jboss-annotations-api_1.1_spec:jar:1.0.0.Final:provided
[INFO] +- org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_1.1_spec:jar:1.0.0.Final:provided
[INFO] +- org.hibernate.javax.persistence:hibernate-jpa-2.0-api:jar:1.0.1.Final:provided
[INFO] +- org.jboss.spec.javax.ejb:jboss-ejb-api_3.1_spec:jar:1.0.1.Final:provided
[INFO] +- org.hibernate:hibernate-validator:jar:4.2.0.Final:provided
[INFO] |  \- javax.validation:validation-api:jar:1.0.0.GA:provided
[INFO] +- org.hibernate:hibernate-jpamodelgen:jar:1.1.1.Final:provided
[INFO] +- junit:junit:jar:4.10:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] +- org.jboss.arquillian.junit:arquillian-junit-container:jar:1.0.0.CR4:test
[INFO] |  +- org.jboss.arquillian.junit:arquillian-junit-core:jar:1.0.0.CR4:test
[INFO] |  +- org.jboss.arquillian.test:arquillian-test-api:jar:1.0.0.CR4:test
[INFO] |  |  \- org.jboss.arquillian.core:arquillian-core-api:jar:1.0.0.CR4:test
[INFO] |  +- org.jboss.arquillian.test:arquillian-test-spi:jar:1.0.0.CR4:test
[INFO] |  |  +- org.jboss.arquillian.core:arquillian-core-spi:jar:1.0.0.CR4:test
[INFO] |  |  \- org.jboss.shrinkwrap:shrinkwrap-api:jar:1.0.0-beta-5:test
[INFO] |  +- org.jboss.arquillian.container:arquillian-container-test-api:jar:1.0.0.CR4:test
[INFO] |  +- org.jboss.arquillian.container:arquillian-container-test-spi:jar:1.0.0.CR4:test
[INFO] |  +- org.jboss.arquillian.core:arquillian-core-impl-base:jar:1.0.0.CR4:test
[INFO] |  +- org.jboss.arquillian.test:arquillian-test-impl-base:jar:1.0.0.CR4:test
[INFO] |  +- org.jboss.arquillian.container:arquillian-container-impl-base:jar:1.0.0.CR4:test
[INFO] |  |  +- org.jboss.arquillian.config:arquillian-config-api:jar:1.0.0.CR4:test
[INFO] |  |  \- org.jboss.arquillian.config:arquillian-config-impl-base:jar:1.0.0.CR4:test
[INFO] |  |     \- org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-spi:jar:1.1.0-alpha-2:test
[INFO] |  +- org.jboss.arquillian.container:arquillian-container-test-impl-base:jar:1.0.0.CR4:test
[INFO] |  \- org.jboss.shrinkwrap:shrinkwrap-impl-base:jar:1.0.0-beta-5:test
[INFO] |     \- org.jboss.shrinkwrap:shrinkwrap-spi:jar:1.0.0-beta-5:test
[INFO] +- org.jboss.arquillian.protocol:arquillian-protocol-servlet:jar:1.0.0.CR4:test
[INFO] |  \- org.jboss.arquillian.container:arquillian-container-spi:jar:1.0.0.CR4:test
[INFO] |     \- org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api:jar:1.1.0-alpha-2:test
[INFO] +- javax.mail:mail:jar:1.4.4:compile
[INFO] |  \- javax.activation:activation:jar:1.1:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- org.owasp.esapi:esapi:jar:2.0.1:compile
[INFO] |  +- commons-configuration:commons-configuration:jar:1.5:compile
[INFO] |  |  +- commons-lang:commons-lang:jar:2.3:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.1:compile
[INFO] |  |  |  +- logkit:logkit:jar:1.0.1:compile
[INFO] |  |  |  \- avalon-framework:avalon-framework:jar:4.1.3:compile
[INFO] |  |  \- commons-digester:commons-digester:jar:1.8:compile
[INFO] |  |     \- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |  +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.2:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.2:compile
[INFO] |  +- xom:xom:jar:1.1:compile
[INFO] |  |  +- xerces:xmlParserAPIs:jar:2.6.2:compile
[INFO] |  |  +- xerces:xercesImpl:jar:2.6.2:compile
[INFO] |  |  +- xalan:xalan:jar:2.7.0:compile
[INFO] |  |  |  \- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] |  |  \- jaxen:jaxen:jar:1.1-beta-8:compile
[INFO] |  |     +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  |     \- jdom:jdom:jar:1.0:compile
[INFO] |  +- org.beanshell:bsh-core:jar:2.0b4:compile
[INFO] |  \- org.owasp.antisamy:antisamy:jar:1.4.3:compile
[INFO] |     +- org.apache.xmlgraphics:batik-css:jar:1.7:compile
[INFO] |     |  +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile
[INFO] |     |  +- org.apache.xmlgraphics:batik-util:jar:1.7:compile
[INFO] |     |  \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] |     +- net.sourceforge.nekohtml:nekohtml:jar:1.9.12:compile
[INFO] |     \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] |        \- commons-codec:commons-codec:jar:1.2:compile
[INFO] +- com.sun.faces:jsf-api:jar:2.1.7:compile
[INFO] \- joda-time:joda-time:jar:1.6:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESSFUL
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 5 seconds
[INFO] Finished at: Mon Mar 19 12:55:23 CET 2012
[INFO] Final Memory: 31M/342M
[INFO] ----------------------------------------

编辑：
看起来没有

it looks like it's working without the

<cookie-config>
   <secure>true</secure>
</cookie-config>

默认情况下，Cookie也处于安全模式


这是正常的吗？我不再需要这个cookie配置的东西吗？
谢谢！

the cookies is also in secure mode by default
is this normal? do i need this cookie config stuff not anymore?thanks!

推荐答案

您使用的是https ssl还是端口80 http？如果使用http然后删除安全cookie作为ssl上的安全手段

are you using https ssl or port 80 http ? if using http then remove the secure cookie as secure means over ssl

看起来Web服务器意识到它没有获取cookie，所以每次都要创建一个新会话。如果您禁用安全cookie（意味着将其设为假），那么它应该可以正常工作。

Looks like web server realizes its not getting cookie and so making a new session every time. if you disable secure cookie (means make it false) then it should work.

它不能确保浏览器接受cookie。 向您展示如何看到cookies（除非测试，否则不要删除）

it it does not make sure the browser is accepting cookies. https://www.youtube.com/watch?v=CVEo7wug2ks shows you how to see cookies (do not delete unless testing)

这篇关于在URL中运行没有jsessionid的JBoss 7.0.1无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！