Session between HTTPS and HTTP
Recently we met a problem with sessions between HTTPS and HTTP. The steps are as follows:
first page ---> put data in session ---> second page displays session data ---> access HTTPS ---> third page displays session data
When we click the back button in the third page we come back to the second page, and the session data is lost.
And we set these headers in the second step:
response.setHeader("Pragma", "no-cache");
response.addHeader("Cache-Control", "no-cache");
response.addHeader("Cache-Control", "no-store");
response.addHeader("Cache-Control", "must-revalidate");
response.setDateHeader("Expires", 0);
response.flushBuffer();
And these tags in the page:
<META HTTP-EQUIV="Cache-control" CONTENT="no-cache">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">
We have a SessionFixationProtectionFilter to protect us in the HTTPS steps.
The log from the server side is as follows:
preparesession in controller with sessionId = 1ED16C12C04E06A7628173195C471D64
displaylogin in controller with sessionId = 1ED16C12C04E06A7628173195C471D64
SessionFixationProtectionFilter class entered here!!!!!!!!!!!!!!
06-16 13:06:12 [DEBUG] com.sillycat.easywebflow.util.SessionUtil.startNewSessionIfRequired(SessionUtil.java:34) - Invalidating session with Id '1ED16C12C04E06A7628173195C471D64' and migrating attributes.
06-16 13:06:12 [DEBUG] com.sillycat.easywebflow.util.SessionUtil.startNewSessionIfRequired(SessionUtil.java:54) - Started new session: 89C26D84D4FC67E202C31CA4C50E0CA4
GET username = null password = null sessionId = 89C26D84D4FC67E202C31CA4C50E0CA4
displaylogin in controller with sessionId = 0FDA5D828BE9EAD31454E7B34765DA3F
So we can see that at the last step we have a new session id, 0FDA5D828BE9EAD31454E7B34765DA3F. Because it is a new session, all the data we stored in the old session is lost.
That is the difference between HTTP and HTTPS: a session created over HTTP can be carried into HTTPS, but since Tomcat 4.0 a session created over HTTPS cannot be carried back to HTTP, because the JSESSIONID cookie Tomcat issues on a secure request carries the Secure flag and the browser will not send it on a plain HTTP request.
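The browser-side rule behind this, as an added example that is not part of the original post: Python's standard http.cookiejar applies the same Secure-cookie rule a browser does, so it can show why a session created over HTTPS is not carried back to HTTP, and why re-issuing the JSESSIONID cookie without the Secure flag makes the same id reappear on the HTTP request. The host app.example, the Set-Cookie header values and the ConstructedResponse class are constructed for this example; the session id is copied from the post's log. The same rule is also what protects the id: a JSESSIONID sent over plain HTTP can be read by anyone on the network path, so a filter that re-issues it without Secure trades that protection for the back-button case, which is worth knowing before deploying the fix.

```python
import email.message
import http.cookiejar
import urllib.request

# Session id copied from the post's log; host and headers are constructed for this example.
SESSION_ID = "DA4AC9FA8777DA0DCBAC6C1D68C7A65F"
HTTPS_URL = "https://app.example/user.do"
HTTP_URL = "http://app.example/user.do"

# What the container sends for a session created on an HTTPS request (Secure flag set),
# and what a wrapper that re-issues the cookie sends (same id, no Secure flag).
CONTAINER_COOKIE = "JSESSIONID=%s; Path=/; Secure" % SESSION_ID
REWRITTEN_COOKIE = "JSESSIONID=%s; Path=/" % SESSION_ID


class ConstructedResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs info() to
    return an object with get_all(), which email.message.Message provides."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def receive_over_https(jar, set_cookie_value):
    """Store a cookie exactly as if the HTTPS response to /user.do had set it."""
    request = urllib.request.Request(HTTPS_URL)
    jar.extract_cookies(ConstructedResponse([set_cookie_value]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar attaches to a request for url, or None
    when the policy withholds every stored cookie (a Secure cookie over http)."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate(set_cookie_value, later_url):
    """Set one cookie over HTTPS, then report what is sent to later_url."""
    jar = http.cookiejar.CookieJar()
    receive_over_https(jar, set_cookie_value)
    return cookie_header_for(jar, later_url)


if __name__ == "__main__":
    print("container cookie, back to HTTP :", simulate(CONTAINER_COOKIE, HTTP_URL))
    print("container cookie, stay on HTTPS:", simulate(CONTAINER_COOKIE, HTTPS_URL))
    print("re-issued cookie, back to HTTP :", simulate(REWRITTEN_COOKIE, HTTP_URL))
```

The first call returns None: the Secure cookie is withheld on the http:// request, which is exactly the point where the post's second page gets a brand-new session. The third call returns the same JSESSIONID on http://, which is what the filter below relies on.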
How to fix this problem? Following a guide from others, I solved it with another filter: every time a new session is created on a secure request, I write the jsessionid into a cookie myself.
package com.sillycat.easywebflow.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Wraps every request so that a session created on a secure (HTTPS) request
 * gets its JSESSIONID re-issued as a cookie the browser will also send over HTTP.
 */
public class HttpsCookieWriterFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        System.out.println("HttpsCookieWriterFilter class entered here!!!!!!!!!!!!!!");
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // the wrapper intercepts the getSession() calls made further down the chain
        CookieRequestWrapper wrapperRequest = new CookieRequestWrapper(httpRequest);
        wrapperRequest.setResponse(httpResponse);
        chain.doFilter(wrapperRequest, response);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }
}
package com.sillycat.easywebflow.filter;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CookieRequestWrapper extends HttpServletRequestWrapper {

    private HttpServletResponse response = null;

    public CookieRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    public void setResponse(HttpServletResponse response) {
        this.response = response;
    }

    public HttpSession getSession() {
        HttpSession session = super.getSession();
        processSessionCookie(session);
        return session;
    }

    public HttpSession getSession(boolean create) {
        HttpSession session = super.getSession(create);
        processSessionCookie(session);
        return session;
    }

    /**
     * When a new session is created on a secure request, write its id into a
     * JSESSIONID cookie ourselves. The container's own cookie for a session
     * created over HTTPS carries the Secure flag, so the browser would not send
     * it back on a later plain-HTTP request; the cookie written here has no
     * Secure flag, so the same id is presented over both schemes. A request
     * attribute makes sure this happens only once per request.
     */
    private void processSessionCookie(HttpSession session) {
        if (null == response || null == session) {
            return;
        }
        Object cookieOverWritten = getAttribute("COOKIE_OVERWRITTEN_FLAG");
        if (null == cookieOverWritten && isSecure()
                && isRequestedSessionIdFromCookie() && session.isNew()) {
            System.out.println("CookieRequestWrapper class entered here!!!!!!!!!!!!!! and sessionId=" + session.getId());
            Cookie cookie = new Cookie("JSESSIONID", session.getId());
            cookie.setMaxAge(-1); // browser-session cookie, not persisted to disk
            String contextPath = getContextPath();
            if ((contextPath != null) && (contextPath.length() > 0)) {
                cookie.setPath(contextPath);
            } else {
                cookie.setPath("/");
            }
            response.addCookie(cookie);
            setAttribute("COOKIE_OVERWRITTEN_FLAG", "true");
        }
    }
}
<filter>
    <filter-name>httpsCookieWriterFilter</filter-name>
    <filter-class>com.sillycat.easywebflow.filter.HttpsCookieWriterFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>sessionFixationProtoctionFilter</filter-name>
    <url-pattern>/user.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>httpsCookieWriterFilter</filter-name>
    <url-pattern>/user.do</url-pattern>
</filter-mapping>
This works: the jsessionid from the cookie is reused and no new session is created. The log messages are as follows:
SessionFixationProtectionFilter class entered here!!!!!!!!!!!!!!
HttpsCookieWriterFilter class entered here!!!!!!!!!!!!!!
CookieRequestWrapper class entered here!!!!!!!!!!!!!! and sessionId=A9CC7242FB755D0753B4A3D18A6B991A
GET username = null password = null sessionId = A9CC7242FB755D0753B4A3D18A6B991A
preparesession in controller with sessionId = A9CC7242FB755D0753B4A3D18A6B991A
displaylogin in controller with sessionId = A9CC7242FB755D0753B4A3D18A6B991A
SessionFixationProtectionFilter class entered here!!!!!!!!!!!!!!
06-16 17:45:41 [DEBUG] com.sillycat.easywebflow.util.SessionUtil.startNewSessionIfRequired(SessionUtil.java:34) - Invalidating session with Id 'A9CC7242FB755D0753B4A3D18A6B991A' and migrating attributes.
06-16 17:45:41 [DEBUG] com.sillycat.easywebflow.util.SessionUtil.startNewSessionIfRequired(SessionUtil.java:54) - Started new session: DA4AC9FA8777DA0DCBAC6C1D68C7A65F
HttpsCookieWriterFilter class entered here!!!!!!!!!!!!!!
CookieRequestWrapper class entered here!!!!!!!!!!!!!! and sessionId=DA4AC9FA8777DA0DCBAC6C1D68C7A65F
POST username = Karl password = kaishi sessionId = DA4AC9FA8777DA0DCBAC6C1D68C7A65F
And we can merge these two filters into one. The doFilter method of the combined filter then looks like this:
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // first the fixation protection: invalidate and migrate the session if required
    startNewSessionIfRequired(request, response);
    // then wrap the request so a new secure session re-issues the JSESSIONID cookie
    CookieRequestWrapper wrapperRequest = new CookieRequestWrapper(request);
    wrapperRequest.setResponse(response);
    chain.doFilter(wrapperRequest, response);
    //chain.doFilter(request, response);
}
References:
http://en.wikipedia.org/wiki/HTTP_cookie
http://java-guru.iteye.com/blog/157897