Spring Session产生的sessionid与cookies中的sessionid不一样的问题 httpOnly 设置不起作用

本文主要是介绍Spring Session产生的sessionid与cookies中的sessionid不一样的问题 httpOnly 设置不起作用，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

摘自： https://www.cnblogs.com/imyjy/p/9187168.html
背景:
　　Springboot 2.0 (spring-session-data-redis + spring-boot-starter-web)
需求:

通过cookies中取到的 sessionid 获取到 session

预期效果:

@Autowired

private SessionRepositry sessionRepositry;

…

Session session = sessionRespositry.findById(sessionId);

真实结果: 获取到的session是null, 然而通过 request.getSession(); 可以获取到session, 说明 session是存在的.

问题追踪后发现问题:

cookie中的sessionId 与 session.getId() 不一样!!!

DEBUG:
　　1. 先看一看SpringSession是如何从Cookie中获取sessionid的! (相关类: org.springframework.session.web.http.DefaultCookieSerializer)
在这里插入图片描述

2. 再看一看 useBase64Encoding 的值是啥, 首先看默认值

在这里插入图片描述

3. 看看这些配置是在哪里被(赋值)确认的, 一路追踪到 org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration 配置类中

在这里插入图片描述
　看看 createDefaultCookieSerializer() 是如何实现的

在这里插入图片描述

4. 从上面可以得出结论, 我们无法通过配置文件中 server.servlet.session.** 来配置 useBase64Encoding. 使 cookie中的 sessionid 与 session.getId() 保持一致

5. 期间发现的另一个问题: 虽然 sessionCookieConfig 有httpOnly相关配置, 但这里并未将配置设入 cookieSerializer 中, 导致配置文件中的 server.servlet.session.cookie.httpOnly = false 不起作用

解决方案:

第一种方案: 通过配置自定义的 CookieSerializer 来指定配置信息(如果觉得麻烦请直接看第二种方案), 如下

a) 首先因为 SessionCookieConfig 接口中并没有定义 isUseBase64Encoding() 等接口, 导致缺少了部分配置, 所以我自定义了一个 MySessionCookieConfig 接口继承了 SessionCookieConfig, 并写了一个默认实现 MyDefaultSessionCookieConfig
　
　　MySessionCookieConfig

package com.cardgame.demo.center.config;import javax.servlet.SessionCookieConfig;/**** 补充 SessionCookie 中未定义的配置项* @author yjy* 2018-06-15 13:30*/
public interface MySessionCookieConfig extends SessionCookieConfig {String getDomainPattern();void setDomainPattern(String domainPattern);String getJvmRoute();void setJvmRoute(String jvmRoute);boolean isUseBase64Encoding();void setUseBase64Encoding(boolean useBase64Encoding);}

MyDefaultSessionCookieConfig

package com.cardgame.demo.center.config;import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;/**** 涵盖 CookieSerializer 所有配置项* @author yjy* 2018-06-15 13:31*/
@Component
@ConfigurationProperties(prefix = "server.servlet.session.cookie")
public class MyDefaultSessionCookieConfig implements MySessionCookieConfig {private String name = "SESSION";private String path;private String domain;private String comment;private int maxAge = -1;private String domainPattern;private String jvmRoute;private boolean httpOnly = true;private boolean secure = false;private boolean useBase64Encoding = false;@Overridepublic String getDomainPattern() {return domainPattern;}@Overridepublic void setDomainPattern(String domainPattern) {this.domainPattern = domainPattern;}@Overridepublic String getJvmRoute() {return jvmRoute;}@Overridepublic void setJvmRoute(String jvmRoute) {this.jvmRoute = jvmRoute;}@Overridepublic boolean isUseBase64Encoding() {return useBase64Encoding;}@Overridepublic void setUseBase64Encoding(boolean useBase64Encoding) {this.useBase64Encoding = useBase64Encoding;}@Overridepublic String getName() {return name;}@Overridepublic void setName(String name) {this.name = name;}@Overridepublic String getPath() {return path;}@Overridepublic void setPath(String path) {this.path = path;}@Overridepublic String getDomain() {return domain;}@Overridepublic void setDomain(String domain) {this.domain = domain;}@Overridepublic String getComment() {return comment;}@Overridepublic void setComment(String comment) {this.comment = comment;}@Overridepublic boolean isHttpOnly() {return httpOnly;}@Overridepublic void setHttpOnly(boolean httpOnly) {this.httpOnly = httpOnly;}@Overridepublic boolean isSecure() {return secure;}@Overridepublic void setSecure(boolean secure) {this.secure = secure;}@Overridepublic int getMaxAge() {return maxAge;}@Overridepublic void setMaxAge(int maxAge) {this.maxAge = maxAge;}
}

b) 利用 MyDefaultSessionCookieConfig 携带的配置, 自定义 CookieSerializer Bean

package com.cardgame.demo.center.config;import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;
import org.springframework.util.ClassUtils;
import org.springframework.util.ObjectUtils;import javax.servlet.ServletContext;
import javax.servlet.SessionCookieConfig;/**** @author yjy* 2018-06-08 14:53*/
@Slf4j
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 3600, redisNamespace = "center")
public class RedisSessionConfig implements ApplicationContextAware {@Beanpublic CookieSerializer cookieSerializer(ServletContext servletContext, MySessionCookieConfig sessionCookieConfig) {DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();if (servletContext != null) {if (sessionCookieConfig != null) {if (sessionCookieConfig.getName() != null)cookieSerializer.setCookieName(sessionCookieConfig.getName());if (sessionCookieConfig.getDomain() != null)cookieSerializer.setDomainName(sessionCookieConfig.getDomain());if (sessionCookieConfig.getPath() != null)cookieSerializer.setCookiePath(sessionCookieConfig.getPath());if (sessionCookieConfig.getMaxAge() != -1)cookieSerializer.setCookieMaxAge(sessionCookieConfig.getMaxAge());if (sessionCookieConfig.getDomainPattern() != null)cookieSerializer.setDomainNamePattern(sessionCookieConfig.getDomainPattern());if (sessionCookieConfig.getJvmRoute() != null)cookieSerializer.setJvmRoute(sessionCookieConfig.getJvmRoute());cookieSerializer.setUseSecureCookie(sessionCookieConfig.isSecure());cookieSerializer.setUseBase64Encoding(sessionCookieConfig.isUseBase64Encoding());cookieSerializer.setUseHttpOnlyCookie(sessionCookieConfig.isHttpOnly());}}if (ClassUtils.isPresent("org.springframework.security.web.authentication.RememberMeServices",null)) {boolean usesSpringSessionRememberMeServices = !ObjectUtils.isEmpty(this.context.getBeanNamesForType(SpringSessionRememberMeServices.class));if (usesSpringSessionRememberMeServices) {cookieSerializer.setRememberMeRequestAttribute(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR);}}return cookieSerializer;}private ApplicationContext context;@Overridepublic void setApplicationContext(ApplicationContext applicationContext) throws BeansException {this.context = applicationContext;}
}

c) 修改配置文件配置

在这里插入图片描述

d) 配置完成后重新启动, 再看 SpringHttpSessionConfiguration 加载的时候, 拿到了我们自定义的 CookieSerializer, 我想要的配置都有了!! 打开浏览器测试通过!!
在这里插入图片描述

第二种方案: 拿到 Cookie 中的 sessionId 后, 手动解码, 再通过 sessionRespositry.findById(sessionId); 获取session

a) 解码的方案从 DefaultSerializer 类中 copy 一个 , 如下:

/*** Decode the value using Base64.* @param base64Value the Base64 String to decode* @return the Base64 decoded value* @since 1.2.2*/
private String base64Decode(String base64Value) {try {byte[] decodedCookieBytes = Base64.getDecoder().decode(base64Value);return new String(decodedCookieBytes);}catch (Exception e) {return null;}
}

b) 获取步骤:

String cookieSessionId = “XXX”;

String sessionId = base64Decode(cookieSessionId);

Session session = sessionRespositry.findById(sessionId);

c) 搞定! (此方案未解决 httpOnly 不起效的问题, 如果要解决 httpOnly = false , 请看方案一)

这篇关于Spring Session产生的sessionid与cookies中的sessionid不一样的问题 httpOnly 设置不起作用的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！