Some of my users end up with 2 cookies. Their browsers send both to the server, and Tomcat seems to use the second cookie that matches the context root.
How does this happen? How can I stop it?
I only want the cookie without the trailing slash to exist.
For example, the browser sends:
JSESSIONID with path /foo
JSESSIONID with path /foo/
Edit:
Tomcat has a variable that affects this. I have not specified it, and I have seen the duplicate cookie problem occur in Chrome.
sessionCookiePathUsesTrailingSlash - Some browsers, such as Internet Explorer, Safari and Edge, will send a session cookie for a context with a path of /foo with a request to /foobar in violation of RFC6265. This could expose a session ID from an application deployed at /foo to an application deployed at /foobar. If the application deployed at /foobar is untrusted, this could create a security risk. However, it should be noted that RFC 6265, section 8.5 makes clear that path alone should not be view as sufficient to prevent untrusted applications accessing cookies from other applications. To mitigate this risk, this attribute may be set to true and Tomcat will add a trailing slash to the path associated with the session cookie so, in the above example, the cookie path becomes /foo/. However, with a cookie path of /foo/, browsers will no longer send the cookie with a request to /foo. This should not be a problem unless there is a servlet mapped to /*. In this case this attribute will need to be set to false to disable this feature. The default value for this attribute is false.
Send a cookie with a trailing slash in its path whose expiry date is in the past. Browsers should no longer send expired cookies.
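One way to implement the answer above as a servlet filter, written here as an added example rather than code from the question, the answer or Tomcat itself. It assumes the session cookie is named JSESSIONID (Tomcat's default), that the filter is registered for all requests of the affected web application, and that the unwanted cookie has the path "<contextPath>/" exactly as described in the question. The class name DuplicateSessionCookieFilter and the helper names are hypothetical.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not from the question or from Tomcat):
 * when a browser sends more than one JSESSIONID cookie, tell it to expire the
 * one scoped to "<contextPath>/" so that only the "<contextPath>" cookie is
 * left. The browser only removes a cookie if name, domain and path match the
 * Set-Cookie header exactly, so the path must be rebuilt the same way Tomcat
 * builds it when sessionCookiePathUsesTrailingSlash is true.
 */
@WebFilter("/*")
public class DuplicateSessionCookieFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (countSessionCookies(request.getCookies()) > 1) {
            // Browsers never echo the Path attribute back in the Cookie header,
            // so the server cannot see which of the two values came from which
            // path. It can only instruct the browser to drop the trailing-slash
            // variant by sending an already-expired cookie for that exact path.
            Cookie expired = new Cookie(SESSION_COOKIE, "");
            expired.setPath(trailingSlashPath(request.getContextPath()));
            expired.setMaxAge(0);                // Max-Age=0 / Expires in the past
            expired.setHttpOnly(true);
            expired.setSecure(request.isSecure());
            response.addCookie(expired);
        }
        chain.doFilter(req, res);
    }

    /** Number of cookies named JSESSIONID in the request (0 when none sent). */
    static int countSessionCookies(Cookie[] cookies) {
        if (cookies == null) {
            return 0;
        }
        int n = 0;
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName())) {
                n++;
            }
        }
        return n;
    }

    /** "/foo" becomes "/foo/"; the root context "" becomes "/". */
    static String trailingSlashPath(String contextPath) {
        return contextPath.endsWith("/") ? contextPath : contextPath + "/";
    }
}
```

The filter only cleans up the symptom. Because the cookie header carries no path, the only reliable signal is "more than one JSESSIONID arrived", and the fix is to expire the trailing-slash path explicitly; expiring the wrong path would do nothing, and expiring both paths would log the user out. It is still worth finding where the "/foo/" cookie is being issued in the first place, since a Tomcat instance that has sessionCookiePathUsesTrailingSlash set to true (for example one node behind a load balancer) will keep re-creating it.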