我使用的是 Java 8、Wildfly 11、Spring 4 和 Apache 2.4。我有这段设置 session cookie 的 Java 代码
cookie = new Cookie(SESSION_ID_KEY, sessionId);
...
final String domain = request.getServerName().indexOf(".") == -1 ? request.getServerName() : request.getServerName().substring(request.getServerName().indexOf(".") + 1, request.getServerName().length());
if (!StringUtils.equals(domain, "localhost") && !isIpAddress)
{
cookie.setDomain(domain.indexOf('.') > -1 ? "." + domain : domain);
} // if
final String contextPath = request.getContextPath() != null && request.getContextPath().endsWith("/") ? request.getContextPath().substring(0, request.getContextPath().length() - 1): request.getContextPath();
cookie.setPath(contextPath);
System.out.println("setting domain " + domain + " and context path:" + contextPath);
response.addCookie(cookie);
我注意到在我的浏览器中没有创建这个 cookie。然后我查看了 Postman,并注意到没有创建 cookie,尽管我看到了这些响应 header ......
Set-Cookie →MY.SESSION.ID=10c25010534c4dd3900851ec1dfaebeb; path=/context; domain=.compute-1.amazonaws.com
Set-Cookie →closeTrialNoteDialog=""; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
看起来,当没有创建 cookie 时,响应 header 仍然包含此 Set-Cookie header 。不过,我无法判断上述任何一个有什么问题,这会阻止创建 cookie。任何见解表示赞赏,
最佳答案
Cookie 域必须是私有(private)域,特定于您的组织,而不是许多组织使用的公共(public)域。
在这种情况下,您正在使用的 AWS 域 .compute-1.amazonaws.com 未被设置,因为浏览器将其视为公共(public)域,特别称为“有效顶级域 (eTLD)、“扩展顶级域”和“公共(public)后缀”。常见的顶级域 (TLD) 包括“通用 TLD”(gTLD),例如 .com、.net 和 .org 以及“国家/地区代码” TLD” (ccTLD),例如 .us 和 .uk。对于公共(public)云,浏览器现在也将流行的共享云域视为“有效 TLD”,包括来自 AWS 的许多域,例如您尝试使用的域。
要设置您的 cookie,您需要将您的 cookie 域设置为私有(private)域,Google 称之为“有效顶级域加一”(eTLD+1),这意味着您的有效顶级域加一个子域,例如在这种情况下,您的整个完全限定主机名 - ec2-27-123-206-78.compute-1.amazonaws.com。对于相同的要求,Microsoft 使用术语“公共(public)后缀加一”(PS+1)。
Mozilla 基金会排除 eTLD/公共(public)后缀的理由
- Avoid privacy-damaging "supercookies" being set for high-level domain name suffixes
- Highlight the most important part of a domain name in the user interface
- Accurately sort history entries by site
- 引用:https://publicsuffix.org/ (Mozilla 基金会)
Microsoft 排除 eTLD/公共(public)后缀的推理
When setting a cookie, a website may specify which hosts the cookie should be sent to using the domain attribute. The browser must block attempts to set a cookie where the domain attribute does not end with the current page’s Private Domain. Failure to do so results in privacy and security concerns.
- Privacy: Allowing unrelated domains to share cookies can result in “super-cookies”-- cookies which are sent to multiple unrelated organizations that happen to share a Public Suffix.
- Security: Session-fixation attacks, where a good site and an evil site share a Public Suffix, and the evil site sets a malicious cookie on the Public Suffix so that the Good site is sent the evil cookie.
Google Chromium/Chrome 行为
Google 表示 Chromium(以及 Chrome)在其 CookieMonster 类的描述中使用“eTLD+1”存储 cookie。
The central data structure of a CookieMonster is the cookies_ member, which is a multimap (multiple values allowed for a single key) from a domain to some set of cookies. Each cookie is represented by a CanonicalCookie(), which contains all of the information that can be specified in a cookie (see diagram and RFC 2695). When set, cookies are placed into this data structure, and retrieval involves searching this data structure. The key to this data structure is the most inclusive domain (shortest dot delimited suffix) of the cookie domain that does not name a domain registrar (i.e. "google.com" or "bbc.co.uk", but not "co.uk" or "com"). This is also known as the Effective Top Level Domain plus one, or eTLD+1, for short.
域列表,包括 amazonaws.com
您可以在 Mozilla 的 PublicSuffix.org 上发布的源代码中看到 Firefox 使用的有效顶级域列表。 Google CookieMonster 页面也引用了 PublicSuffix.org。此列表包括许多 AWS 域,包括您尝试用于 EC2 的域,由 Amazon 提交。
// Amazon Elastic Compute Cloud : https://aws.amazon.com/ec2/
// Submitted by Luke Wells <psl-maintainers@amazon.com>
*.compute.amazonaws.com
*.compute-1.amazonaws.com
*.compute.amazonaws.com.cn
us-east-1.amazonaws.com
注意:我刚刚注意到 saurav kumar 在评论中发布了指向此内容的 Mozilla 链接。
关于java - 为什么我的 "Set-Cookie"响应 header 没有被翻译成实际的 cookie?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50300127/