How can I code a jquery ajax() call (e.g. xmlhttprequest) to preserve the session ID (e.g. send the 'jsessionID' cookie already in the browser's cookies)

Our context:

  • Two java based web applications
  • SSO mechanism logs User into both applications (i.e. has session 101 with application A and session 202 with application B)
  • Application "A" uses javascript (jquery) to make rest calls to the Application B
  • Application B implemented rest API in Java jersey (fwiw)
  • All GETs and "old-school form POSTs" from Application A to B connect to the same session #202 on "session B"
  • XmlHttpRequests (e.g. jquery 'ajax()' calls) do not re-use session #202. Each XmlHttpRequest gets a new session

Why New Sessions?

The reason: XmlHttpRequests do not pass any cookies to application B. The servlet container sets jsessionid in the cookie. The server does not get the jsessionid.

In contrast, JSONP calls (which dynamically generate <script src="http://server/b/page.x">) do pass the cookies.

The questions

  • What's the easiest way to get ajax xmlhttprequest calls to pass session id (cookies) to the target application ?
  • Any good references on ajax, cookie, xmlhttprequest, and REST?
  • Can anyone recommend reading on REST API design and authentication?

Web Sessions, State, and Authentication

I know REST is supposed to be stateless, and re-using web sessions seems somewhat fragile (i.e. as opposed to using OAuth and authentication tokens, as does netflix)

This is the first iteration and we were close to getting things "up and running". This worked fine with JSONP, but XmlHttpRequest posts failed.

thanks in advance

Update:

A naive question indeed.

It turns out that cross-site posting via xmlhttprequest/ajax has inherent security issues and workarounds. Firefox, for example, will not pass cookies with XmlHttpRequest unless you add special headers. Firefox will then do a 'pre-flight check' (i.e. an http OPTIONS call) to the server to see "is this ok?". Your server needs to answer the "OPTIONS" call saying "yes it's ok" before firefox will perform your "post with cookies".

IE and Firefox solve these problems differently (i.e. a bit like javascript circa 1998). I don't know what IE does, but having lived through 1998, we don't want to really go down that road if at all possible.

We coded a workaround.

None of our team knew this when we started coding. (i.e. "jsonp worked great in the prototype; everything else should also")

References: How Mozilla addresses this problem (http headers and preflight checks) https://developer.mozilla.org/En/HTTP_access_control

Cross Origin Resource Sharing: http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing

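To make the update above concrete, here is an added example (not code from the question or its answer) of the two halves a credentialed cross-origin XmlHttpRequest needs: the jQuery settings Application A must use so the browser sends its cookies, and the logic Application B must apply when answering the preflight OPTIONS request and the real request. The origins and URLs are constructed placeholders; the allowlist check is the security-relevant part, since a server that echoes any Origin together with Access-Control-Allow-Credentials: true lets every site on the web make session-bearing calls.

```javascript
// Added example, not from the original post. Origins below are constructed placeholders.

// Client side (Application A): settings object for $.ajax(). Without
// xhrFields.withCredentials the browser strips cookies (including JSESSIONID)
// from a cross-origin XmlHttpRequest, which is why every call got a new session.
function credentialedAjaxSettings(url, payload) {
  return {
    url: url,
    type: 'POST',
    contentType: 'application/json',
    data: JSON.stringify(payload),
    xhrFields: { withCredentials: true },
  };
}

// Server side (Application B): compute the CORS response headers for one request.
// requestHeaders is a map of lower-cased header names; allowedOrigins is an explicit
// allowlist. '*' is never emitted: browsers reject it when credentials are sent, and
// reflecting an arbitrary Origin would hand the session to any site.
function corsResponseHeaders(requestHeaders, allowedOrigins) {
  const origin = requestHeaders['origin'];
  if (!origin || !allowedOrigins.includes(origin)) {
    return null; // no CORS headers at all: the browser blocks the response
  }
  const headers = {
    'Access-Control-Allow-Origin': origin, // exact match, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // stop caches serving one origin's answer to another
  };
  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const isPreflight = requestHeaders['access-control-request-method'] !== undefined;
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Worked exchange: the preflight Firefox sends before the JSON POST above.
const ALLOWED_ORIGINS = ['https://app-a.example'];
const preflightFromA = {
  'origin': 'https://app-a.example',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'content-type',
};
const preflightAnswer = corsResponseHeaders(preflightFromA, ALLOWED_ORIGINS);
```

Even with the headers right, a session cookie now rides on cross-origin POSTs, so Application B should still verify the Origin header or a CSRF token on state-changing calls rather than trusting the cookie alone.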

1 Solution

You could also solve this problem by deploying a stateful proxy. They'd have to be installed on both apps. You'd then make all your session-based calls through the proxy and store the remote session data into your local proxy's session.
