现象:
两次request的hashCode相同,但request.getSession()获取到的session却不同;
排查记录:
其在 Chrome Devlope tools中 对应的提示:接口在 Response 响应头中Set-Cookie 时 失败。
This Set-Cookie was blocked because it was not sent over a secure-connection and would have overwritten a cookie with Secure attribute.
原因:
1、 HTTP服务不支持Secure安全属性。Secure表示Cookie会以安全的形式传输,HTTP肯定是不满足的。
2、历史使用了Https 访问过相同域名, 再以http访问且不设置Secure属性,也是不可以的。 解决办法: 清除https域名下cookie信息
根本原因: cookie不能通过 port 进行隔离。
Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server.
原文链接:https://www.jianshu.com/p/ecc498da117b