Scenario:
1. In the same browser, visit the same website twice and log in with two different accounts. The last login overwrites the previous one.
Explanation: this one is easy to understand. Since IE7, all browsers follow the same rule: every tab and window of one browser profile shares one cookie store, and therefore one session cookie. The second login sets a new session cookie for the same host and path, replacing the first. This typically shows up in applications of the "one page one application" kind.
2. Two applications deployed on the same application server, i.e. on the same host (same IP).
Explanation: Tomcat is used as the example; other containers behave similarly.
The cause is that both applications end up with the same session ID. By default the session ID is stored in an HttpOnly cookie named JSESSIONID, and the browser scopes cookies by host name and path only (not by port). If the two cookies carry no Domain or Path that tells them apart, the browser treats them as one cookie: whichever application wrote it last wins, and on subsequent requests both applications receive the same session ID, so the two sessions clash.
Solution 1: change the cookie's Path or Domain scope so that the two cookies no longer overlap.
In Tomcat 6, set emptySessionPath="false" on the Connector element in server.xml (false is the default; with emptySessionPath="true" every context writes its cookie with Path=/, which is exactly the overlap described above).
In Tomcat 7, emptySessionPath has no effect. Instead, use the following attributes of the Context element in context.xml:
sessionCookieDomain
The domain to be used for all session cookies created for this context. If set, this overrides any domain set by the web application. If not set, the value specified by the web application, if any, will be used.
sessionCookiePath
The path to be used for all session cookies created for this context. If set, this overrides any path set by the web application. If not set, the value specified by the web application will be used, or the context path used if the web application does not explicitly set one. To configure all web application to use an empty path (this can be useful for portlet specification implementations) set this attribute to / in the global CATALINA_BASE/conf/context.xml file.
Note: Once one web application using sessionCookiePath="/" obtains a session, all subsequent sessions for any other web application in the same host also configured with sessionCookiePath="/" will always use the same session ID. This holds even if the session is invalidated and a new one created. This makes session fixation protection more difficult and requires custom, Tomcat specific code to change the session ID shared by the multiple applications.
Reference: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html
Solution 2: change the name of the session ID cookie. In Tomcat 6 and earlier this apparently cannot be configured (later 6.0.x releases do document the attribute on Context, so check the documentation for your exact version).
In Tomcat 7 and later, set it on the Context element in context.xml:
sessionCookieName
The name to be used for all session cookies created for this context. If set, this overrides any name set by the web application. If not set, the value specified by the web application, if any, will be used, or the name JSESSIONID if the web application does not explicitly set one.
Reference: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html
Note: if the two applications happen to be deployed on the same host with different ports but the same context path, solution 1 cannot help. Browsers do not scope cookies by port, so the Domain and Path of both cookies are identical no matter how they are configured. The only way to separate them is to give each application its own sessionCookieName.
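To make the browser-side behaviour behind both solutions concrete, here is an added example (not part of the original post and not Tomcat's own code) that uses the Python standard library's http.cookiejar as a stand-in browser. It feeds the jar the Set-Cookie headers Tomcat would emit for each configuration and shows which session ID each context then reads back. The host name app.example.com, the ports 8080/8081, the context paths /app1, /app2 and /app, the cookie names APP8080/APP8081 and the session IDs A1/B2 are all constructed for the example.

```python
"""Model of how a browser scopes Tomcat session cookies, using the standard
library's CookieJar (RFC 6265-style matching) as the 'browser'.  Host name,
ports, context paths, cookie names and session IDs are constructed for the
example; the Set-Cookie headers mimic Tomcat's default cookie format."""
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

HOST = "app.example.com"  # assumed host; every Tomcat context lives behind it


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message keeps duplicate headers

    def info(self):
        return self._headers


class Browser:
    """One browser profile: a single cookie jar shared by every tab and window."""

    def __init__(self):
        self.jar = CookieJar()

    def visit(self, port, path, set_cookie_headers=()):
        """Request http://HOST:port/path and return the Cookie header the browser
        attaches (None if no stored cookie matches), then store the server's
        Set-Cookie headers as Tomcat would have sent them."""
        request = urllib.request.Request(f"http://{HOST}:{port}{path}")
        self.jar.add_cookie_header(request)
        sent = request.get_header("Cookie")
        self.jar.extract_cookies(_Response(list(set_cookie_headers)), request)
        return sent


def session_id_read_by(cookie_header, cookie_name):
    """What a context configured with this sessionCookieName looks up: the value
    of its own cookie, ignoring any other cookie names sent alongside it."""
    if not cookie_header:
        return None
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == cookie_name:
            return value
    return None


def scenario_default_paths():
    """Tomcat default: cookie Path is the context path, so two apps on the same
    host and port each get their own JSESSIONID back."""
    b = Browser()
    b.visit(8080, "/app1/login", ["JSESSIONID=A1; Path=/app1; HttpOnly"])
    b.visit(8080, "/app2/login", ["JSESSIONID=B2; Path=/app2; HttpOnly"])
    return {
        "app1": session_id_read_by(b.visit(8080, "/app1/home"), "JSESSIONID"),
        "app2": session_id_read_by(b.visit(8080, "/app2/home"), "JSESSIONID"),
    }


def scenario_root_path():
    """emptySessionPath="true" (Tomcat 6) or sessionCookiePath="/" (Tomcat 7):
    same name, same host, same path, so the second login overwrites the first
    cookie and both apps are handed the same ID from then on."""
    b = Browser()
    b.visit(8080, "/app1/login", ["JSESSIONID=A1; Path=/; HttpOnly"])
    b.visit(8080, "/app2/login", ["JSESSIONID=B2; Path=/; HttpOnly"])
    return {
        "app1": session_id_read_by(b.visit(8080, "/app1/home"), "JSESSIONID"),
        "app2": session_id_read_by(b.visit(8080, "/app2/home"), "JSESSIONID"),
    }


def scenario_same_path_different_ports(cookie_names=("JSESSIONID", "JSESSIONID")):
    """Two Tomcat instances on the same host, different ports, identical context
    path.  Cookies carry no port, so Path/Domain cannot separate them; only
    distinct sessionCookieName values, e.g. ("APP8080", "APP8081"), do."""
    name_8080, name_8081 = cookie_names
    b = Browser()
    b.visit(8080, "/app/login", [f"{name_8080}=A1; Path=/app; HttpOnly"])
    b.visit(8081, "/app/login", [f"{name_8081}=B2; Path=/app; HttpOnly"])
    return {
        "tomcat:8080": session_id_read_by(b.visit(8080, "/app/home"), name_8080),
        "tomcat:8081": session_id_read_by(b.visit(8081, "/app/home"), name_8081),
    }


if __name__ == "__main__":
    print("default paths      ", scenario_default_paths())
    print("Path=/ on both     ", scenario_root_path())
    print("same path, 2 ports ", scenario_same_path_different_ports())
    print("renamed cookies    ", scenario_same_path_different_ports(("APP8080", "APP8081")))
```

In the renamed-cookie case the browser still sends both cookies to both ports (they match the same host and path), but each instance only reads the name it was configured with, which is why sessionCookieName works where Path and Domain cannot.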