Java 如何在关闭浏览器窗口时删除HttpOnly服务器端会话cookie
我需要在用户关闭浏览器窗口时关闭由Java 如何在关闭浏览器窗口时删除HttpOnly服务器端会话cookie,java,typescript,cookies,spring-security,angularjs-1.7,Java,Typescript,Cookies,Spring Security,Angularjs 1.7,我需要在用户关闭浏览器窗口时关闭由JSESSIONIDcookie持有的会话。 此cookie由Spring Security在服务器端设置: @Configuration @EnableWebSecurity public class SpringSecurityConfiguration { @Configuration public static class ApplicationApiSecurityConfiguration extends WebSecurityCo
JSESSIONID@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration {
@Configuration
public static class ApplicationApiSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) {
http
.antMatcher("/**")
.csrf()
.disable() // Disable Cross Site Request Forgery Protection
.formLogin() // Enable form based/cookie based/session based login
.loginPage(LOGIN_PAGE) // Set our custom login page
.and()
.authorizeRequests()
.antMatchers("/login", "/logout")
.permitAll() // Allow anyone to access the login and logout page
.anyRequest()
.authenticated() //All other request require authentication
.and()
.logout()
.deleteCookies("JSESSIONID") // Delete JSESSIONID cookie on logout
.clearAuthentication(true) // Clean authentication on logout
.invalidateHttpSession(true); // Invalidate Http Session on logout
}
}
}
@module.tsmodule app.myapp {
import IModule = angular.IModule;
import IStateProvider = angular.ui.IStateProvider;
import IUrlRouterProvider = angular.ui.IUrlRouterProvider;
import LockService = lib.common.LockService;
export class MyApp {
static NAME = 'app.myapp';
static module(): IModule {
return angular.module(MyApp.NAME);
}
}
angular.module(MyApp.NAME, ['ui.router'])
.config([
'$stateProvider', '$urlRouterProvider',
($stateProvider: IStateProvider, $urlRouterProvider: IUrlRouterProvider) => {
$urlRouterProvider.when('', '/home');
$stateProvider.state('base', {
url: '',
abstract: true,
template: '<ui-view/>',
resolve: {
initEventListenerForGlobalUnlock: [
LockService.ID,
(lockService: LockService) => lockService.initListenerForGlobalUnlock()
]
}
});
$stateProvider.state('personalProfile', {
url: '/profile',
parent: 'base',
component: PersonalProfile.ID
});
}
]);
}
此操作重定向页面。$window.location.href='logout'问题在于
JSESSIONIDglobalUnlockHandler$http.getcreateXMLHttpRequest(): XMLHttpRequest {
var req: XMLHttpRequest = null;
if (this.$window.XMLHttpRequest) {
try {
req = new XMLHttpRequest();
} catch (e) { }
} else if (this.$window.ActiveXObject) {
try {
req = new ActiveXObject('Msxml2.XMLHTTP'); // tslint:disable-line
} catch (e) {
try {
req = new ActiveXObject('Microsoft.XMLHTTP'); // tslint:disable-line
} catch (e) { }
}
} // fi
if (!req) {
console.warn('createXMLHttpRequest() failed');
}
return req;
}
var xhr = new XMLHttpRequest();
if (xhr) {
xhr.open('GET', 'http://www.domain.name/logout', false);
try {
xhr.send(null);
} catch (e) {
console.warn(e);
}
}
请注意,XHR已被弃用,而且这种方法违反了HTTP原则,因为用户可以打开一个新的浏览器选项卡并从现有浏览器复制/粘贴URL。然后,如果第一个选项卡关闭,会话将终止,但第二个选项卡仍将打开,没有有效会话。回答我自己的问题 我发现在浏览器窗口关闭时实现会话过期的唯一方法是对
globalUnlockHandler$http.getcreateXMLHttpRequest(): XMLHttpRequest {
var req: XMLHttpRequest = null;
if (this.$window.XMLHttpRequest) {
try {
req = new XMLHttpRequest();
} catch (e) { }
} else if (this.$window.ActiveXObject) {
try {
req = new ActiveXObject('Msxml2.XMLHTTP'); // tslint:disable-line
} catch (e) {
try {
req = new ActiveXObject('Microsoft.XMLHTTP'); // tslint:disable-line
} catch (e) { }
}
} // fi
if (!req) {
console.warn('createXMLHttpRequest() failed');
}
return req;
}
var xhr = new XMLHttpRequest();
if (xhr) {
xhr.open('GET', 'http://www.domain.name/logout', false);
try {
xhr.send(null);
} catch (e) {
console.warn(e);
}
}
请注意,XHR已被弃用,而且这种方法违反了HTTP原则,因为用户可以打开一个新的浏览器选项卡并从现有浏览器复制/粘贴URL。然后,如果第一个选项卡关闭,会话将终止,但第二个选项卡仍将在没有有效会话的情况下打开。我有点困惑,JSESSIONID不是会话cookie吗,这意味着一旦浏览器关闭,它将被删除?可能您正在寻找类似AFAIR会话cookie的内容。重新启动浏览器后,会话cookie会暂时消失。但是,在用户注销之前,会话仍处于活动状态。浏览器窗口关闭时,JSESSION cookie不会消失。这可以通过Firefox本地存储检查器进行验证。我不知道为什么Spring在注销时在
deleteCookie()clearAuthentication()invalidateHttpSession()deleteCookie()clearAuthentication()invalidateHttpSession()