After opening "I am a buyer", the sessionId under the enterprise domain keeps changing
Investigation direction:
1 nginx tampered with the sessionId
-- Restarted nginx, the problem is not solved
-- Test environment stand-alone: printed the sessionId in the code and observed that it is the same as the JSESSIONID sent by the front end, which rules out nginx modifying the sessionId
-- Troubleshot nginx cache issues
2 There is a problem with Spring Security in the backend
-- Lack of in-depth understanding of Spring Security behaviour
-- It turns out that it has nothing to do with Spring Security. It is UC's jsonp call to the enterprise domain that causes the enterprise session to fail
3 Enter "I am a buyer", refresh the seller center, no session. Check what "I am a buyer" does that destroys the enterprise session; it interacts with enterprise through the browser only via jsonp calls
-- It is found that when the user-side jsonp pulls enterprise data, the existing session is no longer found, causing jsonp to re-establish the session
-- Replacing the current page with Baidu (www.baidu.com) or the old UC shows no problem. This confirms that the interaction between the "I am a buyer" page and the enterprise domain causes the problem
-- Observed that the SessionId has changed; Spring Security has no special treatment for jsonp, a jsonp call is just a script-type GET request
-- OC is also jsonp, but OC has no problem; refreshing USER, however, does not work, because USER triggers the destruction of the session
===========================
To sum up: the root cause is session destruction
Keywords: Set-Cookie
enterprise
Investigation direction:
SESSION monitor
HYIPCASEntryPoint monitor
Front-end request to add trace capability
----------------------------------
C9E11CE580D10AFFEA2023E9D4CD3B34
Refreshing USER immediately caused the enterprise session to be destroyed:
root@host102:[/var/log/enterprise]tail -10000f enterprise_app.log |grep 'session,id'|grep 'C9E11CE580D10AFFEA2023E9D4CD3B34'
2016-06-07 14:08:14 [http-nio-27000-exec-53] [INFO ] [com.enterprise.util.TraceUtils.?:?] |###traceInfo >> FROM EnterpriseSessionListener ,create session,id=C9E11CE580D10AFFEA2023E9D4CD3B34.jvm3_dispatch_102
2016-06-07 14:11:16 [http-nio-27000-exec-72] [INFO ] [com.enterprise.util.TraceUtils.?:?] |###traceInfo >> FROM EnterpriseSessionListener ,destroied session,id=C9E11CE580D10AFFEA2023E9D4CD3B34.jvm3_dispatch_102
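The trace lines above only say that a session was created and then destroyed three minutes later; they do not say which request destroyed it. As an added example (hypothetical code, not the project's EnterpriseSessionListener, whose source is not on this page), the following listener and filter pair produces the same create/destroy trace and additionally records the last request, with its Referer, that arrived with the session, so the destroy line points at the calling page. The class names SessionTraceListener and SessionTraceFilter and the attribute key trace.lastRequest are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical session tracing (example code, not the project's own listener).
 * Register the listener with a <listener> element in web.xml and map the
 * filter to /* ahead of any filter that may invalidate sessions, so the
 * attribute is written before the session is torn down.
 */
public class SessionTraceListener implements HttpSessionListener {
    static final Logger LOG = Logger.getLogger("traceInfo");
    // Assumed attribute key under which the filter stores the last request seen.
    static final String LAST_REQUEST = "trace.lastRequest";

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        LOG.info("FROM SessionTraceListener ,create session,id=" + se.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Since Servlet 2.4 this fires before the session is invalidated,
        // so its attributes are still readable here.
        HttpSession s = se.getSession();
        LOG.info("FROM SessionTraceListener ,destroyed session,id=" + s.getId()
                + " ,lastRequest=" + s.getAttribute(LAST_REQUEST));
    }
}

/** Records method, URI, query string and Referer of each request that carries an existing session. */
class SessionTraceFilter implements Filter {
    @Override
    public void init(FilterConfig cfg) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            // getSession(false) never creates a session just for tracing purposes.
            HttpSession s = req.getSession(false);
            if (s != null) {
                String qs = req.getQueryString();
                String line = req.getMethod() + " " + req.getRequestURI()
                        + (qs == null ? "" : "?" + qs)
                        + " referer=" + req.getHeader("Referer");
                s.setAttribute(SessionTraceListener.LAST_REQUEST, line);
            }
        }
        chain.doFilter(request, response);
    }
}
```

With this in place, the "destroyed session" line for a case like the one above would carry the /api/... jsonp request and the Referer of the page that issued it, which is exactly the information the investigation had to reconstruct by hand.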
===============================================
Root cause location:
The User page makes a jsonp call to enterprise, and the enterprise API invalidates the session once that call completes:
http://enterprise.qbao.com/api/merchant/shop/getRecommendShops.html?jsonpCallback=success_jsonpCallback&userId=100002&pageSize=30&_=1465285635665
Everyday up 2016/6/7 15:54:22
<filter>
    <filter-name>InvalideAPISessionFilter</filter-name>
    <filter-class>com.enterprise.web.filter.InvalideAPISessionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>InvalideAPISessionFilter</filter-name>
    <url-pattern>/api/*</url-pattern>
</filter-mapping>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Runs after every /api/* handler and unconditionally drops the caller's session.
public class InvalideAPISessionFilter implements Filter {
    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            // getSession() creates a session if none exists and it is invalidated at once;
            // but a session that already existed, such as a logged-in enterprise user's
            // session sent along with a browser jsonp request, is destroyed as well.
            req.getSession().invalidate();
        }
    }
}
The enterprise API endpoints invalidate the session automatically to prevent the memory leak that session management would otherwise cause for API callers.
When a new employee maintained the code, he accidentally changed the interface to jsonp; the browser then sent the logged-in enterprise session cookie with the User page's call, and the filter destroyed that session.
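The filter's purpose (no leaked sessions from API callers) is sound; the defect is that it also destroys a session it did not create. As an added example (hypothetical code, not the project's own filter), the following replacement keeps the leak protection but only invalidates a session that the API request itself created, by checking with getSession(false) whether one existed before the handler ran. The class name ApiSessionCleanupFilter is an assumption; it would be registered on /api/* in web.xml in place of the original.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical hardened replacement for InvalideAPISessionFilter (example code).
 * A session created by the API call itself is dropped after the handler, as
 * before; a session that already existed when the request arrived (for example a
 * merchant's logged-in enterprise session sent by the browser along with a
 * cross-site jsonp script request) is left untouched.
 */
public class ApiSessionCleanupFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;

        // getSession(false) does not create a session, so this records whether
        // the caller already had one before the API handler ran.
        boolean hadSessionBefore = req.getSession(false) != null;

        chain.doFilter(request, response);

        // A session that exists now but did not before was created by this API
        // call; that is the leak case the original filter targets and it is safe
        // to drop. A pre-existing session belongs to an interactive user and must
        // survive. If the handler already invalidated it, getSession(false) is null.
        HttpSession after = req.getSession(false);
        if (!hadSessionBefore && after != null) {
            after.invalidate();
        }
    }
}
```

An equivalent check is after.isNew(), which is true only for a session the container created during this request; the before/after comparison is used here because it makes the intent explicit. Note that the filter still cannot tell a legitimate same-site API call from a browser script request issued by another page, so the cross-domain jsonp dependency itself is still worth reviewing.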