Question
We have an issue with an application running under WebSphere 6.1.0.31 with the HTTPOnlyCookies setting enabled. The issue is with an Applet that makes a connection via HttpURLConnection to a Servlet. The Applet is passed the JSESSION ID from the JSP page by parameters. In the HttpURLConnection call we set the Cookie header and include the JSESSION ID. The Servlet does not use the cookie passed and will create a new session and cause an error. With HTTPOnlyCookies disabled, this works without any errors. The setting is (com.ibm.ws.webcontainer.HTTPOnlyCookies=*).
Below is changed code to show how we are doing this task. I have only altered the code to remove any information related to the project, as this is production software.
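// The Applet
import java.io.IOException;
import java.io.ObjectInputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Map;
import javax.swing.JApplet;

public class TheApplet extends JApplet {
    // SESSION_ID_PARAM is defined elsewhere in the project (not shown in the post)
    private String servletURL;
    private String sessionId;

    public void init() {
        // Session id handed over by the JSP page as an applet parameter
        this.sessionId = getParameter(SESSION_ID_PARAM);
        this.servletURL = "https://THEURL/CONTEXT/TheServlet.do?params=params";
    }

    public void start() {
        Thread t = new Thread(new Runnable() {
            public void run() {
                // Inside the anonymous Runnable "this" is the Runnable, so qualify the applet fields
                HttpClient httpClient = new HttpClient(TheApplet.this.servletURL, TheApplet.this.sessionId);
                try {
                    Map theMap = httpClient.getData();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        });
        t.start();
    }
}

public class HttpClient {
    private final String servletURL;
    private final String sessionId;

    public HttpClient(String servletURL, String sessionId) {
        this.servletURL = servletURL;
        this.sessionId = sessionId;
    }

    public Map getData() throws IOException {
        ObjectInputStream ois = doGet(this.servletURL, this.sessionId);
        /*
        ... Process return .. error happens before processing
        */
        return null; // placeholder; the processing that builds the Map is elided above
    }

    private ObjectInputStream doGet(String servletURL, String sessionId) throws IOException {
        URL url = new URL(servletURL);
        HttpURLConnection httpConn = (HttpURLConnection) url.openConnection();
        httpConn.setDoInput(true);
        httpConn.setDoOutput(true);
        // Send the session id from the applet parameter as the session cookie
        httpConn.setRequestProperty("Cookie", "JSESSIONID=" + sessionId);
        httpConn.setUseCaches(true);
        return new ObjectInputStream(httpConn.getInputStream());
    }
}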
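// The Servlet
// Struts 1.2.9
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

public class TheServletAction extends DispatchAction {
    public ActionForward performGetData(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws IOException {
        Map theMap = new HashMap();
        /*
        ... db call and build Map
        */
        TheResponseWriter.writeObjectIntoResponse(theMap, response);
        return null; // response is written directly, so there is no forward
    }
}

public class TheResponseWriter {
    // Serializes the object into the response body as a Java object stream
    public static void writeObjectIntoResponse(Object oObjToWrite, HttpServletResponse response) throws IOException {
        ServletOutputStream out = response.getOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(out);
        response.setContentType("application/octet-stream");
        oos.writeObject(oObjToWrite);
        oos.flush();
        oos.close();
        out.close();
    }
}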
Below is the error I see in the Java Console trace file from the applet. Again only changing small information. I also noticed that the WASReqURL did not have the 'host name'.
network: Cache entry not found [url: https://THEURL/CONTEXT/TheServlet.do?params=params, version: null]
network: Connecting https://THEURL/CONTEXT/TheServlet.do?params=params with proxy=DIRECT
network: Connecting socket://THEURL:443 with proxy=DIRECT
network: Server https://THEURL/CONTEXT/TheServlet.do?params=params requesting to set-cookie with "WASReqURL=https:///CONTEXT/TheServlet.do?params=params; HTTPOnly; Path=/"
network: Cache entry not found [url: https://THEURL/CONTEXT/index.jsp, version: null]
network: Connecting https://THEURL/CONTEXT/index.jsp with proxy=DIRECT
network: Connecting socket://THEURL:443 with proxy=DIRECT
network: Server https://THEURL/CONTEXT/index.jsp requesting to set-cookie with "JSESSIONID=; HTTPOnly; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Domain=THEURL"
network: Server https://THEURL/CONTEXT/index.jsp requesting to set-cookie with "JSESSIONID=dfdsfdsafds3q32-sad9287287:163bb19cr; HTTPOnly; Path=/"
- Wed Dec 14 09:05:58 EST 2011 - ERROR - Thread-8 - com.the.package.HttpClient - java.io.StreamCorruptedException: invalid stream header: 0A0A0A0A
Thank you for any help, and please let me know of any further information you may need to assist. I am not able to find anything that helps at all.
Adding further details
In production the line (httpConn.setRequestProperty("Cookie", "JSESSIONID="+sessionId); ) isn't even there, and the process works fine. But our client wants to enable the httpOnly setting on their WebSphere, but they run into the applet not working. I may have found the reason why passing the session isn't working. When looking at the cookie headers, I noticed that the JSESSIONID is different in the header than the one set as a param for the applet. Looking into that I found information about JSESSIONID format for cluster environments. https://www.ibm.com/developerworks/mydeveloperworks/blogs/Dougclectica/entry/websphere_session_ids22?lang=en , which is CacheID+SessionID+:+CloneID. I'm in the process of trying to find out how I can get those values in the JSP page.
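The JSESSIONID layout mentioned in the post (CacheID+SessionID+:+CloneID), as an added example that is not part of the original post or of WebSphere: it splits a cookie value into its parts and checks whether a bare session ID names the same session. The 4-character cache ID length, the class name and the sample values are assumptions made for this illustration.

```java
// Added example (not from the original post). Splits a WebSphere-style
// JSESSIONID cookie value laid out as CacheID + SessionID + ":" + CloneID.
public class WasSessionCookie {
    // Assumption: the cache ID is the first 4 characters of the value.
    static final int CACHE_ID_LEN = 4;

    final String cacheId;
    final String sessionId;
    final String cloneId; // empty when the value carries no ":CloneID" suffix

    WasSessionCookie(String cookieValue) {
        if (cookieValue == null) {
            throw new IllegalArgumentException("cookie value is null");
        }
        int colon = cookieValue.indexOf(':');
        String head = colon < 0 ? cookieValue : cookieValue.substring(0, colon);
        if (head.length() <= CACHE_ID_LEN) {
            throw new IllegalArgumentException("no session ID after the cache ID");
        }
        this.cacheId = head.substring(0, CACHE_ID_LEN);
        this.sessionId = head.substring(CACHE_ID_LEN);
        this.cloneId = colon < 0 ? "" : cookieValue.substring(colon + 1);
    }

    // True when a bare session ID (no cache or clone ID) names the same session.
    boolean sameSession(String bareSessionId) {
        return sessionId.equals(bareSessionId);
    }

    // Rebuilds the Cookie request header value in the full layout.
    String toCookieHeader() {
        String suffix = cloneId.isEmpty() ? "" : ":" + cloneId;
        return "JSESSIONID=" + cacheId + sessionId + suffix;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real server.
        String fromSetCookie = "0000SAMPLEsessionID123:clone01";
        String fromAppletParam = "SAMPLEsessionID123";

        WasSessionCookie c = new WasSessionCookie(fromSetCookie);
        System.out.println("cacheId=" + c.cacheId + " sessionId=" + c.sessionId
                + " cloneId=" + c.cloneId);
        // The raw strings differ even though they name the same session.
        System.out.println("raw equal:    " + fromSetCookie.equals(fromAppletParam));
        System.out.println("same session: " + c.sameSession(fromAppletParam));
        System.out.println("header:       " + c.toCookieHeader());
    }
}
```

Writing the session ID into the page as an applet parameter makes it readable by any script running in that page, which is the exposure the HttpOnly flag exists to prevent.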
Source: https://stackoverflow.com/questions/8528926/httponly-cookies-enabled-communication-error-applet-to-servlet