Sharing an ASP.NET session cookie with a Java applet (.NET, ASP, Java)

2023-09-04 00:35:11 Author: 甜心小公主

I have a Java applet that runs inside a forms-authenticated aspx page. In the .NET 1.1 version of my site, the applet has access to the session cookie and is able to retrieve a file from the server, but in the .NET 2.0 version it fails to authenticate.

I have seen a couple of forum posts elsewhere that state that 2.0 sets cookies to HttpOnly by default, but the solutions given haven't worked for me so far. I also read somewhere that 2.0 may be discriminating based on user-agent.

Does anyone have any experience or insight into this?

Recommended answer

This question is old, but I figured it was valuable to have the correct answer here.

Filip is confusing server-side Java with client-side Java. He is correct that you cannot share sessions between two server-side platforms, such as Java (J2EE) and ASP.Net without using a custom approach.

However, applets are client-side and therefore should be able to access the session information of the host page. The issue is that ASP.Net 2.0 added the HttpOnly flag on session cookies. This flag prevents JavaScript and Java applets from accessing these cookies.

The workaround is to turn off the HttpOnly flag on session cookies. While you may be able to do it in the configuration in newer versions of ASP.Net, in previous versions the solution was to add the following code to your Global.asax file:

protected void Application_EndRequest(object sender, EventArgs e)
{
    /**
    * @note Remove the HttpOnly attribute from session cookies, otherwise the 
    *      Java applet won't have access to the session. This solution taken
    *      from
    *      http://blogs.msdn.com/jorman/archive/2006/03/05/session-loss-after-migrating-to-asp-net-2-0.aspx
    *
    *      For more information on the HttpOnly attribute see:
    *
    *      http://msdn.microsoft.com/netframework/programming/breakingchanges/runtime/aspnet.aspx
    *      http://msdn2.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx
    */
    if (Response.Cookies.Count > 0)
    {
        foreach (string lName in Response.Cookies.AllKeys)
        {
            if (lName == FormsAuthentication.FormsCookieName || 
                lName.ToLower() == "asp.net_sessionid")
            {
                Response.Cookies[lName].HttpOnly = false;
            }
        }
    }
}

Note that even with this fix, not all browser/OS/Java combinations can access cookies. I'm currently researching an issue with session cookies not being accessible on Firefox 4.0.1 with Java 1.6.0_13 on Windows XP.

The workaround is to use the approach Dr. Dad suggested, where the session ID gets passed to the applet as a parameter, and then either gets embedded into the request URL (requires URL sessions to be turned on in the server-side configuration) or sent as a manually-set cookie.
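
The manually-set cookie variant of that workaround, as an added example (not code from the original answer): the page hands the applet the session ID in a parameter, and the applet attaches it to its own request, so HttpOnly can stay enabled on the browser's cookie. The parameter name `sessionId` and the alphanumeric ID format are assumptions; the ID is validated before it reaches the `Cookie` header and is only sent back to the origin that served the page.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.regex.Pattern;

/** Added example: applet-side helper that sends the session ID as a manually set cookie. */
public class SessionCookieRequest {
    // Default ASP.NET session cookie name (the Global.asax code above matches it in lower case).
    static final String COOKIE_NAME = "ASP.NET_SessionId";
    // Assumption: the ID is a short alphanumeric token. Anything else is rejected so a
    // tampered parameter cannot smuggle ';', CR or LF into the Cookie header.
    static final Pattern SESSION_ID = Pattern.compile("[A-Za-z0-9]{1,128}");

    static String cookieHeader(String sessionId) {
        if (sessionId == null || !SESSION_ID.matcher(sessionId).matches()) {
            throw new IllegalArgumentException("unexpected session ID format");
        }
        return COOKIE_NAME + "=" + sessionId;
    }

    /** Opens a GET to fileUrl carrying the session cookie; the caller reads and closes the stream. */
    static InputStream openWithSession(URL pageUrl, URL fileUrl, String sessionId) throws IOException {
        // Only send the session back to the origin that served the host page.
        boolean sameOrigin = pageUrl.getProtocol().equals(fileUrl.getProtocol())
                && pageUrl.getHost().equalsIgnoreCase(fileUrl.getHost())
                && pageUrl.getPort() == fileUrl.getPort();
        if (!sameOrigin) {
            throw new IOException("refusing to send the session cookie to another origin");
        }
        HttpURLConnection conn = (HttpURLConnection) fileUrl.openConnection();
        // A redirect (typically to the login page) means the session was not accepted.
        conn.setInstanceFollowRedirects(false);
        conn.setRequestProperty("Cookie", cookieHeader(sessionId));
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            conn.disconnect();
            throw new IOException("server answered HTTP " + status);
        }
        return conn.getInputStream();
    }

    public static void main(String[] args) {
        // Constructed sample values; in the applet the ID would come from getParameter("sessionId").
        System.out.println(cookieHeader("abc123constructedvalue00"));
        try {
            cookieHeader("abc\r\nX-Injected: 1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A session ID written into the page markup is readable by any script running in that page, so this variant keeps the cookie flag but not the full protection HttpOnly gives.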