前言

         废话不多说，昨天是实现同源部署返回不同cookie，现在是核心，就是一个浏览器同时登录，客户端、运营端同时正常使用。

---

一、核心实现

         核心实现实际上就是自定义HttpSessionIdResolver处理sessionid解析，上一篇博文已实现，地址：同源部署自定义sessionId解析器设置不同名称cookie

二、实现双登正常使用

         其实就是自定义的HttpSessionIdResolver的MyHttpSessionIdResolver里的一个resolveSessionIds方法修改下，再前端传参配合下。

1.具体代码

代码如下（示例）：

import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.util.StrUtil;
import com.easylinkin.security.context.LinkappUserContextProducer;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.session.web.http.CookieHttpSessionIdResolver;
import org.springframework.session.web.http.DefaultCookieSerializer;
import org.springframework.session.web.http.HttpSessionIdResolver;import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Collections;
import java.util.List;/*** 自定义SessionId解析器** @author zhengwen*/
@Slf4j
//@Service("httpSessionIdResolver")
public class MyHttpSessionIdResolver implements HttpSessionIdResolver {@Resourceprivate LinkappUserContextProducer linkappUserContextProducer;/*** CookieName默认名称*/public static final String CookieName = "LINKAPP_SESSION_ID";/*** sessionIdName*/private String sessionIdName = CookieName;/*** cookieHttpSessionIdResolver*/private CookieHttpSessionIdResolver cookieHttpSessionIdResolver;/*** 构造函数*/public MyHttpSessionIdResolver() {initCookieHttpSessionIdResolver();}/*** 构造函数** @param sessionIdName sessionIdName*/public MyHttpSessionIdResolver(String sessionIdName) {this.sessionIdName = sessionIdName;initCookieHttpSessionIdResolver();}/*** 初始化cookieHttpSessionIdResolver*/public void initCookieHttpSessionIdResolver() {this.cookieHttpSessionIdResolver = new CookieHttpSessionIdResolver();DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();cookieSerializer.setCookieName(this.sessionIdName);this.cookieHttpSessionIdResolver.setCookieSerializer(cookieSerializer);}@Overridepublic List<String> resolveSessionIds(HttpServletRequest request) {String source = request.getHeader("source");if (StringUtils.isNotBlank(source)) {//这个里面的是核心，就是处理双登后，session会话请求接口时处理对应sessionId返回，让可以进行下一个方法setSessionId()String reqSessionId = request.getHeader(source);return (reqSessionId != null) ? Collections.singletonList(reqSessionId) : Collections.emptyList();} else {// cookieList<String> cookies = cookieHttpSessionIdResolver.resolveSessionIds(request);if (CollUtil.isNotEmpty(cookies)) {return cookies;}// headerString headerValue = request.getHeader(this.sessionIdName);if (StrUtil.isNotBlank(headerValue)) {return Collections.singletonList(headerValue);}// request parameterString sessionId = request.getParameter(this.sessionIdName);return (sessionId != null) ? Collections.singletonList(sessionId) : Collections.emptyList();}}@Overridepublic void setSessionId(HttpServletRequest request, HttpServletResponse response, String sessionId) {log.info(CookieName + "={}", sessionId);String source = request.getHeader("source");if (StrUtil.isNotBlank(source)) {this.sessionIdName = source;initCookieHttpSessionIdResolver();response.setHeader(source, sessionId);} else {response.setHeader(this.sessionIdName, sessionId);}this.cookieHttpSessionIdResolver.setSessionId(request, response, sessionId);}@Overridepublic void expireSession(HttpServletRequest request, HttpServletResponse response) {response.setHeader(this.sessionIdName, "");this.cookieHttpSessionIdResolver.setSessionId(request, response, "");}
}

         还需要的配合就是，登录接口从response的Header里取到sessionId，然后后面所有的接口请求都需要携带，例如：

         source是前端固化的终端标识，我们另一个终端的标识就是admin。
         下面的aep：198ced13-f21d-4ad5-b80b-edf09e983361就是从登录接口返回的response的header里获取的（同样是key代表返回的终端标识，值就是sessionId）
         这个sessionId其实也没有什么好神秘的，也就是跟cookie值是base64加密解密关系。

         后面其实可以增加sessionId、cookie、终端，3个维度校验，验证传参与终端一致。

总结

• cookie、session会话关系要清楚理解（理解不清这一切不可为）
• security安全机制还是很强悍的
           好，就写到这里希望可以帮到大家，uping