hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: can I NOT have the cookie please
Date Tue, 08 Aug 2006 10:08:02 GMT

On Tue, 2006-08-08 at 17:41 +0800, leung cc wrote:
> This is actually a problem that arose after I went about solving my applet 
> + commons-httpclient -> https + client cert problem taking advice from Oleg 
> and others here. Well, I customized Oleg's AuthSSLProtocolSocketFactory and 
> succeeded in making a connection to the servlet in my applet. But it 
> appeared that httpclient was sending a cookie of unknown origin to the 
> servlet and that caused the servlet to not recognize the session which the 
> applet was supposed to be part of. 

Unless evil green men took over your servlet engine there should be no
cookies of unknown origin. 

> So I changed the method to Get (was using 
> Post) and tried to advise the servlet of the correct session by adding 
> "JSESSIONID=..." to the URL. I thought setting the cookie policy would have 
> stopped httpclient from sending any cookies but I was wrong and so I added 
> the setRequestHeader() call too (right, was shooting in the dark) but that 
> didn't seem to improve it.
> 
> GetMethod rqst = new GetMethod( "ccs" + Constants.APP_HOME_URL_PFX +
>          "/GiveLotOrCPCInfoAlt.jsp?JSESSIONID=" + this.httpSessId +
>          "&qkt=" + qryKeyType +
>          "&qk=" + URLEncoder.encode( psLotNum ) +
>          "&ak=" + URLEncoder.encode( acsKey ) );
> 
>       rqst.getParams().setCookiePolicy( CookiePolicy.IGNORE_COOKIES );

Try setting the cookie policy on the host or the client level and see if
that makes a difference.

http://jakarta.apache.org/commons/httpclient/preference-api.html

>       rqst.setRequestHeader( "Set-Cookie",
>                              "JSESSIONID=" + this.httpSessId +
>                              "; Path=/whatever; Secure" );  // HC
> 

This is wrong. At the very least the header name should be "Cookie".
Besides, you'll be much better off if you left cookie management to one
of HttpClient's cookie specs.

> Now, my questions are:
> 
> 1. My servlet side is arranged with apache in the forefront and tomcat at 
> the back, so maybe tomcat isn't seeing the jsessionid info and I should 
> tell Apache rather than tomcat what the session I want?  If this isn't 
> clear, let me say this: in my case apache is our webserver which is 
> listening for both http and https requests and tomcat only runs the jsp 
> programs - although tomcat can serve as a webserver, we are NOT using that 
> functionality of its.
> 

Per default Apache HTTP server should not mess around with session
cookies. If your browser can maintain sessions when accessing the web
app hosted in Tomcat, so could HttpClient.

> Now, how does one tell apache the session id on the URL (not cookie)?
> 
> 2. What's the "Set-Cookie" header?  How is it different from the "Cookie" 
> header?
> 

See http://rfc.net/rfc2109.html

> 3. Httpclient is sending a cookie that contained the desired session id to 
> the server, where did it get the idea of the session id from? The webpage 
> where my applet is contained has a different session id, which I tried 
> to tell the servlet with the "jsessionid=..." parameter to the URL.
> 

Just stick the session cookie obtained from the browser into HttpState
prior to executing requests which you would like to be associated with
that session. If you fail to do so, the servlet engine will initiate a
new session for those requests.

> And I wonder if any authors/contributors of httpclient can be bothered to 
> look into the possibility of smoothly deploying httpclient in an applet - 
> you know, where the user (ok, us programmers) don't have to worry about 
> session, certs and things like that.  I can't see Oleg being interested 
> because he told me he'd avoid applets, too bad. :(
> 

The problem you are having has nothing to do with applets. Just fix your
session management code and you'll be fine.

Oleg


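The two suggestions in the reply above (a cookie policy set at the client level, and the browser's session cookie placed in HttpState before the request runs), shown as an added example that is not part of the original message or the HttpClient project's own code. It assumes Commons HttpClient 3.x on the classpath; the class name, host name, cookie path and session id are constructed placeholders.

```java
import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.cookie.CookiePolicy;
import org.apache.commons.httpclient.methods.GetMethod;

public class SessionCookieExample {

    // Build a client whose HttpState already holds the browser's session cookie.
    // host, path and sessionId come from the caller (for an applet, typically
    // values handed over by the containing page); all three are assumptions here.
    static HttpClient clientForSession(String host, String path, String sessionId) {
        HttpClient client = new HttpClient();

        // Client-level policy: used by every method this client executes
        // unless a method sets its own policy in its params.
        client.getParams().setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);

        // Arguments: domain, name, value, path, expires (null = session cookie), secure.
        // secure=true means the cookie is only attached to https requests.
        Cookie session = new Cookie(host, "JSESSIONID", sessionId, path, null, true);
        client.getState().addCookie(session);
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the original post.
        String host = "app.example.com";
        String sessionId = "0123456789ABCDEF0123456789ABCDEF";
        HttpClient client = clientForSession(host, "/", sessionId);

        // No JSESSIONID in the URL and no hand-written Cookie or Set-Cookie
        // header: the cookie spec emits "Cookie: JSESSIONID=..." itself when
        // the request's host, path and scheme match the stored cookie.
        GetMethod get = new GetMethod("https://" + host + "/GiveLotOrCPCInfoAlt.jsp");
        try {
            int status = client.executeMethod(get);
            System.out.println("HTTP " + status + ", cookies held in state: "
                    + client.getState().getCookies().length);
        } finally {
            get.releaseConnection();
        }
    }
}
```

If the server answers with a new `Set-Cookie: JSESSIONID=...`, the stored domain or path did not match what the servlet engine issued, so the request started a fresh session instead of joining the existing one.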