hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim Williams" <william...@gmail.com>
Subject Secure cookie not being set [was: Two-Way SSL Problem]
Date Mon, 12 Jan 2009 13:28:36 GMT
On Thu, Jan 8, 2009 at 3:03 PM, Tim Williams <williamstw@gmail.com> wrote:
> On Thu, Jan 8, 2009 at 2:28 PM, Tim Williams <williamstw@gmail.com> wrote:
>> On Thu, Jan 8, 2009 at 2:09 PM, Oleg Kalnichevski <olegk@apache.org> wrote:
>>> Tim Williams wrote:
>>>>
>>>> I'm using the MultiThreadedConnectionManager with HttpClient and 2-way
>>>> ssl similar to the example[1] and having problems.  The very first
>>>> request goes through and returns HTTP 200 Ok.  All subsequent requests
>>>> return HTTP 401.  This happens when I run this inside a webapp
>>>> deployed in either glassfish or tomcat.  However, if I take the same
>>>> code and run from within a simple driver "main" program, all calls to
>>>> that same server succeed with no problems.  Oddly enough, this only
>>>> happens when communicating with one particular Weblogic service -
>>>> other servers allow multiple calls with the same fetcher code just
>>>> fine.  Anyone have an idea what would make the first request go
>>>> through go through properly but not subsequent ones?
>>>>
>>>
>>> There is no way of telling without more details. Please post a wire log of
>>> the HTTP session to this list
>>>
>>> http://hc.apache.org/httpclient-3.x/logging.html
>>>
>>> Oleg
>>
>> Unfortunately, I'm unable to post logging data.  I have narrowed it
>> down to a "cookie" problem of some sort.  I've found that if I
>> manually take the "Set-Cookie" header from the initial request, store
>> it, then manually populate it on subsequent requests, all is well.  I
>> had that idea from this site[1] but I'm not sure whether the
>> configuration on the server-side (Weblogic) is just wrong or my
>> HttpClient configuration is wrong by not sending back both cookies on
>> subsequent requests.
>> Thanks,
>> --tim
>
> I've run the wire logging and it does appear that two Set-Cookies are
> coming in, one with JSESSIONID= and the other with
> _WL_AUTH_JSESSIONID=.  On subsequent requests, only the first,
> JSESSIONID, is on the outbound request.  Any ideas?

The _WL_AUTH_JSESSIONID is a 'secure' cookie and it is the one not
being sent. Weblogic uses both a regular cookie and secure cookie to
apparently allow you to seamlessly transition across http and https
sessions[1] which seems valid. I've tried sending as a
SINGLE_COOKIE_HEADER as well with no success.  I'm using v3.0.1 and
RFC2109 btw.  Any ideas for what to look at?
Thanks,
--tim

[1] - http://e-docs.bea.com/wls/docs81/security/thin_client.html#1039551

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message