tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ignacio J. Ortega" <na...@siapi.es>
Subject RE: [Tomcat 3.3rc1 and 3.3rc2] Same SessionID delivered to many c lients during session creation ?
Date Thu, 11 Oct 2001 16:52:14 GMT
A workaround for the useCookies under Apache+mod_ssl is to activate the
support for SSL in tomcat that is installing JSSE and uncommentting the
appopiate line in server.xml..

Hope that help, is not nice but will make work noCookies sessions in
your config..

Saludos ,
Ignacio J. Ortega


> -----Mensaje original-----
> De: Hans Schmid [mailto:Hans.Schmid@einsurance.de]
> Enviado el: jueves 11 de octubre de 2001 17:21
> Para: Tomcat-Dev
> Asunto: [Tomcat 3.3rc1 and 3.3rc2] Same SessionID delivered to many
> clients during session creation ?
> 
> 
> Hi developers,
> 
> 1.) First a note about an unanswered observation from the mailing list
> archive:
> we are experiencing exactly the same behaviour with Tomcat 3.3-rc1
> with mod_jk AJP1.3 Apache 1.3.19(Solaris 8 Sparc) when using SSL as
> described below.
> Thats why we had to changed to <SessionId cookiesFirst="true"
> noCookies="false" />
> 
> 2.)
> What we see using  <SessionId cookiesFirst="false" noCookies="true" />
> seems to result sometimes in weird behavior in a different 
> area as well:
> 
> Beeing in one Browser and entering data may cause this data to be
> displayed on a different Browser on a different machine. 
> (Same Application!)
> We can not reproduce this every time but it happens way too often.
> This is very critical.
> 
> 3.)
> How to reproduce this (may be):
> 
> We see the same sessionid appended to both URLs.
> This can be best reproduced by opening 2 Browsers, starting Tomcat and
> starting our Webapp in every Browser shortly after the other.
> (We are using Toplink which reads a huge XMLDescriptor file 
> the first time
> it gets invoked. So we have the chance to start the request 
> in the second
> Browser before the first page gets delivered)
> 
> As long as you start the request in the second Browser before 
> the request
> in the first Browser was finished (page delivered) you get the same
> jsessionid
> in the URL or the delivered page
> 
> <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=clkam0vi31">
> 
> 
> 
> Using curl tool on solaris we see the following:
> 
> root@zeus[/u/www/INT/einsurance/logs]% curl --help
> curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b)
> Usage: curl [options...] <url>
> Options: (H) means HTTP/HTTPS only, (F) means FTP only
> ...
> 
> for i in 1 2 3 4 5 6 7 8 9 10 ; do for j in 1 2 3 4 5 6 7 8 9 10 ; do
> curl -s 
> 'http://myserver:8080/einsurance/doEntry.do?pid=ph&b2bid=1&cpid=1' |
> grep jsessionid &  done; done > curl.out
> 
> 
> I would expect a new sessionid delivered for every curl 
> process requesting
> our entry page, but see the result:
> The same sessionid gets delivered many times  see the lines 
> marked with
> <-----
> 
> 
> ...
> [306] 14992
> [307] 14994
> [308] 14996
> [309] 14998
> [310] 15000
> [311] 15002
> [312] 15004
> [313] 15006
> [314] 15008
> [315] 15010
> [316] 15012
> [317] 15014
> [318] 15016
> [319] 15018
> [320] 15020
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=3riwydurm1">
>       <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=3riwydurm1">
>       <-----
> [321] 15022
> [322] 15024
> [323] 15026
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=l8t147urm3">
>        <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=l8t147urm3">
>        <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=c0upt7urm5">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=elbj0xurm6">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=hhp68surmb">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=b6wdxburma">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=b6wdxburma">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=sfq63nurm7">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=sfq63nurm7">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=j7gnguurmk">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=h2o8wlurmh">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>        <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>        <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>        <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>        <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=o63jz8urnh">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=o63jz8urnh">
> 
> 
> 
> This is really strange.
> 
> Should I file a bug about this?
> 
> 
> 
> Any Ideas?
> 
> Thanks and sorry for the long mail,
> Hans Schmid
> 
> einsurance Agency AG
> Information Technology
> Bayerstraße 33
> 80335 München
> 
> Tel: +49-89-55292- 860
> Fax: +49-89-55292- 855
> 
> eMail: Hans.Schmid@einsurance.de
> http://www.einsurance.de
> 
> 
> 
> 
> 
> 
> 
> Hello,
> 
> Noone seems to be able to answer this question (posted
> by other people) on the user's list, so I'm hoping
> eomeone on the dev list will be able to.
> 
> I am running Apache 1.3.20 (w/ open ssl),
> JDK 1.3, J2EE1.2.1 and Tomcat 3.2.3.
> 
> Session management works great with cookies, both
> across HTTP and HTTPS.  However, as soon as I turn
> cookies off, and use URL rewriting instead... URL
> rewriting ceases to work for HTTPS links (but still
> works fine on HTTP links) when I view the page under
> HTTP. Also, NOTHING is URL rewritten when the request
> was under HTTPS.
> 
> I created a test page that displays
> request.getRequestedSessionId(),
> request.isRequestedSessionIdFromURL() and
> request.isRequestedSessionIdValid().  After clicking
> on a link on this test page that is a URL encoded
> link back to itself, I have an appended ;jsessionid on
> my HTTP request.  All URL encoded HTTP links ARE URL
> encoded with the same session id, BUT none of the same
> (but in HTTPS) links are.  getRequestedSessionId()
> shows the correct session id,
> isRequestedSessionIdFromURL() shows True, and
> isRequestedSessionIdValid() is True.
> 
> Now, when I manually change the URL (WITH appended
> session ID) to HTTPS, NONE of the links are URL Encoded
> (http OR https).  However, getRequestedSessionId() STILL
> shows the correct session id,
> isRequestedSessionIdFromURL() STILL shows True, and
> isRequestedSessionIdValid() STILL is True.
> 
> So I seem to be having two problems.  #1) REGARDLESS of
> protocol, HTTPS links are NEVER URL Encoded.  #2) Though
> HTTP links ARE URL Encoded when my request is in HTTP,
> they ARE NOT URL Encoded when my request is in HTTPS.
> 
> Can someone shed some light on what is going on here?  I
> know (because of displaying getRequestedSessionId(),
> isRequestedSessionIdFromURL() and
> isRequestedSessionIDValid()) that my JSP page is getting
> all of the session information back, but it seems as if
> Tomcat doesn't know how to URL Encode properly for HTTPS
> links OR HTTPS requests.
> 
> Thanks in advance!!
> Raiden Johnson
> 
> p.s. I just upgraded to Tomcat 3.2.3, because I was having
> the same problem in 3.2.2
> 
> Hans Schmid
> 
> einsurance Agency AG
> Information Technology
> Bayerstraße 33
> 80335 München
> 
> Tel: +49-89-55292- 860
> Fax: +49-89-55292- 855
> 
> eMail: Hans.Schmid@einsurance.de
> http://www.einsurance.de
> Here is what we can reproduce:
> 
> 
> 
> root@zeus[/u/www/INT/einsurance/logs]% curl --help
> curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b)
> Usage: curl [options...] <url>
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Hans Schmid
> 
> einsurance Agency AG
> Information Technology
> Bayerstraße 33
> 80335 München
> 
> Tel: +49-89-55292- 860
> Fax: +49-89-55292- 855
> 
> eMail: Hans.Schmid@einsurance.de
> http://www.einsurance.de
> 
> 

Mime
View raw message