tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hans Schmid" <Hans.Sch...@einsurance.de>
Subject [Tomcat 3.3rc1 and 3.3rc2] Same SessionID delivered to many clients during session creation ?
Date Thu, 11 Oct 2001 15:20:39 GMT
Hi developers,

1.) First a note about an unanswered observation from the mailing list
archive:
we are experiencing exactly the same behaviour with Tomcat 3.3-rc1
with mod_jk AJP1.3 Apache 1.3.19(Solaris 8 Sparc) when using SSL as
described below.
Thats why we had to changed to <SessionId cookiesFirst="true"
noCookies="false" />

2.)
What we see using  <SessionId cookiesFirst="false" noCookies="true" />
seems to result sometimes in weird behavior in a different area as well:

Beeing in one Browser and entering data may cause this data to be
displayed on a different Browser on a different machine. (Same Application!)
We can not reproduce this every time but it happens way too often.
This is very critical.

3.)
How to reproduce this (may be):

We see the same sessionid appended to both URLs.
This can be best reproduced by opening 2 Browsers, starting Tomcat and
starting our Webapp in every Browser shortly after the other.
(We are using Toplink which reads a huge XMLDescriptor file the first time
it gets invoked. So we have the chance to start the request in the second
Browser before the first page gets delivered)

As long as you start the request in the second Browser before the request
in the first Browser was finished (page delivered) you get the same
jsessionid
in the URL or the delivered page

<form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=clkam0vi31">



Using curl tool on solaris we see the following:

root@zeus[/u/www/INT/einsurance/logs]% curl --help
curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b)
Usage: curl [options...] <url>
Options: (H) means HTTP/HTTPS only, (F) means FTP only
...

for i in 1 2 3 4 5 6 7 8 9 10 ; do for j in 1 2 3 4 5 6 7 8 9 10 ; do
curl -s 'http://myserver:8080/einsurance/doEntry.do?pid=ph&b2bid=1&cpid=1' |
grep jsessionid &  done; done > curl.out


I would expect a new sessionid delivered for every curl process requesting
our entry page, but see the result:
The same sessionid gets delivered many times  see the lines marked with
<-----


...
[306] 14992
[307] 14994
[308] 14996
[309] 14998
[310] 15000
[311] 15002
[312] 15004
[313] 15006
[314] 15008
[315] 15010
[316] 15012
[317] 15014
[318] 15016
[319] 15018
[320] 15020
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=3riwydurm1">      <-----
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=3riwydurm1">      <-----
[321] 15022
[322] 15024
[323] 15026
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=l8t147urm3">       <-----
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=l8t147urm3">       <-----
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=c0upt7urm5">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=elbj0xurm6">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=hhp68surmb">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=b6wdxburma">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=b6wdxburma">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=sfq63nurm7">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=sfq63nurm7">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=j7gnguurmk">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=h2o8wlurmh">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">       <-----
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">       <-----
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">       <-----
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">       <-----
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=o63jz8urnh">
            <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=o63jz8urnh">



This is really strange.

Should I file a bug about this?



Any Ideas?

Thanks and sorry for the long mail,
Hans Schmid

einsurance Agency AG
Information Technology
Bayerstraße 33
80335 München

Tel: +49-89-55292- 860
Fax: +49-89-55292- 855

eMail: Hans.Schmid@einsurance.de
http://www.einsurance.de







Hello,

Noone seems to be able to answer this question (posted
by other people) on the user's list, so I'm hoping
eomeone on the dev list will be able to.

I am running Apache 1.3.20 (w/ open ssl),
JDK 1.3, J2EE1.2.1 and Tomcat 3.2.3.

Session management works great with cookies, both
across HTTP and HTTPS.  However, as soon as I turn
cookies off, and use URL rewriting instead... URL
rewriting ceases to work for HTTPS links (but still
works fine on HTTP links) when I view the page under
HTTP. Also, NOTHING is URL rewritten when the request
was under HTTPS.

I created a test page that displays
request.getRequestedSessionId(),
request.isRequestedSessionIdFromURL() and
request.isRequestedSessionIdValid().  After clicking
on a link on this test page that is a URL encoded
link back to itself, I have an appended ;jsessionid on
my HTTP request.  All URL encoded HTTP links ARE URL
encoded with the same session id, BUT none of the same
(but in HTTPS) links are.  getRequestedSessionId()
shows the correct session id,
isRequestedSessionIdFromURL() shows True, and
isRequestedSessionIdValid() is True.

Now, when I manually change the URL (WITH appended
session ID) to HTTPS, NONE of the links are URL Encoded
(http OR https).  However, getRequestedSessionId() STILL
shows the correct session id,
isRequestedSessionIdFromURL() STILL shows True, and
isRequestedSessionIdValid() STILL is True.

So I seem to be having two problems.  #1) REGARDLESS of
protocol, HTTPS links are NEVER URL Encoded.  #2) Though
HTTP links ARE URL Encoded when my request is in HTTP,
they ARE NOT URL Encoded when my request is in HTTPS.

Can someone shed some light on what is going on here?  I
know (because of displaying getRequestedSessionId(),
isRequestedSessionIdFromURL() and
isRequestedSessionIDValid()) that my JSP page is getting
all of the session information back, but it seems as if
Tomcat doesn't know how to URL Encode properly for HTTPS
links OR HTTPS requests.

Thanks in advance!!
Raiden Johnson

p.s. I just upgraded to Tomcat 3.2.3, because I was having
the same problem in 3.2.2

Hans Schmid

einsurance Agency AG
Information Technology
Bayerstraße 33
80335 München

Tel: +49-89-55292- 860
Fax: +49-89-55292- 855

eMail: Hans.Schmid@einsurance.de
http://www.einsurance.de
Here is what we can reproduce:



root@zeus[/u/www/INT/einsurance/logs]% curl --help
curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b)
Usage: curl [options...] <url>























Hans Schmid

einsurance Agency AG
Information Technology
Bayerstraße 33
80335 München

Tel: +49-89-55292- 860
Fax: +49-89-55292- 855

eMail: Hans.Schmid@einsurance.de
http://www.einsurance.de


Mime
View raw message