tomcat-dev mailing list archives

From "Hans Schmid" <Hans.Sch...@einsurance.de>
Subject [Tomcat 3.3rc1 and 3.3rc2] Same SessionID delivered to many clients during session creation ?
Date Thu, 11 Oct 2001 17:43:09 GMT
Costin,

(I'm not subscribed here at work so I have to use an archive)


I am experiencing this on Windows 2000 SP2 (locally) as well as on Solaris 8.
Here are more details:

Thanks for the tip with the debugging set in SessionIdGenerator:

Starting Tomcat and requesting 2 Sessions from 2 Browsers as described
before:

2001-10-11 19:21:57 - Http10Interceptor: Starting on 8080
2001-10-11 19:21:57 - Ajp12Interceptor: Starting on 8007
EmbededTomcat: Startup time 60
2001-10-11 19:21:57 - Ajp13Interceptor: Starting on 8009
2001-10-11 19:22:03 - SessionIdGenerator: Created random class java.util.Random
2001-10-11 19:22:03 - SessionIdGenerator: Generate new session id hmwxl5ysd1
2001-10-11 19:22:07 - SessionIdGenerator: Generate new session id slfjsuysf1


So we really get 2 different SessionIds!

But when I do a 'View Source' on my delivered page (2 times the same entry
point)
I see the following:

First browser (first request; I would expect hmwxl5ysd1, the first generated
sessionid):


      <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=hmwxl5ysd1">

^^^^^^^^^^
		<table border="0" cellpadding="0" cellspacing="0" width="100%">
        <tbody>
          <tr>

Superb, correct, but:
Second browser (second request sent before the first browser delivered the page):

      <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=hmwxl5ysd1">

^^^^^^^^^^
		<table border="0" cellpadding="0" cellspacing="0" width="100%">
        <tbody>
          <tr>

And here we have again the first generated sessionid instead of the second one
'slfjsuysf1'!

So it seems the SessionIds get generated correctly, but the first one gets
delivered to all output.
Just double-checked with 3 browsers, 2 IE5.5 and 1 Mozilla 0.9.5. Same result:
2001-10-11 19:38:00 - Http10Interceptor: Starting on 8080
2001-10-11 19:38:00 - Ajp12Interceptor: Starting on 8007
EmbededTomcat: Startup time 80
2001-10-11 19:38:00 - Ajp13Interceptor: Starting on 8009
2001-10-11 19:38:05 - SessionIdGenerator: Created random class java.util.Random
2001-10-11 19:38:05 - SessionIdGenerator: Generate new session id nah9m4z5q1
2001-10-11 19:38:11 - SessionIdGenerator: Generate new session id ky0rmjz5t1
2001-10-11 19:38:15 - SessionIdGenerator: Generate new session id 351cc3z5v1


All three start pages show
      <form name="form1" method="post"
action="/einsurance/doShowStartPage.do;jsessionid=nah9m4z5q1">

always the first generated SessionId.


Thanks for looking into this. This is a major thing, I guess.

Best regards,
Hans Schmid

einsurance Agency AG
Information Technology
Bayerstraße 33
80335 München

Tel: +49-89-55292- 860
Fax: +49-89-55292- 855

eMail: Hans.Schmid@einsurance.de
http://www.einsurance.de



Hi Hans,

Could you turn on the debugging on SessionIdGenerator ? Are you using
Linux or Solaris ?

You should see "Generate new sessionid" for each request - and all session
ids to be different. The random generator uses time and ( if available )
/dev/random - I can't see how it would have the same id.

Costin

On Thu, 11 Oct 2001, Hans Schmid wrote:

> Hi developers,
>
> 1.) First a note about an unanswered observation from the mailing list
> archive:
> we are experiencing exactly the same behaviour with Tomcat 3.3-rc1
> with mod_jk AJP1.3 Apache 1.3.19(Solaris 8 Sparc) when using SSL as
> described below.
> That's why we had to change to <SessionId cookiesFirst="true"
> noCookies="false" />
>
> 2.)
> What we see using  <SessionId cookiesFirst="false" noCookies="true" />
> seems to result sometimes in weird behavior in a different area as well:
>
> Being in one Browser and entering data may cause this data to be
> displayed on a different Browser on a different machine. (Same
> Application!)
> We can not reproduce this every time but it happens way too often.
> This is very critical.
>
> 3.)
> How to reproduce this (may be):
>
> We see the same sessionid appended to both URLs.
> This can be best reproduced by opening 2 Browsers, starting Tomcat and
> starting our Webapp in every Browser shortly after the other.
> (We are using Toplink which reads a huge XMLDescriptor file the first time
> it gets invoked. So we have the chance to start the request in the second
> Browser before the first page gets delivered)
>
> As long as you start the request in the second Browser before the request
> in the first Browser was finished (page delivered) you get the same
> jsessionid
> in the URL or the delivered page
>
> <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=clkam0vi31">
>
>
>
> Using curl tool on solaris we see the following:
>
> root@zeus[/u/www/INT/einsurance/logs]% curl --help
> curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b)
> Usage: curl [options...] <url>
> Options: (H) means HTTP/HTTPS only, (F) means FTP only
> ...
>
> for i in 1 2 3 4 5 6 7 8 9 10 ; do for j in 1 2 3 4 5 6 7 8 9 10 ; do
> curl -s 'http://myserver:8080/einsurance/doEntry.do?pid=ph&b2bid=1&cpid=1' |
> grep jsessionid &  done; done > curl.out
>
>
> I would expect a new sessionid delivered for every curl process requesting
> our entry page, but see the result:
> The same sessionid gets delivered many times  see the lines marked with
> <-----
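
A check for the symptom reported in this message, as an added example that is not part of the original post or of Tomcat: it compares the ids in the SessionIdGenerator debug log with the `;jsessionid=` values in pages returned to independent, cookie-less clients. The client labels, function names and sample data are assumptions, constructed from the values quoted above.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the log lines and form tags in the report.
SAMPLE_LOG = """\
2001-10-11 19:38:05 - SessionIdGenerator: Generate new session id nah9m4z5q1
2001-10-11 19:38:11 - SessionIdGenerator: Generate new session id ky0rmjz5t1
2001-10-11 19:38:15 - SessionIdGenerator: Generate new session id 351cc3z5v1
"""
FORM = '<form name="form1" method="post" action="/einsurance/doShowStartPage.do;jsessionid=%s">'
# Hypothetical client labels; every page carries the first id, as reported.
SAMPLE_PAGES = {name: FORM % "nah9m4z5q1" for name in ("ie-1", "ie-2", "mozilla")}

GENERATED = re.compile(r"SessionIdGenerator: Generate new session id (\w+)")
DELIVERED = re.compile(r";jsessionid=(\w+)")

def generated_ids(log_text):
    """Session ids the server logged as newly created, in log order."""
    return GENERATED.findall(log_text)

def delivered_ids(pages):
    """Map each id found in a rewritten URL to the set of clients that received it."""
    seen = defaultdict(set)
    for client, body in pages.items():
        for sid in DELIVERED.findall(body):
            seen[sid].add(client)
    return seen

def audit(log_text, pages):
    """Compare generated ids with the ids delivered to independent clients."""
    gen = generated_ids(log_text)
    seen = delivered_ids(pages)
    return {
        # One id handed to several clients: the cross-session leak described above.
        "shared": {sid: sorted(c) for sid, c in seen.items() if len(c) > 1},
        # Ids the generator created that no client ever received.
        "never_delivered": [sid for sid in gen if sid not in seen],
        # Ids in responses that the generator never logged.
        "unknown": sorted(sid for sid in seen if sid not in gen),
        # Clients whose page carried no rewritten URL at all.
        "no_id": sorted(c for c, body in pages.items() if not DELIVERED.search(body)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_PAGES))
```

A healthy run has empty `shared`, `never_delivered` and `unknown` entries; any value in `shared` means two clients would act inside the same server-side session.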

