Return-Path: Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org Received: (qmail 40336 invoked by uid 500); 11 Oct 2001 16:12:57 -0000 Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: list-post: Reply-To: tomcat-dev@jakarta.apache.org Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 40326 invoked from network); 11 Oct 2001 16:12:57 -0000 Date: Thu, 11 Oct 2001 02:12:48 -0700 (PDT) From: X-X-Sender: To: Tomcat-Dev Subject: Re: [Tomcat 3.3rc1 and 3.3rc2] Same SessionID delivered to many clients during session creation ? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N Hi Hans, Could you turn on the debugging on SessionIdGenerator ? Are you using Linux or Solaris ? You should see "Generate new sessionid" for each request - and all session ids to be different. The random generator uses time and ( if available ) /dev/random - I can't see how it would have the same id. Costin On Thu, 11 Oct 2001, Hans Schmid wrote: > Hi developers, > > 1.) First a note about an unanswered observation from the mailing list > archive: > we are experiencing exactly the same behaviour with Tomcat 3.3-rc1 > with mod_jk AJP1.3 Apache 1.3.19(Solaris 8 Sparc) when using SSL as > described below. > Thats why we had to changed to noCookies="false" /> > > 2.) > What we see using > seems to result sometimes in weird behavior in a different area as well: > > Beeing in one Browser and entering data may cause this data to be > displayed on a different Browser on a different machine. (Same Application!) > We can not reproduce this every time but it happens way too often. > This is very critical. > > 3.) > How to reproduce this (may be): > > We see the same sessionid appended to both URLs. > This can be best reproduced by opening 2 Browsers, starting Tomcat and > starting our Webapp in every Browser shortly after the other. > (We are using Toplink which reads a huge XMLDescriptor file the first time > it gets invoked. So we have the chance to start the request in the second > Browser before the first page gets delivered) > > As long as you start the request in the second Browser before the request > in the first Browser was finished (page delivered) you get the same > jsessionid > in the URL or the delivered page > >

action="/einsurance/doShowStartPage.do;jsessionid=clkam0vi31"> > > > > Using curl tool on solaris we see the following: > > root@zeus[/u/www/INT/einsurance/logs]% curl --help > curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b) > Usage: curl [options...] > Options: (H) means HTTP/HTTPS only, (F) means FTP only > ... > > for i in 1 2 3 4 5 6 7 8 9 10 ; do for j in 1 2 3 4 5 6 7 8 9 10 ; do > curl -s 'http://myserver:8080/einsurance/doEntry.do?pid=ph&b2bid=1&cpid=1' | > grep jsessionid & done; done > curl.out > > > I would expect a new sessionid delivered for every curl process requesting > our entry page, but see the result: > The same sessionid gets delivered many times see the lines marked with > <----- > > > ... > [306] 14992 > [307] 14994 > [308] 14996 > [309] 14998 > [310] 15000 > [311] 15002 > [312] 15004 > [313] 15006 > [314] 15008 > [315] 15010 > [316] 15012 > [317] 15014 > [318] 15016 > [319] 15018 > [320] 15020 > action="/einsurance/doShowStartPage.do;jsessionid=3riwydurm1"> <----- > action="/einsurance/doShowStartPage.do;jsessionid=3riwydurm1"> <----- > [321] 15022 > [322] 15024 > [323] 15026 > action="/einsurance/doShowStartPage.do;jsessionid=l8t147urm3"> <----- > action="/einsurance/doShowStartPage.do;jsessionid=l8t147urm3"> <----- > action="/einsurance/doShowStartPage.do;jsessionid=c0upt7urm5"> > action="/einsurance/doShowStartPage.do;jsessionid=elbj0xurm6"> > action="/einsurance/doShowStartPage.do;jsessionid=hhp68surmb"> > action="/einsurance/doShowStartPage.do;jsessionid=b6wdxburma"> > action="/einsurance/doShowStartPage.do;jsessionid=b6wdxburma"> > action="/einsurance/doShowStartPage.do;jsessionid=sfq63nurm7"> > action="/einsurance/doShowStartPage.do;jsessionid=sfq63nurm7"> > action="/einsurance/doShowStartPage.do;jsessionid=j7gnguurmk"> > action="/einsurance/doShowStartPage.do;jsessionid=h2o8wlurmh"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> <----- > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> <----- > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> <----- > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> <----- > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn"> > action="/einsurance/doShowStartPage.do;jsessionid=o63jz8urnh"> > action="/einsurance/doShowStartPage.do;jsessionid=o63jz8urnh"> > > > > This is really strange. > > Should I file a bug about this? > > > > Any Ideas? > > Thanks and sorry for the long mail, > Hans Schmid > > einsurance Agency AG > Information Technology > Bayerstra�e 33 > 80335 M�nchen > > Tel: +49-89-55292- 860 > Fax: +49-89-55292- 855 > > eMail: Hans.Schmid@einsurance.de > http://www.einsurance.de > > > > > > > > Hello, > > Noone seems to be able to answer this question (posted > by other people) on the user's list, so I'm hoping > eomeone on the dev list will be able to. > > I am running Apache 1.3.20 (w/ open ssl), > JDK 1.3, J2EE1.2.1 and Tomcat 3.2.3. > > Session management works great with cookies, both > across HTTP and HTTPS. However, as soon as I turn > cookies off, and use URL rewriting instead... URL > rewriting ceases to work for HTTPS links (but still > works fine on HTTP links) when I view the page under > HTTP. Also, NOTHING is URL rewritten when the request > was under HTTPS. > > I created a test page that displays > request.getRequestedSessionId(), > request.isRequestedSessionIdFromURL() and > request.isRequestedSessionIdValid(). After clicking > on a link on this test page that is a URL encoded > link back to itself, I have an appended ;jsessionid on > my HTTP request. All URL encoded HTTP links ARE URL > encoded with the same session id, BUT none of the same > (but in HTTPS) links are. getRequestedSessionId() > shows the correct session id, > isRequestedSessionIdFromURL() shows True, and > isRequestedSessionIdValid() is True. > > Now, when I manually change the URL (WITH appended > session ID) to HTTPS, NONE of the links are URL Encoded > (http OR https). However, getRequestedSessionId() STILL > shows the correct session id, > isRequestedSessionIdFromURL() STILL shows True, and > isRequestedSessionIdValid() STILL is True. > > So I seem to be having two problems. #1) REGARDLESS of > protocol, HTTPS links are NEVER URL Encoded. #2) Though > HTTP links ARE URL Encoded when my request is in HTTP, > they ARE NOT URL Encoded when my request is in HTTPS. > > Can someone shed some light on what is going on here? I > know (because of displaying getRequestedSessionId(), > isRequestedSessionIdFromURL() and > isRequestedSessionIDValid()) that my JSP page is getting > all of the session information back, but it seems as if > Tomcat doesn't know how to URL Encode properly for HTTPS > links OR HTTPS requests. > > Thanks in advance!! > Raiden Johnson > > p.s. I just upgraded to Tomcat 3.2.3, because I was having > the same problem in 3.2.2 > > Hans Schmid > > einsurance Agency AG > Information Technology > Bayerstra�e 33 > 80335 M�nchen > > Tel: +49-89-55292- 860 > Fax: +49-89-55292- 855 > > eMail: Hans.Schmid@einsurance.de > http://www.einsurance.de > Here is what we can reproduce: > > > > root@zeus[/u/www/INT/einsurance/logs]% curl --help > curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b) > Usage: curl [options...] > > > > > > > > > > > > > > > > > > > > > > > > Hans Schmid > > einsurance Agency AG > Information Technology > Bayerstra�e 33 > 80335 M�nchen > > Tel: +49-89-55292- 860 > Fax: +49-89-55292- 855 > > eMail: Hans.Schmid@einsurance.de > http://www.einsurance.de >