tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Session problem -- sessions being recreated, browser related?
Date Wed, 04 Apr 2001 01:30:07 GMT

On Tue, 3 Apr 2001, Milt Epstein wrote:

> On a servlet-based application I have, I'm getting sporadic reports of
> problems from users.  The symptoms are similar to what happens when
> cookies are disabled (but they aren't, because I had the users check).
> Basically, they can't get past the front page of the application,
> because it won't let them without a valid session (recall that session
> access is handled via cookies -- I'm not using URL Rewriting).  And
> each time they try, Tomcat is creating a new session for them (and
> giving them a new cookie).  Apparently, it's not recognizing the
> existing session.
> Now, this is only happening to a small subset of the users.  I haven't
> isolated a pattern yet, but it may only be happening from certain
> machines.  And the couple of machines I have found the problem on so
> far are both using Internet Explorer version 4.0.  So that might be a
> factor.  (I don't have 4.0 myself, but I did find an old copy of 3.02,
> and it works OK with that.)
> Oh, a bit of background -- we switched over from using Netscape
> Enterprise Server and ServletExec to Apache/Tomcat a couple of weeks
> ago, and the problem seems to have only started occurring since then.
> So it does appear to be something Apache/Tomcat-specific.

One potential behavior difference might be in how the session cookies are
generated.  Tomcat sets the path of the cookie to be equal to the context
path of the web application to which this cookie belongs -- I don't know
if NES and ServletExec do that.  If they don't, you might see the same
session cookie come back in on a URL that is not really part of the same
webapp, where that would *not* happen with Tomcat.

A potential client-side issue can happen if you have two context paths
with one being the proper prefix of another (i.e. "/foo" and
"/foo/bar" both being webapps).  If a user has sessions in both, then
*two* session cookies will be included on requests received by the
/foo/bar webapp.  Tomcat relies on the client to follow the RFC rules and
list the cookie for the longer path first (since there is no other way to
distinguish the two).  You might want to put a network trace on and make
sure your clients really do that, if you have webapps like this.

> Thanks.
> Milt Epstein
> Research Programmer
> Software/Systems Development Group
> Computing and Communications Services Office (CCSO)
> University of Illinois at Urbana-Champaign (UIUC)
Craig McClanahan

View raw message