tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Ruthenbeck <>
Subject Sessions and proxies (Split From: Tomcat 4 losing session (may be related to Win XP))
Date Thu, 06 Nov 2003 19:24:39 GMT

>Thanks for the reply, don't want to hijack the thread.

The list thanks you for your courtesy.  :)  This is now in it's own thread.

>I don't think it's a question of cached pages, but proxyserver does seem 
>be doing something.  The first page is a login, and when it's submitted, 
>request passes a query string that calls the servlet.  Servlet creates a 
>session and I can see a new cookie containing JSESSIONID.  The servlet 
>displays results from a db query.  Any further requests, whether to scroll
>the results, add new record, or view individual record causes the 
>servlet to
>create a new session because request.getSession(true) is called and 
>find the cookie in the request.  Accessing the web app from inside the 
>works okay.

I'm a bit unclear as to exactly what's happening, but I'll try anyways.

If Tomcat receives no JESSIONID or an invalid JSESSIONID, calling 
HttpServletRequest#getSession(true) will create a new HttpSession with a 
new sessionId.  This is why you're seeing each request have a different 
sessionId in your logs.

At 08:44 AM 11/6/2003, you wrote:
>How would I do that?  Add to the query string?

You can either go about trying to patch your app together by appending 
values to query strings and the like, or you can put in the effort to get 
it working right (can you tell I'm biased towards the later?).

You mentioned that you tested the app from behind the proxy and it worked 
correctly.  The next question is, if you look at the responses from in 
front of the proxy, are they still correct?  The working theory is that 
they won't be, but you won't really know until you have Http message 
examples from both in front and behind the proxy.  Like I said before, 
setup a simple http proxy (these are *really* simple to use) to log your 
http messages.  Check out the cookies and params being sent back and 
forth.  Once you've proven that your proxy is messing with the 
JSESSIONID, figure out how to fix it.

That's the robust, permanent solution.



>-----Original Message-----
>From: Phillip Qin []
>Sent: Thursday, November 06, 2003 8:55 AM
>To: 'Tomcat Users List'
>Subject: RE: Tomcat 4 losing session (may be related to Win XP)
>Have you tried to append jsessionid?
>-----Original Message-----
>From: Justin Ruthenbeck []
>Sent: November 5, 2003 9:32 PM
>To: Tomcat Users List
>Subject: RE: Tomcat 4 losing session (may be related to Win XP)
>At 04:14 PM 11/5/2003, you wrote:
> >I've been pulling hair out for several days with what turns out to be 
> the
> >same problem, except it's occurring on a Windows 2000 Server running 
> >5.0
> >and Tomcat 4.1.24.  The logs show that the first request to a servlet 
> done
> >via POST gets a different session id than the follow-on request via 
> GET to
> >the same servlet, same URL.
> >The same app works fine on another Win2K server running Apache.  The one
> >that doesn't work is behind a proxy server doing proxypassdir's to map 
> a
> >URL
> >to an internal IP.  Could this be the problem, or is it an IIS thing?
>If you really want to see what's happening, put your own proxy between
>the client and the first server on your backend (I use zproxy -- google
>for it) to look at the http messages going back and forth.  Check the
>response that you're getting from Tomcat and note the JSESSIONID provided
>after the first call.  See what JSESSIONID the client machine sends
>back.  You can put the same proxy (or any http-level sniffer) between any
>of the servers and see who's passing what.
>If you've established that Tomcat is receiving two different sessionId
>values, then you can be sure there's a mixup somewhere else (and the more
>hands you've got in the cookie jar, the more chances someone else is
>screwing things up).
> >Wendell Holmes
> >-----Original Message-----
> >From: Justin Ruthenbeck []
> >Sent: Wednesday, November 05, 2003 4:25 PM
> >To: Tomcat Users List
> >Subject: Re: Tomcat 4 losing session (may be related to Win XP)
> >
> >
> >
> >Are the sessions the same between the two calls?  That is, when you call
> >HttpSession#getId() for each of them do you get the same id back?
> >
> >justin
> >
> >At 02:27 PM 11/5/2003, you wrote:
> > >Hi all,
> > >
> > >I've come across a situation I can't figure out and I'm wondering if 
> it
> > >has to do with the fact that this is the first time we've installed
> > >Tomcat on Windows XP Prof.
> > >
> > >Symptom: Tomcat loses session.  If you set up a very simple two JSP
> > >process where page 1 stuffs (setAttribute) something into the session,
> > >and page 2 displays it, the value comes back as null
> > >
> > >Tests: if I copy the two JSPs to the examples directory included in 
> the
> > >Tomcat distribution, the pages perform properly.  If I create my own
> > >context and execute the pages from there, the getAttribute returns 
> null.
> > >
> > >I created the context by duplicating the context in the server.xml 
> file
> > >and pretty much just changing the codebase.
> > >
> > >Other environment info: running behind Apache2 (latest), on port 8082
> > >(http) and 8009 (AJP13) because Oracle Servlet Engine shows up on port
> > >8080 (side note: anyone have info on how to get the flying pig to go
> > >away when you've uninstalled the Oracle HTTP server???); JDK 1.4.*, 
> and
> > >this is Tomcat 4 (latest).
> > >
> > >The exact same set up works fine on Windows 2003 and Windows 2000 
> Prof.
> > >And this machine works fine as a client to the server running on any
> > >other machine, so it's not a cookie issue I don't think.
> > >
> > >Am I missing something obvious?  Could it be permission-related?
> > >Something in the way the session data is stored on disk?  Sure would
> > >appreciate any advice.
> > >
> > >Andrew Longley
> > >Senior Software Developer
> > >MindFlow Technologies, Inc.
> > >
>To unsubscribe, e-mail:
>For additional commands, e-mail:

At 09:54 AM 11/6/2003, you wrote:

>Thanks for the reply, don't want to hijack the thread.
>I tried accessing from behind the firewall/proxy and the app works okay, 
>so it looks like there is a problem with the request coming back through 
>the proxyserver w/o the correct cookie.  The tomcat access log shows 
>each request has a different jsessionid, but I don't know exactly when 
>that's being created and given to the browser client.  The applet's 
>service method immediately calls request.getSession(true), which would 
>create a new session if one didn't exist, but I'm not sure how that 
>would happen and still have the new sessionid be included in the access 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message