tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Funk <funk...@joedog.org>
Subject Re: Tomcat - Automatically writes a session?
Date Wed, 21 Jan 2004 01:14:13 GMT
I'm old school. I still use telnet. For example, from any unix (or cygwin) 
prompt:

funkman@fever: telnet www.travelusa.com 80
Trying 64.58.141.168...
Connected to travelusa.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.travelusa.com
Connection: close

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=08C6F968CE52476E25202D9B3B41B4C3; Path=/
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 21 Jan 2004 02:27:55 GMT
Server: Apache Coyote/1.0
Connection: close

Yup - I see a cookie being set. Are there are filters on the webapp? Look for 
  <filter> in web.xml.

Is you index page performing a request dispatcher forward?
Are you sure the page is being after being edited to session=false is being 
recompiled. I sometimes use HTML comments to verify the page was recompiled.


-Tim

neal cabage wrote:

> Which tool are you guys using to view your http response header?  I'm using the following:
>  
> http://www.searchengineworld.com/cgi-bin/servercheck.cgi
>  
> Do you see the cookie being set using this tool?
>  
> What sort of filters should I be looking for that could be setting a cookie?  btw - my
config is just straight Tomcat 4.1, no Apache. If you want to see an example of what I'm seeing,
please go to http://www.travelusa.com/.  
>  
> If you can recommend any filters or anything else like that I should be looking at, please
let me know.  
>  
> Thanks for your help.
>  
> Neal
> 
> 
> Jeff Tulley <JTULLEY@novell.com> wrote:
> Yeah, I see the same thing. No jsessionId in the header. with session="false" %>
> 
>>>>funkman@joedog.org 1/20/04 3:31:31 PM >>>
> 
> Its on by default because the spec says so.
> 
> Are you sure you don't have a filter or anything else creating a
> session?
> 
> I created a page called cowbell with this content with tomcat 4.1:
> --------------------------------------------------
> 
> foo
> --------------------------------------------------
> 
> Then simulated a web browser:
> --------------------------------------------------
> funkman@fever: telnet localhost 8080
> Trying 127.0.0.1...
> Connected to fever.joedog.org.
> Escape character is '^]'.
> GET /cowbell.jsp HTTP/1.1
> Host: fever.joedog.org:8080
> Connection: close
> 
> HTTP/1.1 200 OK
> Content-Type: text/html;charset=ISO-8859-1
> Content-Length: 5
> Date: Tue, 20 Jan 2004 22:28:20 GMT
> Server: Apache-Coyote/1.1
> Connection: close
> 
> 
> foo
> Connection closed by foreign host.
> --------------------------------------------------
> 
> -Tim
> 
> neal cabage wrote:
> 
> 
>>Unfortunately this isn't working either. In addition to the session="false"%>directive
in my JSP, I have also set the
> 
> cookies="false" attribute in my server.xml file, for the host in
> question. It is *still* happening! 
> 
>>Perhaps this is a Tomcat bug, as previously suggested? Correct me if
> 
> I'm wrong, but doesn't this imply a *HUGE* waist of RAM resources to be
> writing a cookie like this by default? Why on earth would a web app do
> this by default? Are there any other ways to shut it off? It was
> mentioned in the previous thread to look at the servlet being compiled,
> which may be a good idea - but I don't know what the solution will be if
> it is in fact compiling the servlet incorrectly. Any other config opps
> to choke it off?
> 
>>Neal
>>
>>
>>Torsten Fohrer wrote:
>>
>>tomcat sents automatically a cookie named jsessionid for session
> 
> maintain to a 
> 
>>browser. with cookies="false" as a context attrribute you disable
> 
> this 
> 
>>behaviour
>>
>>
>>
>>from tomcat documentation:
>>
>>------
>>cookies 
>>
>>Set to true if you want cookies to be used for session identifier 
>>communication if supported by the client (this is the default). Set
> 
> to false 
> 
>>if you want to disable the use of cookies for session identifier 
>>communication, and rely only on URL rewriting by the application.
>>----
>>
>>or
>>http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/context.html 
>>
>>cu Torsten Fohrer
>>
>>
>>On Tuesday 20 January 2004 20:58, you wrote:
>>
>>
>>>Verify in your JSP's .java file that sessions are really being
> 
> turned
> 
>>>off. Look to see if there is a
>>>session=pageContext.getSession()
>>>
>>>Also, I think the call to
>>>pageContext = _jspxFactory.getPageContext(.....
>>>
>>>Needs to have "false" as the 3rd to last argument.
>>>
>>>
>>>
>>>>>>fiol.bonnin@terra.es 1/20/04 12:39:54 PM >>>
>>>
>>>Neal wrote:
>>>
>>>
>>>>I used the tag "" which does appear correct,
>>>>but I'm still seeing that header:
>>>>
>>>>"Set-Cookie: JSESSIONID=97C8777F16379B8EC2CD17273CE35C3C; Path=/"
>>>>
>>>>There are two reasons why I want to get rid of this:
>>>>
>>>>1. I assume I'm waiting server resources holding open a session for
>>>>every user, unnecessarily.
>>>>
>>>>2. I've been told this may prevent Google from properly spidering
> 
> the
> 
>>>>site.
>>>>
>>>>
>>>>Can you please shed any more light on how to fix this potential
>>>
>>>issue?
>>>
>>>
>>>
>>>Probably not, but I will try...
>>>
>>>Did you clear the cookies on your browser? If the browser is saying
>>>"Hi!
>>>XXX is my session ID", then, (iif that session exists), tomcat is
> 
> free
> 
>>>of saying "Hi! keep your session ID, which is XXX"
>>>
>>>Other than that, no idea. I have never struggled to avoid cookies.
>>>Sorry. I was only echoing something I have read in the past.



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message