tomcat-users mailing list archives

From "Shapira, Yoav" <Yoav.Shap...@mpi.com>
Subject RE: getting desperate here :)
Date Thu, 02 Dec 2004 15:13:48 GMT

Hi,
Messing with the JSESSIONID cookie by rewriting it is cruising for a
bruising.  If it's not browser differences (which seems to be your
case), then it would be an unhappy firewall, proxy, or NAT that gets
you.  That's why no one wants to dive into this Pandora's box I guess ;)

Yoav Shapira http://www.yoavshapira.com
 

>-----Original Message-----
>From: Alex Korneyev [mailto:akorneyev@mindspring.com]
>Sent: Thursday, December 02, 2004 10:06 AM
>Cc: 'Tomcat Users List '
>Subject: getting desperate here :)
>
>Hello all,
>
>      I have sent this one before, but I am hoping someone else has
>      had this particular problem.
>      __
>
>
> I am hoping someone has seen the following behavior.
>
> TomcatA sends a redirect to TomcatB.
>
> On the backend, I can see that TomcatB receives a JSESSIONID that was
> originally assigned to it by TomcatA;
>
> i.e. cookie = JSESSIONID=6EF95FA9AA98E608C555E28875F57054;
>
> I rewrite/reset the JSESSIONID (see the code below), but
> on the next request I see this:
>
> cookie = JSESSIONID=6EF95FA9AA98E608C555E28875F57054;
> JSESSIONID=2251830F6F64DEFC974C19C79F1EABAB
>
> For some reason using Mozilla works, but IE is the one that passes
> 2 JSESSIONID variables. Thoughts?
>
>        if (cookies != null && cookies.length > 0)
>        {
>            int len = cookies.length;
>            for (int i = 0; i < len; i++)
>            {
>                if (cookies[i].getName().equalsIgnoreCase("jsessionid"))
>                {
>                    cookies[i].setMaxAge(-1);
>                    cookies[i].setPath("/");
>                    _LOGGER.debug("COOKIE VALUE " + cookies[i].getValue());
>                    _LOGGER.debug("session id:  " + request.getSession().getId());
>                    _LOGGER.debug(" comp" + (request.getSession().getId().equals(cookies[i].getValue())));
>                    if (request.getSession().getId().equals(cookies[i].getValue()))
>                    {
>                        _LOGGER.debug("equal");
>                        response.addCookie(cookies[i]);
>                    }
>                    else
>                    {
>                        _LOGGER.debug("not equal");
>                        Cookie sessionCookie = new Cookie("JSESSIONID", request.getSession().getId());
>                        response.addCookie(sessionCookie);
>                    }
>                    foundCookie = true;
>                    _LOGGER.debug("updated session cookie");
>                }
>            }
>        }
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
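The request in the quoted message carries two JSESSIONID cookies, and nothing in the Cookie header tells the server which one is "newer": RFC 6265 orders cookies by path length and then by creation time, so a server-side parser that keys cookies by name is making a silent choice. The Python below is an added example, not code from this thread or from Tomcat. It parses a constructed Cookie header of the same shape, shows that the standard library's dict-keyed SimpleCookie keeps the last duplicate, and applies a conservative policy that honours a cookie value only when it is the single candidate mapping to a live session; otherwise it falls back to a fresh session rather than guess. The header, the LIVE_SESSIONS table and the is_valid_session hook are all constructed stand-ins for the container's own session lookup.

```python
"""Resolving a request that carries two JSESSIONID cookies.

Added example (not from the thread or Tomcat). The Cookie header below is
constructed to mirror the shape shown in the thread; the session table is
constructed too.
"""
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"

# Constructed sample header: two cookies with the same name on one request.
SAMPLE_COOKIE_HEADER = (
    "JSESSIONID=6EF95FA9AA98E608C555E28875F57054; "
    "JSESSIONID=2251830F6F64DEFC974C19C79F1EABAB"
)

# Constructed stand-in for the container's session table: only the second
# id corresponds to a session this server created.
LIVE_SESSIONS = {"2251830F6F64DEFC974C19C79F1EABAB"}


def cookie_pairs(header):
    """Split a Cookie request header into (name, value) pairs, keeping duplicates.

    Per RFC 6265 section 4.2.1 the header is name=value pairs separated by
    ';'; the first '=' separates name from value. Malformed pairs are skipped.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            continue
        pairs.append((name.strip(), value.strip()))
    return pairs


def session_id_candidates(header, name=SESSION_COOKIE):
    """Every value sent under the session cookie name, in header order."""
    return [value for cookie_name, value in cookie_pairs(header) if cookie_name == name]


def stdlib_collapsed_value(header, name=SESSION_COOKIE):
    """What a dict-keyed parser reports: SimpleCookie keeps the last duplicate."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None


def resolve_session_id(header, is_valid_session, name=SESSION_COOKIE):
    """Return the session id to honour, or None to start a fresh session.

    Policy: use a cookie value only if it is the single candidate that maps
    to a live session. Zero live candidates means a new session; two or more
    is ambiguous, and header order cannot break the tie (RFC 6265 section
    5.4 orders cookies by path length, then creation time), so refuse rather
    than guess.
    """
    live = [c for c in session_id_candidates(header, name) if is_valid_session(c)]
    if len(live) == 1:
        return live[0]
    return None


if __name__ == "__main__":
    print("candidates:", session_id_candidates(SAMPLE_COOKIE_HEADER))
    print("SimpleCookie keeps:", stdlib_collapsed_value(SAMPLE_COOKIE_HEADER))
    print("resolved:", resolve_session_id(SAMPLE_COOKIE_HEADER, LIVE_SESSIONS.__contains__))
```

In a servlet the equivalent inputs come from `request.getCookies()` (which returns every cookie, duplicates included) and `request.isRequestedSessionIdValid()`; the point of the policy above is to make the "two ids, which one?" case an explicit decision instead of whatever the first or last match happens to be.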
