From "Williams, Allen" <>
Subject RE: Session IDs & XMLHttpRequests
Date Tue, 22 May 2007 18:50:38 GMT
Yeah, I'm already sending some stuff over by URL anyway, but there seems
to be some concern floating around the net regarding session hijacking
if the session ID is readily available.  However, although I wouldn't
pretend to be an expert.

Anyway, I took Christopher's advice, and deleted all the cookies, even
restarted my browser (it's been running for several days), and did some
testing.  I now have two (2!) JSESSIONIDs in my browser, as well as
userid and password cookies, but on the server side, it says no cookies
were sent.

And, I finally found the "Headers" section under "Net" in Firebug.  As
near as I can decipher this, all my requests are sending a JSESSIONID
cookie *except* the one for the XMLHttpRequest.  The first time running
after deleting all the cookies, that request doesn't have any cookies.
Because a session gets created, from that point forward it has the
session it created with it sent back in the request header, but, of
course, that session doesn't have any of the attributes stored in it.
Looking at these cookies with the WebDeveloper tools in Firefox, the
difference is that the new one created during the XMLHttpRequest is
associated with a "/" path, the other one (the "real" one) with
"/myAppName" path.

Is it possible the difference in these path associations has something
to do with not finding the session?  I do use a different URL mapping
for this servlet because of a "CheckUser" problem I had way back that
started this whole chain.

Next step is to download Frank's and get
that to work (also, I see what you mean by Headers under Firebug
Console, now, too - it is also repeated under Firebug Net).

> -----Original Message-----
> From: Christopher Schultz [] 
> Sent: Tuesday, May 22, 2007 10:04 AM
> To: Tomcat Users List
> Subject: Re: Session IDs & XMLHttpRequests
> Allen,
> Williams, Allen wrote:
> > Will it work with POST as well as GET?  Although I guess I'll soon find
> > out ;-)
> It should work equally well with GET and POST. The browser should send
> cookies with every type of request (not just GET and POST).
> I strongly encourage you to make arrangements for non-cookie-using
> people. When you emit the HTML (and javascript) to make your
> XMLHttpRequest, try making the URL dynamic and running it through
> HttpServletResponse.encodeURL to add the jsessionid to the 
> URL if necessary.
> This will make your application a little more friendly to those who
> either don't have cookies available (usually an IT policy in an office
> or something) or who choose to turn them off. I find this to be
> courteous to your users.
> Just my .02.
> - -chris

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:
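The two pieces of Christopher's advice, and the diagnostic Allen is doing by hand in Firebug, can be put into a pair of servlets. The code below is an added illustration, not from this thread or from Tomcat itself: the servlet class names, the `/checkUser` mapping, and the `userid` attribute are assumptions, and the two classes are meant to live in separate source files. The page servlet runs the XMLHttpRequest URL through `HttpServletResponse.encodeURL`, which appends `;jsessionid=...` only while the container has not yet seen the session cookie come back from the client; the endpoint reports, using the standard `HttpServletRequest` methods, where the session ID came from and whether it resolved to an existing session.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical page servlet (PageServlet.java): emits the HTML and JavaScript
// that issue the XMLHttpRequest.
public class PageServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);   // the "real" session
        session.setAttribute("userid", req.getParameter("userid"));

        // Keep the XHR URL under the same context path as the page, so the
        // browser's cookie-path match sends the existing JSESSIONID cookie
        // (a cookie scoped to /myAppName is not sent to a URL outside it).
        // encodeURL adds ;jsessionid=... only when the client has not yet
        // proven it returns the cookie, so the ID stays out of URLs for
        // cookie-enabled browsers.
        String xhrUrl = resp.encodeURL(req.getContextPath() + "/checkUser");

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><script type=\"text/javascript\">");
        out.println("var xhr = new XMLHttpRequest();");
        out.println("xhr.open('GET', '" + xhrUrl + "', true);");
        out.println("xhr.onreadystatechange = function() {");
        out.println("  if (xhr.readyState == 4) {");
        out.println("    document.getElementById('out').innerHTML = xhr.responseText;");
        out.println("  }");
        out.println("};");
        out.println("xhr.send(null);");
        out.println("</script><pre id=\"out\"></pre></body></html>");
    }
}

// Hypothetical XHR endpoint (CheckUserServlet.java), mapped to /checkUser in
// web.xml. It never creates a session itself (getSession(false)), so a request
// that arrives without the cookie shows up as "session found : false" instead
// of silently minting a second, empty JSESSIONID.
public class CheckUserServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("requested session id : " + req.getRequestedSessionId());
        out.println("id came from cookie  : " + req.isRequestedSessionIdFromCookie());
        out.println("id came from URL     : " + req.isRequestedSessionIdFromURL());
        out.println("id is valid          : " + req.isRequestedSessionIdValid());
        HttpSession session = req.getSession(false);
        out.println("session found        : " + (session != null));
        if (session != null) {
            out.println("userid attribute     : " + session.getAttribute("userid"));
        }
    }
}
```

Loading the page and reading the `<pre>` output gives the same answer as the Firebug header inspection: if `id came from cookie` is false on every XHR while the normal page requests carry the cookie, the problem is cookie scope (path or host) rather than the servlet, and the two-JSESSIONID symptom described above is the second servlet creating its own session. Using `getSession(false)` on the endpoint also means a lost session fails visibly rather than quietly producing an attribute-less one.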
