tomcat-users mailing list archives

From "Williams, Allen" <awill...@harris.com>
Subject RE: Session IDs & XMLHttpRequests
Date Tue, 22 May 2007 19:39:22 GMT
OK, I have FOUND the problem, and for the continued edification of the
community will share my results, as well as ask one more question that
hopefully some of you gurus can answer.

Yes, it had to do with the path.  When I went back and associated this
servlet with a valid path "used" path but still without the "CheckUser"
involved, updating through my mod_jk.conf, my web.xml for the mappings,
and, of course, the script itself, it picked up the right session id and
the world is good.

Now, for the question: how is this ancillary information stored?  When I
look at the cookie in Firebug or print it out in the servlet, all I see
is "JSESSIONID=blah, blah, blah", but when I look at it in Web
Developer, I see the path associated with it, the expiration date, and
other info.  Where is that stored, and can it be accessed (like the
path, for instance) in a servlet or script?

THANKS FOR ALL THE HELP!!!

Thanks, and Regards,
________________________
 
> Yeah, I'm already sending some stuff over by URL anyway, but there seems
> to be some concern floating around the net regarding session hijacking
> if the session ID is readily available.  However, although I wouldn't
> pretend to be an expert.
> 
> Anyway, I took Christopher's advice, and deleted all the cookies, even
> restarted my browser (it's been running for several days), and did some
> testing.  I now have two (2!) JSESSIONIDs in my browser, as well as
> userid and password cookies, but on the server side, it says no cookies
> were sent.
> 
> And, I finally found the "Headers" section under "Net" in Firebug.  As
> near as I can decipher this, all my requests are sending a JSESSIONID
> cookie *except* the one for the XMLHttpRequest.  The first time running
> after deleting all the cookies, that request doesn't have any cookies.
> Because a session gets created, from that point forward it has the
> session it created with it sent back in the request header, but, of
> course, that session doesn't have any of the attributes stored in it.
> Looking at these cookies with the WebDeveloper tools in Firefox, the
> difference is that the new one created during the XMLHttpRequest is
> associated with a "/" path, the other one (the "real" one) with
> "/myAppName" path.
> 
> Is it possible the difference in these path associations has something
> to do with not finding the session?  I do use a different URL mapping
> for this servlet because of a "CheckUser" problem I had way back that
> started this whole chain.
> 
> Next step is to download Frank's http://www.omnytex.com/test.zip and get
> that to work (also, I see what you mean by Headers under Firebug
> Console, now, too- it is also repeated under Firebug Net).
> 
> > -----Original Message-----
> > From: Christopher Schultz [mailto:chris@christopherschultz.net] 
> > Sent: Tuesday, May 22, 2007 10:04 AM
> > To: Tomcat Users List
> > Subject: Re: Session IDs & XMLHttpRequests
> > 
> > Allen,
> > 
> > Williams, Allen wrote:
> > > Will it work with POST as well as GET?  Although I guess I'll soon find
> > > out;-)
> > 
> > It should work equally well with GET and POST. The browser should send
> > cookies with every type of request (not just GET and POST).
> > 
> > I strongly encourage you to make arrangements for non-cookie-using
> > people. When you emit the HTML (and javascript) to make your
> > XMLHttpRequest, try making the URL dynamic and running it through
> > HttpServletResponse.encodeURL to add the jsessionid to the URL if necessary.
> > 
> > This will make your application a little more friendly to those who
> > either don't have cookies available (usually an IT policy in an office
> > or something) or who choose to turn them off. I find this to be
> > courteous to your users.
> > 
> > Just my .02.
> > 
> > - -chris
> > 
> > 
> 

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
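As an added example, not code from this thread or from Tomcat itself: a diagnostic servlet in the javax.servlet API of that Tomcat era that answers the question about where the cookie's path and expiry live, shows how the "/" vs "/myAppName" path mismatch looks from the server side, and applies Christopher's encodeURL advice for the XMLHttpRequest URL. The class name, its mapping and the /data URL are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet; map it under the app's context path,
// e.g. /myAppName/sessionprobe (the mapping is an assumption).
public class SessionProbeServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // The browser's Cookie header carries only name=value pairs. Path,
        // Expires and Domain are attributes of the Set-Cookie the server sent
        // earlier; the browser keeps them to decide whether to send the cookie
        // but never sends them back, so getPath() is null and getMaxAge() -1.
        Cookie[] cookies = req.getCookies();   // null when no Cookie header
        if (cookies != null) {
            for (Cookie c : cookies) {
                out.println("cookie " + c.getName() + " path=" + c.getPath()
                        + " maxAge=" + c.getMaxAge());
            }
        }

        // The path mismatch from the thread: a JSESSIONID scoped to
        // /myAppName is not sent to a servlet reached under another path,
        // so the request arrives with no session id, or one Tomcat can't find.
        out.println("contextPath=" + req.getContextPath());
        out.println("requestedSessionId=" + req.getRequestedSessionId()
                + " valid=" + req.isRequestedSessionIdValid()
                + " fromCookie=" + req.isRequestedSessionIdFromCookie()
                + " fromURL=" + req.isRequestedSessionIdFromURL());
        if (req.getSession(false) == null) {
            // Don't silently create a fresh, empty session: log it so the
            // cookie-path problem shows up in the Tomcat log instead.
            log("no valid session on " + req.getRequestURI());
        }

        // Christopher's suggestion: build the XHR URL through encodeURL.
        // Tomcat appends ;jsessionid=... only when the id did NOT arrive via
        // cookie, so cookie-using clients never get the id exposed in a URL
        // (where it would land in logs, history and Referer headers).
        String xhrUrl = resp.encodeURL(req.getContextPath() + "/data");
        out.println("xhrUrl=" + xhrUrl);
    }
}
```

Hitting the probe from the page that issues the XMLHttpRequest shows directly whether the request carried the /myAppName cookie or started a new session, which is what the Firebug headers were being read for.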

