From: "Williams, Allen"
To: "Tomcat Users List"
Subject: RE: Session IDs & XMLHttpRequests
Date: Tue, 22 May 2007 15:39:22 -0400
Message-ID: <6E19E11D3D7A5F4D937E5C2721FC310D05AACE3A@mlbe2k4.cs.myharris.net>
In-Reply-To: <6E19E11D3D7A5F4D937E5C2721FC310D05AACE08@mlbe2k4.cs.myharris.net>

OK, I have FOUND the problem, and for the continued edification of the
community will share my results, as well as ask one more question that
hopefully some of you gurus can answer.

Yes, it had to do with the path. When I went back and associated this
servlet with a valid "used" path but still without the "CheckUser"
involved, updating through my mod_jk.conf, my web.xml for the mappings,
and, of course, the script itself, it picked up the right session id and
the world is good.

Now, for the question: how is this ancillary information stored? When I
look at the cookie in Firebug or print it out in the servlet, all I see
is "JSESSIONID=blah, blah, blah", but when I look at it in Web Developer,
I see the path associated with it, the expiration date, and other info.
Where is that stored, and can it be accessed (like the path, for
instance) in a servlet or script?

THANKS FOR ALL THE HELP!!!

Thanks, and Regards,
________________________

> Yeah, I'm already sending some stuff over by URL anyway, but there seems
> to be some concern floating around the net regarding session hijacking
> if the session ID is readily available. However, although I wouldn't
> pretend to be an expert.
>
> Anyway, I took Christopher's advice, and deleted all the cookies, even
> restarted my browser (it's been running for several days), and did some
> testing. I now have two (2!) JSESSIONID's in my browser, as well as
> userid and password cookies, but on the server side, it says no cookies
> were sent.
>
> And, I finally found the "Headers" section under "Net" in Firebug. As
> near as I can decipher this, all my requests are sending a JSESSIONID
> cookie *except* the one for the XMLHttpRequest. The first time running
> after deleting all the cookies, that request doesn't have any cookies.
> Because a session gets created, from that point forward it has the
> session it created with it sent back in the request header, but, of
> course, that session doesn't have any of the attributes stored in it.
> Looking at these cookies with the WebDeveloper tools in Firefox, the
> difference is that the new one created during the XMLHttpRequest is
> associated with a "/" path, the other one (the "real" one) with
> "/myAppName" path.
>
> Is it possible the difference in these path associations has something
> to do with not finding the session? I do use a different URL mapping
> for this servlet because of a "CheckUser" problem I had way back that
> started this whole chain.
>
> Next step is to download Frank's http://www.omnytex.com/test.zip and get
> that to work (also, I see what you mean by Headers under Firebug
> Console, now, too- it is also repeated under Firebug Net).
>
> > -----Original Message-----
> > From: Christopher Schultz [mailto:chris@christopherschultz.net]
> > Sent: Tuesday, May 22, 2007 10:04 AM
> > To: Tomcat Users List
> > Subject: Re: Session IDs & XMLHttpRequests
> >
> > Allen,
> >
> > Williams, Allen wrote:
> > > Will it work with POST as well as GET? Although I guess I'll soon find
> > > out;-)
> >
> > It should work equally well with GET and POST. The browser should send
> > cookies with every type of request (not just GET and POST).
> >
> > I strongly encourage you to make arrangements for non-cookie-using
> > people. When you emit the HTML (and javascript) to make your
> > XMLHttpRequest, try making the URL dynamic and running it through
> > HttpServletResponse.encodeURL to add the jsessionid to the
> > URL if necessary.
> >
> > This will make your application a little more friendly to those who
> > either don't have cookies available (usually an IT policy in an office
> > or something) or who choose to turn them off. I find this to be
> > courteous to your users.
> >
> > Just my .02.
> >
> > - -chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
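The question at the top of the thread (where the path and expiry of a cookie live, and why the servlet only ever sees "JSESSIONID=...") comes down to how a browser's cookie store works: the attributes arrive in the Set-Cookie response header and stay in the browser; the Cookie request header carries nothing but name=value pairs, which is all a servlet can read (request cookies in the Servlet API have no path or expiry attached). The following is an added example, not code from the thread or from Tomcat: a small single-host cookie store that applies the RFC 6265 path rules and replays the situation Allen describes with constructed values (the paths /myAppName and /otherMapping and the session ids are made up for the demonstration).

```python
"""Simulate a browser cookie store: what Set-Cookie attributes it keeps,
and what the Cookie request header actually sends back.

Added example, not from the mailing-list thread. Path handling follows
RFC 6265 section 5.1.4; all header values and paths below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StoredCookie:
    name: str
    value: str
    path: str
    expires: Optional[str] = None   # kept in the store, never sent back
    secure: bool = False
    http_only: bool = False


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: the request path up to (not including) its
    right-most '/', or '/' if there is no slash past the first one."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match between a request path and a cookie path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieStore:
    """Minimal single-host cookie jar keyed by (name, path)."""

    def __init__(self) -> None:
        self._jar: Dict[tuple, StoredCookie] = {}

    def receive(self, request_path: str, set_cookie: str) -> StoredCookie:
        """Store one Set-Cookie header value received for request_path."""
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        cookie = StoredCookie(name=name.strip(), value=value.strip(),
                              path=default_path(request_path))
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "path" and val.strip().startswith("/"):
                cookie.path = val.strip()
            elif key == "expires":
                cookie.expires = val.strip()
            elif key == "secure":
                cookie.secure = True
            elif key == "httponly":
                cookie.http_only = True
        self._jar[(cookie.name, cookie.path)] = cookie
        return cookie

    def cookie_header(self, request_path: str) -> str:
        """Build the Cookie request header: name=value only, longer paths first."""
        matching = [c for c in self._jar.values()
                    if path_matches(request_path, c.path)]
        matching.sort(key=lambda c: len(c.path), reverse=True)
        return "; ".join(f"{c.name}={c.value}" for c in matching)

    def stored(self) -> List[StoredCookie]:
        return list(self._jar.values())


def demo() -> dict:
    """Replay the thread's situation with constructed paths and ids."""
    jar = CookieStore()
    # Login page under /myAppName sets the "real" session cookie.
    jar.receive("/myAppName/login", "JSESSIONID=AAA111; Path=/myAppName; HttpOnly")
    # The XMLHttpRequest goes to a servlet mapped outside /myAppName: the
    # cookie does not path-match, so the request carries no cookies ...
    xhr_first = jar.cookie_header("/otherMapping/ajax")
    # ... and the server answers with a fresh session scoped to "/".
    jar.receive("/otherMapping/ajax", "JSESSIONID=BBB222; Path=/")
    xhr_second = jar.cookie_header("/otherMapping/ajax")
    # A page request under /myAppName now sends both ids (longer path first).
    page = jar.cookie_header("/myAppName/page")
    return {"xhr_first": xhr_first, "xhr_second": xhr_second, "page": page,
            "paths": sorted(c.path for c in jar.stored())}


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Running it shows the first XMLHttpRequest sending an empty Cookie header, the second sending only the new "/"-scoped id, and a later page request under /myAppName sending two JSESSIONID values, which is exactly the "two JSESSIONID's" symptom; the server-side fix in the thread (mapping the servlet under the same path) makes the original cookie path-match again. The path and expiry never appear in the request, so a servlet that needs them can only know what it set itself.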