tomcat-users mailing list archives

From André Warnier
Subject Re: 6.0.24 SSL Session always New
Date Sat, 20 Feb 2010 11:34:34 GMT
iainmac wrote:
> 3. This page is made up of a parent frame and 2 sub-frames.
> 4. The parent frame (the named page that the redirect is to) does that check
> above i.e. tries to get the Username from the session object - This works
> successfully.  This page begins to load.
> 5. The first sub-frame begins to load, tries the same check - in MSIE (and in
> Tomcat 5.0.28 other browsers too) we are given the same validated session, so
> all works fine.  In other browsers with 6.0.24 a new session is given, and
> so I am again redirected to the logon page! In a loop!  Same thing happens
> with second sub frame.
> As a work around I have simply rewritten my pages not to use frames, all
> works fine.  

I believe that what you indicate above is the core of the issue.
It has nothing to do with Tomcat, it has to do with the logic of what 
you are doing, and the way different browsers handle separate windows 
(or frames, which are separate windows).

I'll try to give an example:
Suppose that the first document you request from the server is a frame 
document, with 2 frames.
The frame document itself is not submitted to authentication by the 
server.  So it loads in the browser without problems.  While loading 
this frame document, the browser notices that it is a frame document, 
and that there are 2 links in it to load the individual frames. So the 
browser creates 2 new windows (the frames) and issues 2 new requests 
(one per frame), to fill these windows.
Any or all of these individual frame URLs is set up on the server as 
requiring authentication.
So now look at it from the server side.
It receives 2 separate (and almost simultaneous) requests for different 
URLs, each one submitted to authentication.  The server has no idea that 
these requests come from the same browser, and each one is handled 
separately, as if they came from 2 different workstations even.
(So basically, each request may be handled by a different thread or 
child of the webserver).
At this point, none of these requests contains any authentication 
headers, because the browser has not done any authentication yet.
So basically, the server is going to answer each one of them, 
individually, by sending the login page.
And so on.

The above may not be exactly what happens in your case.
But I hope it is sufficient to give you an idea of what to look for.
The symptoms are going to vary depending on how each browser exactly 
issues the different requests to the webserver (in the same connection 
or not e.g.), how it handles windows, frames, tabs, iframes etc., the 
load on your server, how users get to this first page and so on.

In other words, practical recommendation: do not have the first page of 
your website be a frame document requiring authentication.  This would 
create problems with any webserver, not just with Tomcat.
