tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: HttpServletRequest.getSession()
Date Tue, 14 Sep 2010 20:54:31 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 9/14/2010 12:30 PM, Mark Thomas wrote:
> On 14/09/2010 15:16, Christopher Schultz wrote:
> 
> I'm in the middle of some major re-factoring so I don;t have time to
> actually test this...
> 
>> 0. [Browser has two JSESSIONID cookies: one secure=true and one
>> secure=false]
> 
> This I doubt. When testing load-balancing on a single machine, I have
> seen browsers send the same cookie to two Tomcat instances that only
> differ by port number. I suspect https and http will be treated the same
> way and one cookie will just overwrite the other. You should test that
> to be sure though.

Okay, I'll check. I believe that "version 0" cookies should overwrite
each other when the port numbers are different, but that "version 1"
cookies allow a port specification that should allow two cookies with
the same name and path, but different numbers, to exist side-by-side
with no interference.

I just checked, and RFC 2109 ("version 0" cookies) does seem to indicate
that the port number adds to the unique-ness of the hostname, therefore
my statement above appears to be incorrect. It's possible that web
browser were (at some point) lazy and I am remembering a bad cookie
implementation.

The Set-Cookie2 definitely has a "port" parameter that can be explicitly
added to the cookie's settings.

Regarding the "Secure" flag, this is all the RFC has to say about it:

"
   Secure  If absent, the user agent MAY send the cookie over an
           insecure channel.
"

That indicates to me that non-secure cookies should be sent as well as
secure cookies, but doesn't say if they overwrite each other. I didn't
read every word of the RFC, but from what I did read, this appears to be
a gray area where the browser would be left to either support separate
secure/non-secure cookies or clobber one with the other.

References
http://www.ietf.org/rfc/rfc2109.txt
and
http://www.ietf.org/rfc/rfc2965.txt

(This information was mostly for the edification of other readers, not a
lesson in HTTP RFCs for markt ;)

Here's what I observe in Tomcat 6.0.26 with Mozilla Firefox 3.6.9/win32:

[non-secure]
1. Attempt to access protected page, request includes JSESSIONID cookie
(old value, no valid session)
2. Server responds with 302 redirect to login page, Set-Cookie for
JSESSIONID, path=/mywebapp
3. Submit authentication information, including JSESSIONID from step 2
4. Server accepts credentials, issues 302 response, no Set-Cookie header
5. Client follows redirect, including JSESSIONID from step 2

[secure, immediately after steps 1-5 above]
6. Attempt to access protected page, request includes JSESSIONID from step 2
7. Access is granted, page is displayed
8. Request "logout", request includes JSESSIONID from step 2
9. Server terminates HttpSession, no Set-Cookie header in response
10. Attempt to access protected page, request includes JSESSIONID from
step 2
11. Session is invalid, server responds with 302 redirect to login page,
Set-Cookie header with new JSESSIONID cookie value AND SECURE FLAG SET
12. Client follows redirect, includes JSESSIONID from step 11
13. Submit authentication information, including JSESSIONID from step 11
14. Server accepts credentials, issues 302 response, no Set-Cookie header
15. Client follow redirect, including JSESSIONID from step 11

[non-secure, immediately after steps 6-15 above]
16. Attempt to access protected resource, request does not include
JSESSIONID cookie at all
17. Server responds with 302 redirect to login page, Set-Cookie for
JSESSIONID, path=/mywebapp
18. Submit authentication information, includes JSESSIONID FROM step 17
19. Server accepts credentials, issues 302 redirect
20. Client follows redirect, including JSESSIONID from step 17

[secure, immediately after steps 6-15 above]
21. Attempt to access protected resource, request includes JSESSIONID
cookie from step 17

So, it appears that the non-secure cookie trumps the secure cookie and
the client (Firefox, at least) will clobber secure with non-secure.

I encourage others to test other browsers. This was exhausting. :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyP4QcACgkQ9CaO5/Lv0PBS3wCeLHzEbJew0T2/I/VFTonga84m
5VQAoJx4RQhmPDmr74E79ocGvnJPVZ2N
=aOIa
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message