tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Session Invalidate not working on HTTPS ( Tomcat 6.0.29 )
Date Tue, 30 Nov 2010 14:51:43 GMT
2010/11/30 Andrea Corti <ilgrandemazinger@gmail.com>:
> Yes, I have emptySessionPath=true in connectors; is this the issue?
>

In your logs, you have "sessionCreated" message, i.e. a session was
created and thus the listener was notified, but the ID was reused.

You can put a breakpoint in your listener to see where that comes from.

-> "manager.createSession(getRequestedSessionId());" call in
o.a.c.connector.Request.doGetSession(..)


> Thanks for the link, now I'm trying to debug in order to find some more
> details for you experts.
>
> Thanks.
>
> 2010/11/30 Konstantin Kolinko <knst.kolinko@gmail.com>
>
>> >> > Follows an extract from a test servlet:
>> >> >         HttpSession s = req.getSession();
>> >> >         if (s==null) {
>> >> >             System.out.println(mt+":Session is null");
>> >> >         } else {
>> >> >             System.out.println(mt+":Session id="+s.getId()+"\tNew="+s.isNew());
>> >> >         }
>> >> >         System.out.println("pre- invalidate");
>> >> >         s.invalidate();
>> >> >         System.out.println("post- invalidate: id="+s.getId());
>> >> >         s = req.getSession(true);
>> >> >         System.out.println("post- get new: id="+s.getId());
>> >>
>> >> Okay, what does the above servlet print when you access it via HTTP, and
>> >> then access it via HTTPS?
>> >>
>> >
>> > HTTP Output:
>> > POST:Session id=F5FAF6115F7BA37ECDA22299C9B3B4BC     New=true
>> > pre- invalidate
>> > sessionDestroyed [F5FAF6115F7BA37ECDA22299C9B3B4BC] <-- this log is printed by a HttpSessionListener
>> > post- invalidate: id=F5FAF6115F7BA37ECDA22299C9B3B4BC
>> > sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by a HttpSessionListener
>> > post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>> >
>> > We can notice that the session id after the GetSession(true) is different
>> > from the previous one.
>> >
>> > HTTPS Output:
>> > POST:Session id=36BA1CCC7AEC8A9808027D57B6A5A52A     New=false
>> > pre- invalidate
>> > sessionDestroyed [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by a HttpSessionListener
>> > post- invalidate: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>> > sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by a HttpSessionListener
>> > post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>> >
>> > In this case the session id is always the same!
>> >
>>
>> Do you, by any chance, have emptySessionPath=true on your Connector?
>>
>> > I saw that between release 28 and 29 the following class has been
>> > changed but I'm not able to debug it.
>> > java\org\apache\catalina\connector\Response.java (method
>> > addSessionCookieInternal)
>>
>> http://wiki.apache.org/tomcat/FAQ/Developing
>>
>> Best regards,
>> Konstantin Kolinko
>>
>
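
An added example, not part of the original thread: a small checker that reads the servlet and HttpSessionListener output quoted above and reports every `sessionCreated` event whose ID was already reported as destroyed, which is the reuse seen in the HTTPS run. The log text is copied from the quoted HTTP and HTTPS outputs; the function and variable names are this example's own.

```python
import re

# Output copied from the HTTP and HTTPS runs quoted in the thread.
HTTP_LOG = """\
POST:Session id=F5FAF6115F7BA37ECDA22299C9B3B4BC     New=true
pre- invalidate
sessionDestroyed [F5FAF6115F7BA37ECDA22299C9B3B4BC]
post- invalidate: id=F5FAF6115F7BA37ECDA22299C9B3B4BC
sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A]
post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
"""
HTTPS_LOG = """\
POST:Session id=36BA1CCC7AEC8A9808027D57B6A5A52A     New=false
pre- invalidate
sessionDestroyed [36BA1CCC7AEC8A9808027D57B6A5A52A]
post- invalidate: id=36BA1CCC7AEC8A9808027D57B6A5A52A
sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A]
post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
"""

# Matches the listener lines even when they carry a quote prefix or a
# trailing "<-- this log is printed by ..." annotation.
EVENT = re.compile(r"\b(sessionCreated|sessionDestroyed) \[([0-9A-Fa-f]+)\]")


def find_reused_ids(log_text):
    """Return (line_no, session_id) for each sessionCreated event whose ID
    appeared in an earlier sessionDestroyed event in the same log."""
    destroyed = set()
    reused = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = EVENT.search(line)
        if match is None:
            continue  # servlet println lines carry no listener event
        event, session_id = match.group(1), match.group(2).upper()
        if event == "sessionDestroyed":
            destroyed.add(session_id)
        elif session_id in destroyed:
            reused.append((line_no, session_id))
    return reused


if __name__ == "__main__":
    for name, log in (("HTTP", HTTP_LOG), ("HTTPS", HTTPS_LOG)):
        hits = find_reused_ids(log)
        print(name, "reused IDs:", hits if hits else "none")
```

A hit means `invalidate()` followed by `getSession(true)` did not give the client a new session ID, so code that relies on that sequence to rotate the ID is not getting a rotation.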
