tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Multiple JSESSIONID cookies being presented.
Date Wed, 09 Sep 2015 18:48:14 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jeffrey,

On 9/4/15 4:40 PM, Jeffrey Janner wrote:
> I'm surprised that Tomcat would use the "wrong" session id for 
> URL-rewriting when presenting the login screen. Are you saying
> that, when showing the login page for /APP2, Tomcat will:
> 
> a. Place a session identifier in the URL with value X b. Return a
> Set-Cookie response header for JSESSIONID with value Y
> 
> Where X != Y?
>> So far, it looks like it is maintaining an X=Y philosophy. So
>> that's a non-starter.

Maybe we aren't communicating well: I'd expect to see X = Y *100% of
the time*. The session id for both the URL *and* the cookie should be
the same, otherwise mass confusion would ensue.

> But you do use Tomcat's session-tracking mechanisms, right?
> 
>> Yes, and the problem only rears its ugly head on a successful
>> login (app expires old cookie, creates a new one).

Usually, Tomcat won't explicitly expire an old JSESSIONID cookie...
just set another one with a new value. The browser should replace the
old value with the new one.

>> User never even sees a new page, just an app-generated "session 
>> expired" error. Trying to see things in access logs, but nothing 
>> there I can see.

Hmm.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV8H7uAAoJEBzwKT+lPKRYf30QAJ6V2G22zeRhRS7pl3rkhk7w
4/de4gpP+HfS/TYdOrLWr/qn26VPM38xjqPTuOvLTTGNfqgTdKhhrpQwEtHA9iSj
9K3oFmoEN7vXxshKjp2Q5bmjKemez1NVX43bwolq8+fTjVSlGZwTZcSA8+n2rJ05
vV5mBT+O4iqdYT1L1zdUj8XGWBS7hDmL9XCJM+08c4Rxajin37J4Xebi1HBAIM5a
WLijOUNAGHnkfDfpipxBgRcPly/wj//D0TdAZRMLqjVBh3DN6Lxhi59IOIiQgOYc
vu7l+GsimC1QI9/qM88JYlOXzJqpncjdYddyiJXdjvs1b7Rqk2QFGNyzE+njtPYK
icatILkejaN4Ic73mZZtHck50uY7vUagoZCAgsi48vMxsNXraFqrsN6NlKVVI3RN
L11+z7+qftoirWKGgTFmADikm/sknYiaezaVRIYLJohADONeQQ0sd9NpR4LQOU1x
87kWL+6rNfhNrnsWlGpm9PiBY4ZhmfpTcgK5iIJG3/2teCpk6sjye0BuVxkgQUPd
cHiTrhZgEVfkroWLTt55pKvIJmpX6BMA0R43UOk6NwTUrc0oKVqnZvkTMxt95b0m
lhHTRGFloCK3vKpz6ebeKowLz0Pc9rRBn6sQAANZgPd67m8XGjUDZ5lNBuz7XH/D
SfggjrqFB4x52K+EDETR
=LgVZ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message