tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Session Persistence Problems
Date Thu, 11 Apr 2019 21:22:01 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jerry,

On 4/11/19 15:29, Jerry Malcolm wrote:
> Alternatively, if I had a better understanding of how sessions are 
> managed by both TC and the browser, it might help me figure out
> what is going wrong.  I know a session key is generated by TC and
> sent back in a response.  And I'm assuming that the browser must
> return that session key on subsequent calls.  But if there are
> several webapps on domain, how does the browser differentiate which
> session key to send back on a subsequent response?  Is it just
> understood that the first 'folder' level under the domain (i.e.
> context name) is always a different session key?
> (myDomain.com/order vs. myDomain/account)?   Or does the browser 
> send all session keys back per domain and let TC figure out which
> one, if any, to use?   Again, just looking for a little education
> here....

Do you know if HTTP cookies or URL-parameters are being used for
session-management? If you aren't sure, try logging-in to your
application and look at the URLs and cookies.

Typically, a web application will use cookies with the name
JSESSIONID. If the session identifier is tracked in the URL, then
you'll see ";jsessionid=[id]" in your URLs after the path but before
the query string.

It's very easy to "lose" a URL-tracked session id because every single
URL generated by your application must include that parameter. A sinle
miss can cause the session to be lost by the client. If you are using
SSO (always with a cookie), it can mask the dropping of the session in
this way.

It's harder to "lose" a session cookie since the browser typically
manages that. Cookies are tracked per web-application using each
application's path. The browser should only return a single cookie for
a given path. If you have applications that share a URL space (e.g.
/master and /master/sub and /master/sub2) then things can get very
confusing for the browser and the server. It's best not to overlap
URL-spaces in this way.

Are you using clustering or anything else like that which might also
cause session-ids to change?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlyvr/kACgkQHPApP6U8
pFg4KBAAi0qYZDxX0TGApjLOhwTqtP3u22tT9+JXEjcwylIfx+WaURgNTTgEUQQJ
rJMkwBBugCU1cgusveBsAJUtuDhe9QMkmx0BKI4JF12hzy+nk8BN/yC0crcvfgfz
NIfHWOHV2eczu5ZMDaYeyYOiUM27b+k4Xl0YR0xRtYeJ7/HdnxaklfPojXzFNUhJ
vRa6GSjtgCI6JcW+eHPy5T2OmLtdYatHcY+S9qtOJvNsf3mf1WFDHCV6iHR+9NTP
2artOzKAOWe/HLoKo9h8tjSuzgMrodE2dnzdu/DUs1JJjDLl5INXp7WXR6z5BshB
oK/op5+e7dV/7BONc9HHEh/99kivgEu86DQ3H6OfQF2+oNVy5kuyzY12/OMvJusg
oppLZYV6XCVAUduwkP5W1SjBJWjDuUkQwtSRQ6O2Vren1wI3GIZtSvfZHygEM2Ht
X67QyMLJQEh9yZedtdUF9gGJzkREnibxScBtFJc4HpuBezs1HQ4eOk2WTnTpmiAL
w38IEM6b/9snSzHcqxXSkkx3vZjf3EuEfZKJwymzC5iHADo6KZsW+aYB4dzrFoJa
E5xtJRKZT5i5CHLr7l5bmV4QifZrQa50UA47fe+KvfQiQJW5xZG2lTFl2as6bNGW
4EgcPk6yHDVaGF4xqBN84kp1fqJ++G0c32b/Ogm0Hwfm/ShOvCc=
=9pTl
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message