You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by kennardconsulting <ri...@kennardconsulting.com> on 2008/11/12 06:59:46 UTC
Does jsessionid on the URL also check the User-Agent?
Dear All,
When passing a jsessionid on the URL such as...
http://foo.com;jsessionid=123
...does Tomcat do something clever, like checking the User-Agent, before
agreeing to hook into the existing '123' session?
If I log in using, say, Firefox and note the jsessionid, then open a new
Firefox and paste in a URL like the one above it works as expected. But if I
open IE and paste the same URL it doesn't work?
Does the URL rewriting check the User Agent? Can I turn this off?
Regards,
Richard.
--
View this message in context: http://www.nabble.com/Does-jsessionid-on-the-URL-also-check-the-User-Agent--tp20454717p20454717.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Does jsessionid on the URL also check the User-Agent?
Posted by kennardconsulting <ri...@kennardconsulting.com>.
Chris,
Thanks for your prompt reply.
My apologies - I was getting confused. The browser had already assigned a
jsessionid through a cookie just by viewing the login page, so from them on
anything I passed on the URL was being ignored.
Thanks for your time,
Richard.
--
View this message in context: http://www.nabble.com/Does-jsessionid-on-the-URL-also-check-the-User-Agent--tp20454717p20469889.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Does jsessionid on the URL also check the User-Agent?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Richard,
kennardconsulting wrote:
> ...does Tomcat do something clever, like checking the User-Agent, before
> agreeing to hook into the existing '123' session?
No. Tomcat will append the jsessionid parameter if the client has not
yet proven that Cookies will be sent back to the server. Usually, this
happens on the response to the first request, but not after any cookie
has had a round-trip to the client back to the server.
> If I log in using, say, Firefox and note the jsessionid, then open a new
> Firefox and paste in a URL like the one above it works as expected. But if I
> open IE and paste the same URL it doesn't work?
What do you mean "doesn't work"? You don't get the same session (you
should)? Or, you get the same session, but further URLs don't contain
the jsessionid parameter? If the latter is the case, then IE is simply
sending a cookie to Tomcat and therefore Tomcat knows that the session
id can be managed with a cookie and URL rewriting doesn't have to be done.
> Does the URL rewriting check the User Agent? Can I turn this off?
\No user agent checking, so there's nothing to disable.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkkbMzsACgkQ9CaO5/Lv0PDrPgCfbRThbmXP8KrbcyNlZbBKGqSS
TE8AoKpnnFHXUrHh7NL5aKG25CMtq7+O
=e1BJ
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Does jsessionid on the URL also check the User-Agent?
Posted by kennardconsulting <ri...@kennardconsulting.com>.
Torsten,
Thank you for the quick reply. My apologies: I was getting confused.
I now realise sending jsessionid on the URL gets ignored if there is already
a jsessionid in the cookie, which there will be if you have even briefly
touched the site in any way (eg. to pull up the login page).
Thanks for you help.
Regards,
Richard.
--
View this message in context: http://www.nabble.com/Does-jsessionid-on-the-URL-also-check-the-User-Agent--tp20454717p20466801.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Does jsessionid on the URL also check the User-Agent?
Posted by To...@teliasonera.com.
Hi Richard,
How do you log in and to what? What do you mean with it doesn't work? That Tomcat creates a new session?
I tried what you did: Accessed some webapp in FF and pasted the URL including jsessionid in IE - got the same session.
I don't think Tomcat cares about anything else than the jsessionid in the URL or the session cookie.
Maybe it is the authentication mechanism that does something with the session?
Torsten
-----Original Message-----
From: kennardconsulting [mailto:richard@kennardconsulting.com]
Sent: 12. november 2008 07:00
To: users@tomcat.apache.org
Subject: Does jsessionid on the URL also check the User-Agent?
Dear All,
When passing a jsessionid on the URL such as...
http://foo.com;jsessionid=123
...does Tomcat do something clever, like checking the User-Agent, before
agreeing to hook into the existing '123' session?
If I log in using, say, Firefox and note the jsessionid, then open a new
Firefox and paste in a URL like the one above it works as expected. But if I
open IE and paste the same URL it doesn't work?
Does the URL rewriting check the User Agent? Can I turn this off?
Regards,
Richard.
--
View this message in context: http://www.nabble.com/Does-jsessionid-on-the-URL-also-check-the-User-Agent--tp20454717p20454717.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org