Posted to httpclient-users@hc.apache.org by leung cc <dk...@hotmail.com> on 2006/08/08 11:41:17 UTC
can I NOT have the cookie please
This is actually a problem that arose after I went about solving my applet
+ commons-httpclient -> https + client cert problem taking advice from Oleg
and others here. Well, I customized Oleg's AuthSSLProtocolSocketFactory and
succeeded in making a connection to the servlet in my applet. But it
appeared that httpclient was sending a cookie of unknown origin to the
servlet and that caused the servlet to not recognize the session which the
applet was supposed to be part of. So I changed the method to Get (was using
Post) and tried to advise the servlet of the correct session by adding
"JSESSIONID=..." to the URL. I thought setting the cookie policy would have
stopped httpclient from sending any cookies but I was wrong and so I added
the setRequestHeader() call too (right, was shooting in the dark) but that
didn't seem to improve it.

    GetMethod rqst = new GetMethod( "ccs" + Constants.APP_HOME_URL_PFX +
        "/GiveLotOrCPCInfoAlt.jsp?JSESSIONID=" + this.httpSessId +
        "&qkt=" + qryKeyType +
        "&qk=" + URLEncoder.encode( psLotNum ) +
        "&ak=" + URLEncoder.encode( acsKey ) );

    rqst.getParams().setCookiePolicy( CookiePolicy.IGNORE_COOKIES );
    rqst.setRequestHeader( "Set-Cookie",
        "JSESSIONID=" + this.httpSessId +
        "; Path=/whatever; Secure" ); // HC

Now, my questions are:

1. My servlet side is arranged with apache in the forefront and tomcat at
the back, so maybe tomcat isn't seeing the jsessionid info and I should
tell Apache rather than tomcat what session I want? If this isn't
clear, let me say this: in my case apache is our webserver which is
listening for both http and https requests and tomcat only runs the jsp
programs - although tomcat can serve as a webserver, we are NOT using that
functionality of its.
Now, how does one tell apache the session id on the URL (not cookie)?

2. What's the "Set-Cookie" header? How is it different from the "Cookie"
header?

3. Httpclient is sending a cookie that contained the desired session id to
the server, where did it get the idea of the session id from? The webpage
where my applet is contained has a different session id, which I tried
to tell the servlet with the "jsessionid=..." parameter to the URL.

And I wonder if any authors/contributors of httpclient can be bothered to
look into the possibility of smoothly deploying httpclient in an applet -
you know, where the user (ok, us programmers) don't have to worry about
session, certs and things like that. I can't see Oleg being interested
because he told me he'd avoid applets, too bad. :(

Below is the rather long-winded log I copied off my java console (edited a
little to protect my employer's interest), enjoy (er, sorry)...
2006/08/08 17:04:13:770 CST [DEBUG] HttpClient - Java version: 1.5.0_04
2006/08/08 17:04:13:770 CST [DEBUG] HttpClient - Java vendor: Sun
Microsystems Inc.
2006/08/08 17:04:13:930 CST [DEBUG] DefaultHttpParams - Set parameter
http.useragent = Jakarta Commons-HttpClient/3.0.1
2006/08/08 17:04:13:990 CST [DEBUG] DefaultHttpParams - Set parameter
http.protocol.version = HTTP/1.1
2006/08/08 17:04:14:100 CST [DEBUG] DefaultHttpParams - Set parameter
http.connection-manager.class = class
org.apache.commons.httpclient.SimpleHttpConnectionManager
2006/08/08 17:04:14:100 CST [DEBUG] DefaultHttpParams - Set parameter
http.protocol.cookie-policy = rfc2109
2006/08/08 17:04:14:100 CST [DEBUG] DefaultHttpParams - Set parameter
http.protocol.element-charset = US-ASCII
2006/08/08 17:04:14:100 CST [DEBUG] DefaultHttpParams - Set parameter
http.protocol.content-charset = ISO-8859-1
2006/08/08 17:04:14:150 CST [DEBUG] DefaultHttpParams - Set parameter
http.method.retry-handler =
org.apache.commons.httpclient.DefaultHttpMethodRetryHandler@1f9e31e
2006/08/08 17:04:14:150 CST [DEBUG] DefaultHttpParams - Set parameter
http.dateparser.patterns = [EEE, dd MMM yyyy HH:mm:ss zzz, EEEE, dd-MMM-yy
HH:mm:ss zzz, EEE MMM d HH:mm:ss yyyy, EEE, dd-MMM-yyyy HH:mm:ss z, EEE,
dd-MMM-yyyy HH-mm-ss z, EEE, dd MMM yy HH:mm:ss z, EEE dd-MMM-yyyy HH:mm:ss
z, EEE dd MMM yyyy HH:mm:ss z, EEE dd-MMM-yyyy HH-mm-ss z, EEE dd-MMM-yy
HH:mm:ss z, EEE dd MMM yy HH:mm:ss z, EEE,dd-MMM-yy HH:mm:ss z,
EEE,dd-MMM-yyyy HH:mm:ss z, EEE, dd-MM-yyyy HH:mm:ss z]
2006/08/08 17:04:14:260 CST [DEBUG] DefaultHttpParams - Set parameter
http.socket.timeout = 60000
2006/08/08 17:04:14:260 CST [DEBUG] DefaultHttpParams - Set parameter
http.connection.timeout = 30000
2006/08/08 17:04:14:760 CST [TRACE] GetMethod - enter GetMethod(String)
2006/08/08 17:04:14:760 CST [DEBUG] DefaultHttpParams - Set parameter
http.protocol.cookie-policy = ignoreCookies
2006/08/08 17:04:14:760 CST [TRACE] HttpClient - enter
HttpClient.executeMethod(HttpMethod)
2006/08/08 17:04:14:760 CST [TRACE] HttpClient - enter
HttpClient.executeMethod(HostConfiguration,HttpMethod,HttpState)
2006/08/08 17:04:15:360 CST [TRACE] HttpMethodDirector - Attempt number 1
to process request
2006/08/08 17:04:15:360 CST [TRACE] HttpConnection - enter
HttpConnection.open()
2006/08/08 17:04:15:360 CST [DEBUG] HttpConnection - Open connection to
www.blahblah.com.hk:443
2006/08/08 17:04:15:360 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Initializing key store
2006/08/08 17:04:15:420 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Keystore init done
2006/08/08 17:04:15:420 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Certificate chain '1':
2006/08/08 17:04:15:420 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Certificate 1:
2006/08/08 17:04:15:420 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Subject DN: <details removed for security>
2006/08/08 17:04:15:420 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Signature Algorithm: MD5withRSA
2006/08/08 17:04:15:420 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Valid from: Tue Oct 21 13:08:33 CST 2003
2006/08/08 17:04:15:420 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Valid until: Wed Oct 19 13:08:33 CST 2011
2006/08/08 17:04:15:420 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Issuer: <details removed to protect the innocent>
2006/08/08 17:04:15:420 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Initializing key manager
2006/08/08 17:04:15:470 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Initializing key store
2006/08/08 17:04:15:470 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Keystore init done
2006/08/08 17:04:15:470 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Trusted certificate 'mykey':
2006/08/08 17:04:15:470 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Subject DN: <details removed for security>
2006/08/08 17:04:15:470 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Signature Algorithm: MD5withRSA
2006/08/08 17:04:15:470 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Valid from: Mon Sep 16 09:23:26 CST 2002
2006/08/08 17:04:15:470 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Valid until: Thu Sep 13 09:23:26 CST 2012
2006/08/08 17:04:15:470 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Issuer: <details removed>
2006/08/08 17:04:15:470 CST [DEBUG] CCSAuthSSLProtocolSocketFactory -
Initializing trust manager
2006/08/08 17:04:15:740 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.execute(HttpState, HttpConnection)
2006/08/08 17:04:15:740 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.writeRequest(HttpState, HttpConnection)
2006/08/08 17:04:15:740 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.writeRequestLine(HttpState, HttpConnection)
2006/08/08 17:04:15:740 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.generateRequestLine(HttpConnection, String, String, String,
String)
2006/08/08 17:04:15:960 CST [DEBUG] header - >> "GET
/whatever/GiveLotOrCPCInfoAlt.jsp?JSESSIONID=39570AD89DD8BB6E781F68675787218E&qkt=lot
&qk=339570&ak=a53d6754dc96b3f0f9cfc795e9778169 HTTP/1.1[\r][\n]"
2006/08/08 17:04:15:960 CST [TRACE] HttpConnection - enter
HttpConnection.print(String)
2006/08/08 17:04:15:960 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[])
2006/08/08 17:04:15:960 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[], int, int)
2006/08/08 17:04:15:960 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.writeRequestHeaders(HttpState,HttpConnection)
2006/08/08 17:04:15:960 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.addRequestHeaders(HttpState, HttpConnection)
2006/08/08 17:04:15:960 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.addUserAgentRequestHeaders(HttpState, HttpConnection)
2006/08/08 17:04:15:960 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.addHostRequestHeader(HttpState, HttpConnection)
2006/08/08 17:04:15:960 CST [DEBUG] HttpMethodBase - Adding Host request
header
2006/08/08 17:04:15:960 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.addCookieRequestHeader(HttpState, HttpConnection)
2006/08/08 17:04:16:240 CST [TRACE] HttpState - enter
HttpState.getCookies()
2006/08/08 17:04:16:240 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.addProxyConnectionHeader(HttpState, HttpConnection)
2006/08/08 17:04:16:240 CST [DEBUG] header - >> "Set-Cookie:
JSESSIONID=39570AD89DD8BB6E781F68675787218E; Path=/whatever;
Secure[\r][\n]"
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.print(String)
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[])
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[], int, int)
2006/08/08 17:04:16:240 CST [DEBUG] header - >> "User-Agent: Jakarta
Commons-HttpClient/3.0.1[\r][\n]"
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.print(String)
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[])
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[], int, int)
2006/08/08 17:04:16:240 CST [DEBUG] header - >> "Host:
www.blahblah.com.hk[\r][\n]"
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.print(String)
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[])
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[], int, int)
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.writeLine()
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[])
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.write(byte[], int, int)
2006/08/08 17:04:16:240 CST [DEBUG] header - >> "[\r][\n]"
2006/08/08 17:04:16:240 CST [TRACE] HttpConnection - enter
HttpConnection.flushRequestOutputStream()
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Server
certificate 1:
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Subject DN:
<details remove>
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Signature
Algorithm: MD5withRSA
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Valid from:
Thu Sep 05 12:28:08 CST 2002
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Valid until:
Sun Sep 02 12:28:08 CST 2012
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Issuer:
<details removed>
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Server
certificate 2:
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Subject DN:
<actual details remove>
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Signature
Algorithm: MD5withRSA
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Valid from:
Mon Sep 16 09:23:26 CST 2002
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Valid until:
Thu Sep 13 09:23:26 CST 2012
2006/08/08 17:04:16:240 CST [INFO] AuthSSLX509TrustManager - Issuer:
<actual details removed>
2006/08/08 17:04:16:400 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.readResponse(HttpState, HttpConnection)
2006/08/08 17:04:16:400 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.readStatusLine(HttpState, HttpConnection)
2006/08/08 17:04:16:400 CST [TRACE] HttpConnection - enter
HttpConnection.readLine()
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readLine(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readRawLine()
2006/08/08 17:04:16:510 CST [DEBUG] header - << "HTTP/1.1 200 OK[\r][\n]"
2006/08/08 17:04:16:510 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.readResponseHeaders(HttpState,HttpConnection)
2006/08/08 17:04:16:510 CST [TRACE] HttpConnection - enter
HttpConnection.getResponseInputStream()
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HeaderParser.parseHeaders(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readLine(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readRawLine()
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readLine(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readRawLine()
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readLine(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readRawLine()
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readLine(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readRawLine()
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readLine(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readRawLine()
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readLine(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readRawLine()
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readLine(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readRawLine()
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readLine(InputStream, String)
2006/08/08 17:04:16:510 CST [TRACE] HttpParser - enter
HttpParser.readRawLine()
2006/08/08 17:04:16:510 CST [DEBUG] header - << "Date: Tue, 08 Aug 2006
09:14:46 GMT[\r][\n]"
2006/08/08 17:04:16:510 CST [DEBUG] header - << "Server: Apache/2.0.40 (Red
Hat Linux)[\r][\n]"
2006/08/08 17:04:16:510 CST [DEBUG] header - << "Set-Cookie:
JSESSIONID=C66251A65E8B28B254CAA1B3CC2D23D6; Path=/whatever;
Secure[\r][\n]"
2006/08/08 17:04:16:510 CST [DEBUG] header - << "Content-Length:
17[\r][\n]"
2006/08/08 17:04:16:510 CST [DEBUG] header - << "Connection: close[\r][\n]"
2006/08/08 17:04:16:510 CST [DEBUG] header - << "Content-Type:
text/plain;charset=Big5-HKSCS[\r][\n]"
2006/08/08 17:04:16:510 CST [DEBUG] header - << "X-Pad: avoid browser
bug[\r][\n]"
2006/08/08 17:04:16:510 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.processResponseHeaders(HttpState, HttpConnection)
2006/08/08 17:04:16:510 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.readResponseBody(HttpState, HttpConnection)
2006/08/08 17:04:16:510 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.readResponseBody(HttpConnection)
2006/08/08 17:04:16:510 CST [TRACE] HttpConnection - enter
HttpConnection.getResponseInputStream()
2006/08/08 17:04:16:510 CST [TRACE] HttpMethodBase - enter
HttpMethodBase.canResponseHaveBody(int)
2006/08/08 17:04:16:510 CST [DEBUG] content - << "<!access denied>[\n]"
Rsp: [<!access denied>]
2006/08/08 17:04:16:620 CST [DEBUG] HttpMethodBase - Should close
connection in response to directive: close
2006/08/08 17:04:16:620 CST [TRACE] HttpConnection - enter
HttpConnection.close()
2006/08/08 17:04:16:620 CST [TRACE] HttpConnection - enter
HttpConnection.closeSockedAndStreams()
2006/08/08 17:04:16:620 CST [TRACE] HttpConnection - enter
HttpConnection.releaseConnection()
2006/08/08 17:04:16:620 CST [DEBUG] HttpConnection - Releasing connection
back to connection manager.
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
Re: can I NOT have the cookie please
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2006-08-09 at 15:41 +0800, leung cc wrote:
> Ah, finally it's all working. I can now use either the GetMethod or the
> PostMethod to communicate with my servlet. When I used GET I coded the
> jsessionid thing wrong - should have written ";jsessionid=..." but instead
> I had it as "?jsessionid=...". If I use the PostMethod, I needed to send a
> cookie to the server telling it the session I wanted.
>
You could have just seeded the initial HTTP state with the session
cookie to achieve the same net result for all requests (GET, POST, etc.):

    HttpClient httpclient = new HttpClient();
    String sessionId = "whatever";
    Cookie cookie = new Cookie(
        "www.blahblah.com.hk", "JSESSIONID", sessionId);
    cookie.setPath("/");
    cookie.setSecure(true);
    httpclient.getState().addCookie(cookie);

Oleg
> But of course, whether I will have the dreaded "Connection timed out:
> connect" problem which opened up this can of worms for me in the first place
> remains to be seen. I hope the following code has extended the connection
> timeout period and I will never get a timeout again:
>
> HttpClient httpClnt = new HttpClient();
> httpClnt.getParams().setParameter( "http.socket.timeout", new Integer( 60000 ) );
> httpClnt.getHttpConnectionManager().getParams().setConnectionTimeout( 30000 );
Re: can I NOT have the cookie please
Posted by leung cc <dk...@hotmail.com>.
Ah, finally it's all working. I can now use either the GetMethod or the
PostMethod to communicate with my servlet. When I used GET I coded the
jsessionid thing wrong - should have written ";jsessionid=..." but instead
I had it as "?jsessionid=...". If I use the PostMethod, I needed to send a
cookie to the server telling it the session I wanted.
But of course, whether I will have the dreaded "Connection timed out:
connect" problem which opened up this can of worms for me in the first place
remains to be seen. I hope the following code has extended the connection
timeout period and I will never get a timeout again:

    HttpClient httpClnt = new HttpClient();
    httpClnt.getParams().setParameter( "http.socket.timeout", new Integer( 60000 ) );
    httpClnt.getHttpConnectionManager().getParams().setConnectionTimeout( 30000 );
Re: can I NOT have the cookie please
Posted by leung cc <dk...@hotmail.com>.
It's a great feeling talking to somebody in the know. Thank you!
>From: Oleg Kalnichevski <ol...@apache.org>
>Reply-To: "HttpClient User Discussion" <ht...@jakarta.apache.org>
>To: HttpClient User Discussion <ht...@jakarta.apache.org>
>Subject: Re: can I NOT have the cookie please
>Date: Tue, 08 Aug 2006 12:08:02 +0200
>
>On Tue, 2006-08-08 at 17:41 +0800, leung cc wrote:
> > This is actually a problem that arose after I went about solving my applet
> > + commons-httpclient -> https + client cert problem taking advice from Oleg
> > and others here. Well, I customized Oleg's AuthSSLProtocolSocketFactory and
> > succeeded in making a connection to the servlet in my applet. But it
> > appeared that httpclient was sending a cookie of unknown origin to the
> > servlet and that caused the servlet to not recognize the session which the
> > applet was supposed to be part of.
>
>Unless evil green men took over your servlet engine there should be no
>cookies of unknown origin.
Ok, I take it that you're saying the cookie came from my server (be it the
apache httpd or tomcat). And after your enlightening, I now think the
following part of my trace log indicated that the server was saying to the
client (httpclient in my applet) "store a cookie your side with this
content..." And it seems the servlet didn't see my request to be associated
with the existing session which the webpage containing the applet had
already established with the server - i.e. either it didn't see the
"jsessionid=..." parameter or was ignoring it. I actually printed out
"request.getRequestedSessionId()" in my servlet and it was "null".
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Date: Wed, 09 Aug 2006
01:22:08 GMT[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Server: Apache/2.0.40 (Red
Hat Linux)[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Set-Cookie:
JSESSIONID=2E3BE88203EE876C80EF4CD15CDBDD94; Path=/whatever;
Secure[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Content-Length:
17[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Connection: close[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Content-Type:
text/plain;charset=Big5-HKSCS[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "X-Pad: avoid browser
bug[\r][\n]"
> > So I changed the method to Get (was using
> > Post) and tried to advise the servlet of the correct session by adding
> > "JSESSIONID=..." to the URL. I thought setting the cookie policy would have
> > stopped httpclient from sending any cookies but I was wrong and so I added
> > the setRequestHeader() call too (right, was shooting in the dark) but that
> > didn't seem to improve it.
> >
> > GetMethod rqst = new GetMethod( "ccs" + Constants.APP_HOME_URL_PFX +
> >     "/GiveLotOrCPCInfoAlt.jsp?JSESSIONID=" + this.httpSessId +
> >     "&qkt=" + qryKeyType +
> >     "&qk=" + URLEncoder.encode( psLotNum ) +
> >     "&ak=" + URLEncoder.encode( acsKey ) );
> >
> > rqst.getParams().setCookiePolicy( CookiePolicy.IGNORE_COOKIES );
>
>Try setting the cookie policy on the host or the client level and see if
>that makes a difference.
I set the IGNORE_COOKIES policy on the HttpClient and it made no
difference. Didn't try it on the host level because I think the client
level is more encompassing than that - Ok, and I admit I'm too lazy to
modify the URL to be relative.
>http://jakarta.apache.org/commons/httpclient/preference-api.html
>
> > rqst.setRequestHeader( "Set-Cookie",
> >     "JSESSIONID=" + this.httpSessId +
> >     "; Path=/whatever; Secure" ); // HC
> >
>
>This is wrong. At the very least the header name should be "Cookie".
>Besides you'll be much better off if you left cookie management to one
>of the HttpClient's cookie specs.
OK, I will change "Set-Cookie" to "Cookie" to see if that makes any
difference and then get rid of it altogether if it doesn't.
Ah huh, news flash, it did work - the servlet recognized my request to be
associated with that particular session, so now I can forget about
sticking "jsessionid=" in the URL? I will let you know how I fare down that
path.
> > Now, my questions are:
> >
> > 1. My servlet side is arranged with apache in the forefront and tomcat at
> > the back, so maybe tomcat isn't seeing the jsessionid info and I should
> > tell Apache rather than tomcat what the session I want? If this isn't
> > clear, let me say this: in my case apache is our webserver which is
> > listening for both http and https requests and tomcat only runs the jsp
> > programs - although tomcat can serve as a webserver, we are NOT using that
> > functionality of its.
> >
> >
>
>Per default Apache HTTP server should not mess around with session
>cookies. If your browser can maintain sessions when accessing the web
>app hosted in Tomcat, so could HttpClient.
I was turning to the GET method and messing with adding "jsessionid=..." on
the URL since I thought there was no hope I could get it to work with a
cookie (with the one maintained by the browser or one of my own). Looks
like I am wrong now.
> > 3. Httpclient is sending a cookie that contained the desired session id to
> > the server, where did it get the idea of the session id from? The webpage
> > where my applet is contained has a different session id, which I tried
> > to tell the servlet with the "jsessionid=..." parameter to the URL.
>
>Just stick the session cookie obtained from the browser into HttpState
>prior to executing requests which you would like to be associated with
>that session. If you fail to do so, the servlet engine will initiate a
>new session for those requests.
If I fail with sending a "Cookie" header, I will go down that path.
> > And I wonder if any authors/contributors of httpclient can be bothered to
> > look into the possibility of smoothly deploying httpclient in an applet -
> > you know, where the user (ok, us programmers) don't have to worry about
> > session, certs and things like that. I can't see Oleg being interested
> > because he told me he'd avoid applets, too bad. :(
> >
>
>The problem you are having has nothing to do with applets. Just fix your
>session management code and you'll be fine.
I was wishing I could use httpclient in applets much like Sun's URL +
HttpURLConnection - i.e. I don't have to do anything to get the client
certificate sent in, the session requested right and things like that.
Right, I'm wishing for too much perhaps and there doesn't seem to be enough
interest in getting httpclient to work especially well in applets even when
you have https, client certificate and things like that in the picture.
Re: can I NOT have the cookie please
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2006-08-08 at 17:41 +0800, leung cc wrote:
> This is actually a problem that arose after I went about solving my applet
> + commons-httpclient -> https + client cert problem taking advice from Oleg
> and others here. Well, I customized Oleg's AuthSSLProtocolSocketFactory and
> succeeded in making a connection to the servlet in my applet. But it
> appeared that httpclient was sending a cookie of unknown origin to the
> servlet and that caused the servlet to not recognize the session which the
> applet was supposed to be part of.
Unless evil green men took over your servlet engine there should be no
cookies of unknown origin.
> So I changed the method to Get (was using
> Post) and tried to advise the servlet of the correct session by adding
> "JSESSIONID=..." to the URL. I thought setting the cookie policy would have
> stopped httpclient from sending any cookies but I was wrong and so I added
> the setRequestHeader() call too (right, was shooting in the dark) but that
> didn't seem to improve it.
>
> GetMethod rqst = new GetMethod( "ccs" + Constants.APP_HOME_URL_PFX +
> "/GiveLotOrCPCInfoAlt.jsp?JSESSIONID=" + this.httpSessId +
> "&qkt=" + qryKeyType +
> "&qk=" + URLEncoder.encode( psLotNum ) +
> "&ak=" + URLEncoder.encode( acsKey ) );
>
> rqst.getParams().setCookiePolicy( CookiePolicy.IGNORE_COOKIES );
Try setting the cookie policy on the host or the client level and see if
that makes a difference.
http://jakarta.apache.org/commons/httpclient/preference-api.html
> rqst.setRequestHeader( "Set-Cookie",
> "JSESSIONID=" + this.httpSessId +
> "; Path=/whatever; Secure" ); // HC
>
This is wrong. At the very least the header name should be "Cookie".
Besides you'll be much better off if you left cookie management to one
of the HttpClient's cookie specs.
> Now, my questions are:
>
> 1. My servlet side is arranged with apache in the forefront and tomcat at
> the back, so maybe tomcat isn't seeing the jsessionid info and I should
> tell Apache rather than tomcat what the session I want? If this isn't
> clear, let me say this: in my case apache is our webserver which is
> listening for both http and https requests and tomcat only runs the jsp
> programs - although tomcat can serve as a webserver, we are NOT using that
> functionality of its.
>
Per default Apache HTTP server should not mess around with session
cookies. If your browser can maintain sessions when accessing the web
app hosted in Tomcat, so could HttpClient.
> Now, how does one tell apache the session id on the URL (not cookie)?
>
> 2. What's the "Set-Cookie" header? How is it different from the "Cookie"
> header?
>
See http://rfc.net/rfc2109.html
> 3. Httpclient is sending a cookie that contained the desired session id to
> the server, where did it get the idea of the session id from? The webpage
> where my applet is contained has a different session id, which I tried
> to tell the servlet with the "jsessionid=..." parameter to the URL.
>
Just stick the session cookie obtained from the browser into HttpState
prior to executing requests which you would like to be associated with
that session. If you fail to do so, the servlet engine will initiate a
new session for those requests.
> And I wonder if any authors/contributors of httpclient can be bothered to
> look into the possibility of smoothly deploying httpclient in an applet -
> you know, where the user (ok, us programmers) don't have to worry about
> session, certs and things like that. I can't see Oleg being interested
> because he told me he'd avoid applets, too bad. :(
>
The problem you are having has nothing to do with applets. Just fix your
session management code and you'll be fine.
Oleg
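
The two fixes this thread arrives at, as an added example that is not part of any post and is not HttpClient code: the server's "Set-Cookie" response header turned into the "Cookie" request header a client sends back, and ";jsessionid=" placed on the path ahead of the query string. It uses only the JDK; the class and method names are hypothetical, the header value and request path are taken from the trace log in the first post, and defaulting a missing Path to "/" is a simplification.

```java
import java.util.Locale;

// Added example, not code from the thread. Plain JDK, no HttpClient dependency.
public class SessionIdDemo {

    /** One cookie as a server announces it in a response "Set-Cookie" header. */
    static final class ServerCookie {
        final String name, value, path;
        final boolean secure;

        ServerCookie(String name, String value, String path, boolean secure) {
            this.name = name;
            this.value = value;
            this.path = path;
            this.secure = secure;
        }

        /** Parses a Set-Cookie header value such as "NAME=VALUE; Path=/x; Secure". */
        static ServerCookie parse(String headerValue) {
            String[] parts = headerValue.split(";");
            String[] nv = parts[0].trim().split("=", 2);
            if (nv.length != 2 || nv[0].isEmpty()) {
                throw new IllegalArgumentException("no NAME=VALUE pair: " + headerValue);
            }
            String path = "/";      // simplification: assumed default when Path is absent
            boolean secure = false;
            for (int i = 1; i < parts.length; i++) {
                String attr = parts[i].trim();
                String lower = attr.toLowerCase(Locale.ROOT);
                if (lower.startsWith("path=")) {
                    path = attr.substring("path=".length());
                } else if (lower.equals("secure")) {
                    secure = true;
                }
            }
            return new ServerCookie(nv[0], nv[1], path, secure);
        }

        /**
         * True if a client should send this cookie back on the given request:
         * Secure cookies only over https, and the cookie Path must be a prefix
         * of the request path (the prefix match RFC 2109 describes).
         */
        boolean appliesTo(boolean https, String requestPath) {
            if (secure && !https) {
                return false;
            }
            return requestPath.startsWith(path);
        }

        /** The request-side header carries only NAME=VALUE, never the attributes. */
        String toRequestHeader() {
            return "Cookie: " + name + "=" + value;
        }
    }

    /**
     * Puts ";jsessionid=ID" on the path, ahead of any "?query", which is where a
     * servlet container looks for it. "?JSESSIONID=ID" is just another query
     * parameter. The id then becomes part of the URL, so it appears wherever
     * URLs are recorded (for example server access logs).
     */
    static String withSessionPathParam(String url, String sessionId) {
        int q = url.indexOf('?');
        String path = q < 0 ? url : url.substring(0, q);
        String query = q < 0 ? "" : url.substring(q);
        return path + ";jsessionid=" + sessionId + query;
    }

    public static void main(String[] args) {
        // Response header value and request path as they appear in the trace log.
        String setCookie = "JSESSIONID=C66251A65E8B28B254CAA1B3CC2D23D6; Path=/whatever; Secure";
        String requestPath = "/whatever/GiveLotOrCPCInfoAlt.jsp";

        ServerCookie c = ServerCookie.parse(setCookie);

        // Over https the cookie is returned; over plain http the Secure flag withholds it.
        System.out.println("https: " + (c.appliesTo(true, requestPath)
                ? c.toRequestHeader() : "(no Cookie header)"));
        System.out.println("http:  " + (c.appliesTo(false, requestPath)
                ? c.toRequestHeader() : "(no Cookie header)"));

        // URL rewriting alternative: session id as a path parameter.
        System.out.println(withSessionPathParam(requestPath + "?qkt=lot&qk=339570", c.value));
    }
}
```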