Posted to users@tomcat.apache.org by Sascha Hesse <sj...@gmail.com> on 2011/06/08 11:18:51 UTC

Tomcat 7.0.14 / 6.0.32 session gets obviously invalid after request / JSESSIONID changes

Hello all,

I'm hosting our Spring MVC 3.0.5 application in Tomcat 7.0.14 and also
tried 6.0.32.

The server is hosting two webapps.

The frontend: http://localhost:50012/frontend
The backend: http://localhost:50012/backend

The request flow looks as follows:

User: http://localhost:50012/frontend/index.htm
                AJAX Frontend:
http://localhost:50012/frontend/setFilter.htm
                AJAX Backend:
http://localhost:50012/backend/setFilter.htm
User: onClick()
         AJAX Frontend: http://localhost:50012/frontend/setFilter.htm
         AJAX Backend: http://localhost:50012/backend/setFilter.htm


The corresponding request-pairs to frontend and backend should be
identified via the sessionID.

Tomcat is doing that via Cookie JSESSIONID. I configured Tomcat
according to https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
<Context sessionCookiePath="/" sessionCookieDomain=".localhost">

If I look into the cookies in request and response the following
happens (note I shortened the sessionIds)


 User: http://localhost:50012/frontend/index.htm
     ResponseHeader: -
     RequestHeader: JSESSIONID=1
AJAX Frontend: http://localhost:50012/frontend/setFilter.htm
     ResponseHeader: -
     RequestHeader: JSESSIONID=1
AJAX Backend: http://localhost:50012/backend/setFilter.htm
     ResponseHeader: set JSESSIONID=2
     RequestHeader: JSESSIONID=1
User: onClick()
AJAX Frontend: http://localhost:50012/frontend/setFilter.htm
     ResponseHeader: setJSESSIONID=3
     RequestHeader: JSESSIONID=2
AJAX Backend: http://localhost:50012/backend/setFilter.htm
     ResponseHeader: -
     RequestHeader: JSESSIONID=2

...the sessionID always changes when I'm requesting the other
context. Does anyone have a hint regarding this?

Kind regards

Sascha

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 7.0.14 / 6.0.32 session gets obviously invalid after request / JSESSIONID changes

Posted by Sascha Hesse <sj...@gmail.com>.
It was set in a header.
But I already figured out what the problem was.
For the browser (Firefox 4), .localhost is not a valid domain for a cookie.
Some documents on the web say that for localhost the domain has to be empty.
This also didn't work.
The solution was requesting the service with a fully qualified hostname
and then setting the cookie according to the FQN.

Hope this helps everybody who runs into the same pitfall.

Regards Sascha

> Does the AJAX javascript set the session id in a cookie header, or
> append it as a path attribute?
>
> You can't rely on the browser to do this automagically for you in most
> AJAX libs.
>
>
> p
>
>
>


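The rejection of `.localhost` reported in the message above can be reproduced with a simplified model of the cookie Domain checks (the RFC 2109 section 4.3.2 embedded-dot rule plus suffix domain matching). This is an added example, not code from the thread or from Tomcat; the function name `checkCookieDomain` and the `app.example.test` hosts are hypothetical.

```javascript
// Added example (not from the thread): simplified model of how a user agent
// vets the Domain attribute of a Set-Cookie header. It covers the RFC 2109
// section 4.3.2 "embedded dot" rule and suffix domain matching only.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function checkCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // A leading dot is optional; compare on the bare name.
  const domain = domainAttr.toLowerCase().replace(/^\./, "");

  // Single-label names such as "localhost" have no embedded dot.
  if (!domain.includes(".")) {
    return { accepted: false, reason: "no embedded dot in Domain" };
  }
  // IP literals never suffix-match; only an exact match is allowed.
  if (IPV4.test(host)) {
    return host === domain
      ? { accepted: true, reason: "exact IP match" }
      : { accepted: false, reason: "IP host does not match Domain" };
  }
  if (host !== domain && !host.endsWith("." + domain)) {
    return { accepted: false, reason: "request host outside Domain" };
  }
  // A Domain attribute widens the cookie beyond the issuing host.
  const widened = host !== domain;
  return {
    accepted: true,
    reason: widened
      ? "shared with sibling hosts under " + domain
      : "scoped to " + domain + " and its subdomains",
  };
}

// Constructed cases: the thread's setting first, then hypothetical FQDN variants.
const cases = [
  ["localhost", ".localhost"],
  ["app.example.test", "app.example.test"],
  ["app.example.test", ".example.test"],
  ["app.example.test", ".other.test"],
  ["127.0.0.1", ".0.0.1"],
];
for (const [host, domain] of cases) {
  const v = checkCookieDomain(host, domain);
  console.log(`${host}  Domain=${domain}  ->  ${v.accepted ? "accept" : "reject"} (${v.reason})`);
}
```

With `sessionCookiePath="/"` and a Domain attribute, the JSESSIONID is sent to every context on the host and to every host that matches the domain, so keep the configured domain as narrow as the two webapps require.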

Re: Tomcat 7.0.14 / 6.0.32 session gets obviously invalid after request / JSESSIONID changes

Posted by Pid <pi...@pidster.com>.
On 08/06/2011 10:18, Sascha Hesse wrote:
> Hello all,
> 
> I'm hosting our Spring MVC 3.0.5 application in Tomcat 7.0.14 and also
> tried 6.0.32.
> 
> The server is hosting two webapps.
> 
> The frontend: http://localhost:50012/frontend
> The backend: http://localhost:50012/backend
> 
> The request flow looks as follows:
> 
> User: http://localhost:50012/frontend/index.htm
>                 AJAX Frontend:
> http://localhost:50012/frontend/setFilter.htm
>                 AJAX Backend:
> http://localhost:50012/backend/setFilter.htm
> User: onClick()
>          AJAX Frontend: http://localhost:50012/frontend/setFilter.htm
>          AJAX Backend: http://localhost:50012/backend/setFilter.htm
> 
> 
> The corresponding request-pairs to frontend and backend should be
> identified via the sessionID.
> 
> Tomcat is doing that via Cookie JSESSIONID. I configured Tomcat
> according to https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
> <Context sessionCookiePath="/" sessionCookieDomain=".localhost">
> 
> If I look into the cookies in request and response the following
> happens (note I shortened the sessionIds)
> 
> 
>  User: http://localhost:50012/frontend/index.htm
>      ResponseHeader: -
>      RequestHeader: JSESSIONID=1
> AJAX Frontend: http://localhost:50012/frontend/setFilter.htm
>      ResponseHeader: -
>      RequestHeader: JSESSIONID=1
> AJAX Backend: http://localhost:50012/backend/setFilter.htm
>      ResponseHeader: set JSESSIONID=2
>      RequestHeader: JSESSIONID=1
> User: onClick()
> AJAX Frontend: http://localhost:50012/frontend/setFilter.htm
>      ResponseHeader: setJSESSIONID=3
>      RequestHeader: JSESSIONID=2
> AJAX Backend: http://localhost:50012/backend/setFilter.htm
>      ResponseHeader: -
>      RequestHeader: JSESSIONID=2
> 
> ...the sessionID always changes when I'm requesting the other
> context. Does anyone have a hint regarding this?

Does the AJAX javascript set the session id in a cookie header, or
append it as a path attribute?

You can't rely on the browser to do this automagically for you in most
AJAX libs.


p