Posted to dev@tomcat.apache.org by bu...@apache.org on 2008/01/12 02:43:23 UTC

DO NOT REPLY [Bug 44216] New: - Don't reuse session ID even if emptySessionPath=true

http://issues.apache.org/bugzilla/show_bug.cgi?id=44216

           Summary: Don't reuse session ID even if emptySessionPath=true
           Product: Tomcat 5
           Version: Unknown
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: nahor.j+tomcat@gmail.com


Context:
- I want my webapp to use a "nice" URL for a user's homepage (e.g.
"http://server/user") which is then redirected server side to the real URL (e.g.
"http://server/servlet/home?user=user"). This requires using "emptySessionPath".
- I'm using a load-balancer with two Tomcat servers (say T1 and T2) with sticky
sessions (xxx.t1, yyy.t2, ...).
- Because some HTTP clients don't support cookies or are started by another HTTP
client (e.g. progressive video download in Media Player started by clicking on
a link in Firefox), some links have the session id in the URL (e.g.
http://server/servlet/stream/yyy.t2/music.mp3).

Broken case:
- The user navigates to the website and gets the session "yyy.t2" from T2.
- He then bookmarks a URL with the session id in it, like the one above.
- The next day, he navigates to the website again and gets the session "xxx.t1"
from T1.
- He then selects the bookmarked URL.
=> The request is redirected to T2. The session is invalid so a new one is
created. But because of the cookie, the session id is "xxx.t1".

So now we have a session created on T2 with a jvmRoute t1. So the following
requests will be sent to T1 instead of T2 with an inconsistent (or even expired)
session.

There should be two independent options:
- emptySessionPath, which only changes the path of the session cookie but nothing else
- reuseSessionID, which will reuse the session id from the cookie if available

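The broken case from the report, replayed in a small Python model. This is an added example, not code from the report or from Tomcat: `Node`, `route`, `replay` and the `reuse_session_id` flag (named after the option the report proposes) are assumptions, and the session IDs are constructed.

```python
import itertools

class Node:
    """Simplified stand-in for one Tomcat instance (not Tomcat code)."""
    def __init__(self, jvm_route, reuse_session_id):
        self.jvm_route = jvm_route
        self.reuse_session_id = reuse_session_id  # hypothetical option from the report
        self.sessions = set()
        self._counter = itertools.count(1)

    def new_session(self, cookie_sid=None):
        # Behaviour the report attributes to emptySessionPath=true: the ID
        # carried by the cookie is reused for the freshly created session.
        if self.reuse_session_id and cookie_sid:
            sid = cookie_sid
        else:
            sid = f"s{next(self._counter)}.{self.jvm_route}"
        self.sessions.add(sid)
        return sid

    def handle(self, url_sid, cookie_sid):
        # A still-valid session named in the URL is used as-is.
        if url_sid in self.sessions:
            return url_sid
        return self.new_session(cookie_sid)

def route(nodes, sid):
    """Sticky routing: the suffix after the last '.' names the node."""
    return nodes[sid.rsplit(".", 1)[-1]]

def replay(reuse_session_id):
    nodes = {r: Node(r, reuse_session_id) for r in ("t1", "t2")}
    day1 = nodes["t2"].new_session()       # first visit lands on T2
    nodes["t2"].sessions.discard(day1)     # that session expires overnight
    cookie = nodes["t1"].new_session()     # next day: new session on T1
    target = route(nodes, day1)            # bookmarked URL carries day1's ID
    sid = target.handle(day1, cookie)      # T2 must create a new session
    return {"created_on": target.jvm_route, "sid": sid,
            "next_request_to": route(nodes, sid).jvm_route,
            "held_by": sorted(r for r, n in nodes.items() if sid in n.sessions)}

if __name__ == "__main__":
    print("reuse cookie ID:", replay(True))
    print("fresh ID:       ", replay(False))
```

With reuse enabled the same ID ends up held by both nodes and follow-up requests leave the node that created the session; with a fresh ID the route suffix and the owning node agree.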