Posted to users@tomcat.apache.org by sp...@gmx.eu on 2011/01/14 21:12:50 UTC

Applet, session-ID - TC 6 vs. TC7

Hi,

I have a web app where the user logs in and starts an applet which uploads a
file and then opens a page in the browser. I use Java 1.6_16.

When I do this in TC 6.0.13 the session-ID stays the same after login. Fine.
When I do this in TC 7.0.5 the session-ID changes when the applet starts to
communicate with the server. So the user is losing his login and the app is
broken.

What feature in TC 7 leads to this problem? The new session fixation
prevention?
How can I solve this?

Thank you


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Applet, session-ID - TC 6 vs. TC7

Posted by Christopher Schultz <ch...@christopherschultz.net>.

To whom it may concern,

On 1/15/2011 7:36 AM, spring@gmx.eu wrote:
>> Well, saying you use Form auth was misleading, wasn't it?
> 
> It is called FormAuth in Spring too.

While that may be true, simply stating that you are using FORM
authentication usually leads people to think that you are using the
container's FORM authenticator. Were we supposed to guess that you were
using Spring?

>> If you're using Spring Security maybe your question would be better
>> addressed to one of the Spring forums?
> 
> Hm. But it works in TC 6.0 with the same version of spring.

It is still worth asking the Spring folks. Presumably, they know how
their authenticator interacts with various containers.

>>>> Are you unable to retrieve the new session id?
>>> This is all done magically by the Applet-Java-Runtime.
>>>
>>
>> Really... ?
> 
> Somehow the Java-Browser-Plugin is communicating with the browser and when
> you are doing an HTTP request from within an applet, the session cookie gets
> automatically sent too.

If the applet is sniffing the session id from the browser, then it
should always be correct: when Tomcat changes your session id, it tells
the browser what the new one is using a Set-Cookie response header. If
that occurs /before/ the applet loads, then the applet should never see
the old session id and you shouldn't have a problem.

It sounds like your situation is a bit more complicated. Perhaps you
could walk us through the scenario?

-chris
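The rotation Chris describes, modelled as an added example (not code from the thread, from Tomcat or from Spring): a toy container issues a fresh session id on successful login and announces it with Set-Cookie, and the applet either follows that header or keeps the id it captured before login. Only the attribute name changeSessionIdOnAuthentication is Tomcat's; ToyContainer, applet_flow and the credentials are constructed for the example.

```python
# Added example (not from the thread or Tomcat's source): a toy model of the
# behaviour the replies describe. On successful login the container drops the
# pre-login session id, issues a fresh one (Tomcat 7's default
# changeSessionIdOnAuthentication="true") and announces it via Set-Cookie.
import secrets


class ToyContainer:
    """Minimal stand-in for a servlet container's session handling."""
    def __init__(self, change_session_id_on_auth=True):
        self.change_session_id_on_auth = change_session_id_on_auth
        self.sessions = {}  # session id -> {"user": name or None}

    def request(self, jsessionid, path, credentials=None):
        """Serve one request; return (body, Set-Cookie value or None)."""
        set_cookie = None
        if jsessionid not in self.sessions:  # unknown or stale id: anonymous
            jsessionid = secrets.token_hex(16)
            self.sessions[jsessionid] = {"user": None}
            set_cookie = jsessionid
        session = self.sessions[jsessionid]
        if path == "/login":
            if credentials != ("alice", "s3cret"):  # constructed credentials
                return "login failed", set_cookie
            if self.change_session_id_on_auth:
                # Session fixation protection: the state moves to a brand-new
                # id, so an id handed out before login never becomes authenticated.
                del self.sessions[jsessionid]
                jsessionid = secrets.token_hex(16)
                self.sessions[jsessionid] = session
                set_cookie = jsessionid
            session["user"] = credentials[0]
            return "login ok", set_cookie
        if path == "/upload":
            if session["user"] is None:
                return "401 not authenticated", set_cookie
            return f"upload accepted for {session['user']}", set_cookie
        return "200 ok", set_cookie


def applet_flow(container, applet_honours_set_cookie):
    """Browser visits, logs in, then the applet uploads; returns the upload body."""
    _, sid = container.request(None, "/")              # anonymous first visit
    snapshot = sid                                      # applet copies the id now
    _, rotated = container.request(sid, "/login", ("alice", "s3cret"))
    browser_sid = rotated or sid                        # browsers always follow Set-Cookie
    applet_sid = browser_sid if applet_honours_set_cookie else snapshot
    body, _ = container.request(applet_sid, "/upload")
    return body
```

With the default rotation an applet that keeps its pre-login snapshot is treated as anonymous, which is the "user loses his login" symptom; with change_session_id_on_auth=False the snapshot keeps working, as in TC 6.0.13, but the fixation protection is gone.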



RE: Applet, session-ID - TC 6 vs. TC7

Posted by sp...@gmx.eu.
> Well, saying you use Form auth was misleading, wasn't it?

It is called FormAuth in Spring too.

> If you're using Spring Security maybe your question would be better
> addressed to one of the Spring forums?

Hm. But it works in TC 6.0 with the same version of spring.

> >> Are you unable to retrieve the new session id?
> > This is all done magically by the Applet-Java-Runtime.
> >
> 
> Really... ?

Somehow the Java-Browser-Plugin is communicating with the browser and when
you are doing an HTTP request from within an applet, the session cookie gets
automatically sent too.
And here something goes wrong when the applet talks to TC 7.0.




Re: Applet, session-ID - TC 6 vs. TC7

Posted by Pid <pi...@pidster.com>.
On 1/15/11 11:00 AM, spring@gmx.eu wrote:
>>> Hm, ok. I do not use tomcat's auth mechanisms. I use spring security.
>>> Something must have changed between TC 6.0 and 7.0. And I have no idea
>>> what...
>>
>> As has already been explained, the session ID changes on authentication.
> 
> What do you mean by authentication? I do NOT use tomcat's auth mechanisms.

Well, saying you use Form auth was misleading, wasn't it?

If you're using Spring Security maybe your question would be better
addressed to one of the Spring forums?

>> Are you unable to retrieve the new session id?
> This is all done magically by the Applet-Java-Runtime.
>

Really... ?


p


> What kind of event lets tomcat change the session id?
> And how can I disable this behaviour?
> 
> Thank you!
> 
> 


RE: Applet, session-ID - TC 6 vs. TC7

Posted by sp...@gmx.eu.
> > Hm, ok. I do not use tomcat's auth mechanisms. I use spring security.
> > Something must have changed between TC 6.0 and 7.0. And I have no idea
> > what...
> 
> As has already been explained, the session ID changes on authentication.

What do you mean by authentication? I do NOT use tomcat's auth mechanisms.
What kind of event lets tomcat change the session id?
And how can I disable this behaviour?

Thank you!




Re: Applet, session-ID - TC 6 vs. TC7

Posted by Mark Thomas <ma...@apache.org>.
On 15/01/2011 09:59, spring@gmx.eu wrote:
>> The behaviour is configurable. Set the changeSessionIdOnAuthentication
>> attribute to false on the FORM authenticator valve.
> 
> Hm, ok. I do not use tomcat's auth mechanisms. I use spring security.
> Something must have changed between TC 6.0 and 7.0. And I have no idea
> what...

As has already been explained, the session ID changes on authentication.
This is listed in the change log.

Mark



RE: Applet, session-ID - TC 6 vs. TC7

Posted by sp...@gmx.eu.
> The behaviour is configurable. Set the changeSessionIdOnAuthentication
> attribute to false on the FORM authenticator valve.

Hm, ok. I do not use tomcat's auth mechanisms. I use spring security.
Something must have changed between TC 6.0 and 7.0. And I have no idea
what...




Re: Applet, session-ID - TC 6 vs. TC7

Posted by Mark Thomas <ma...@apache.org>.
On 14/01/2011 23:15, spring@gmx.eu wrote:
>> Are you unable to retrieve the new session id?
> 
> This is all done magically by the Applet-Java-Runtime.
> 
>> Programmatic login is now possible in Servlet 3.0, would this help?
> 
> I know, but the applet does NOT know the credentials.

The behaviour is configurable. Set the changeSessionIdOnAuthentication
attribute to false on the FORM authenticator valve.

Mark



RE: Applet, session-ID - TC 6 vs. TC7

Posted by sp...@gmx.eu.
> Are you unable to retrieve the new session id?

This is all done magically by the Applet-Java-Runtime.

> Programmatic login is now possible in Servlet 3.0, would this help?

I know, but the applet does NOT know the credentials.




Re: Applet, session-ID - TC 6 vs. TC7

Posted by Pid <pi...@pidster.com>.
On 1/14/11 10:13 PM, spring@gmx.eu wrote:
>> What are you using the session id for?
> 
> I use form auth. Subsequent calls after a successful login in the same
> session are not authenticated again.
> This is standard I would say.

Are you unable to retrieve the new session id?

>> Don't rely on the session id remaining the same.
> 
> Then the applet has to know the user credentials and has to post to the
> login servlet. This is not possible (3rd party applet).

Programmatic login is now possible in Servlet 3.0; would this help?

See:

 http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html#login(java.lang.String, java.lang.String)


p

RE: Applet, session-ID - TC 6 vs. TC7

Posted by sp...@gmx.eu.
> What are you using the session id for?

I use form auth. Subsequent calls after a successful login in the same
session are not authenticated again.
This is standard I would say.

> Don't rely on the session id remaining the same.

Then the applet has to know the user credentials and has to post to the
login servlet. This is not possible (3rd party applet).




Re: Applet, session-ID - TC 6 vs. TC7

Posted by Pid <pi...@pidster.com>.
On 1/14/11 8:12 PM, spring@gmx.eu wrote:
> Hi,
> 
> I have a web app where the user logs in and starts an applet which uploads a
> file and then opens a page in the browser. I use Java 1.6_16.
> 
> When I do this in TC 6.0.13 the session-ID stays the same after login. Fine.
> When I do this in TC 7.0.5 the session-ID changes when the applet starts to
> communicate with the server. So the user is losing his login and the app is
> broken.
> 
> What feature in TC 7 leads to this problem? The new session fixation
> prevention?

It's only a problem if you rely on the session id not changing.  The
session id changes in recent versions of Tomcat 6 too - yours is
extremely old; many bugs have been fixed since it was released.

What are you using the session id for?

> How can I solve this?

Don't rely on the session id remaining the same.


p

> Thank you
> 
> 