You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Jerry Malcolm <2n...@gmail.com> on 2011/12/31 07:33:35 UTC
Different session id per page
I have a web app that's worked for years. I had to go in and do some
renovations on it due to a few new requirements. Now for some reason, I'm
getting a new/different session id for each page. It's easy to see that's
what happening since I use the sessionid for a log file name. Where I used
to get one log file when clicking through a series of pages, I now get a
bunch of logging files. This is a problem since I store data in the
session object between pages. And now the pages cannot find the data. This
is on TC 7.
The only major thing I'm doing differently now that I can figure might
affect it is I'm using mod_rewrite in apache httpd. But I'm grasping at
straws. I really don't see how mod_rewrite would be preventing session
data from passing through. Or could it?
The way I understand it, it's simply a session key that's passed back and
forth as a cookie, right?
Any ideas why I'm losing my sessions on each page?
Thx
Jerry
Re: Different session id per page
Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 1:59 PM, Jerry Malcolm wrote:
> Thanks, Tim. But that wasn't the problem. I've figured out what's
> happening. But I'm even more confused about how to move forward knowing
> that now.
>
> I've got a relatively simple situation. I have three pages that I am
> mapping to clean URLs in httpd mod_rewrite.
>
> /cart = /order/jsp/guest/cart.jsp
> /locateaccount = /order/jsp/guest/locateaccount.jsp
> /checkout = /order/jsp/guest/checkout.jsp
>
> I looked at my firefox cookies, and I have a cookie for /order. It makes
> sense that /order would be the cookie that's sent back from TC, since
> that's the URL that TC sees. It's obvious to me now that when Firefox
> requests the page "/locateaccount" it has no cookie to send for
> "/locateaccount", since the cookie it should be sending is labeled
> "/order", and firefox has no knowledge of the /order prefix
>
> OK, it's clear what's happening. But am I just out of luck? My client has
> requested clean URLs. But this has been nothing but a headache from the
> start.
>
> Am I missing something really obvious? Is there any possible way to
> configure TC such that the three URLs above, with the URL mappings as
> described, can keep track of one session?
>
> How does TC decide what path to store the session id cookie under? Again,
> I saw a cookie for /order. But I also saw a cookie for another webapp for
> /idmanager/jsp/user. I don't want to change all my urls to /order/cart,
> /order/checkout, etc. only to find out TC might send /order/jsp/guest for
> the session path in some situation. If there was a way to tell TC to use
> "/" as the path, that would work in this case. But in the broader picture,
> I have more than one web app on this host. There are separate sessions for
> each webapp, right? So in that case the browser couldn't keep them
> separate if they were all mapped to "/", right?
>
> Bottom line... is the mapping above with a single session possible?
>
> Thx
>
> Jerry
>
> On Sat, Dec 31, 2011 at 1:28 AM, Tim Watts<ti...@cliftonfarm.org> wrote:
>
>> On Sat, 2011-12-31 at 00:33 -0600, Jerry Malcolm wrote:
>>> I have a web app that's worked for years. I had to go in and do some
>>> renovations on it due to a few new requirements. Now for some reason,
>> I'm
>>> getting a new/different session id for each page. It's easy to see
>> that's
>>> what happening since I use the sessionid for a log file name. Where I
>> used
>>> to get one log file when clicking through a series of pages, I now get a
>>> bunch of logging files. This is a problem since I store data in the
>>> session object between pages. And now the pages cannot find the data.
>> This
>>> is on TC 7.
>>>
>>> The only major thing I'm doing differently now that I can figure might
>>> affect it is I'm using mod_rewrite in apache httpd. But I'm grasping at
>>> straws. I really don't see how mod_rewrite would be preventing session
>>> data from passing through. Or could it?
>>>
>>> The way I understand it, it's simply a session key that's passed back and
>>> forth as a cookie, right?
>>>
>> The session ID could also be embedded in the URL and perhaps mod_rewrite
>> is dropping it. You could compare the access logs in httpd vs tomcat
>> (enable them in tomcat if necessary).
>>
>>
>>> Any ideas why I'm losing my sessions on each page?
>>>
>>> Thx
>>>
>>> Jerry
Hi, Jerry-
It seems like you could simplify things if you mapped:
/order/jsp/guest/cart.jsp to /order/cart
/order/jsp/guest/locateaccount.jsp to /order/locateaccount
/order/jsp/guest/checkout.jsp to /order/checkout
Apparently, /order is the context path for these pages which, I believe,
is the default for the cookie session path. These mappings could be
defined in web.xml which would eliminate the need for URL rewriting.
-Terence Bandoian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Different session id per page
Posted by Rainer Jung <ra...@kippdata.de>.
On 31.12.2011 18:37, Caldarale, Charles R wrote:
>> From: Jerry Malcolm [mailto:2ndgenfilms@gmail.com]
>> Subject: Re: Different session id per page
>
>> If there was a way to tell TC to use "/" as the path, that would
>> work in this case.
>
> Look at the sessionCookiePath attribute for<Context> and see if that will help:
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
Yes, you can change the path of the session cookie used by Tomcat, and
in case you need to change it to "/", you can also change the name of
the session cookie to make sure you won't run into a conflict with
another Java webapp session cookie used on the same server.
The alternative is rewriting the cokie at the reverse proxy (Apache Web
Server), using mod_headers or to cookie rewriting feature if mod_proxy.
A cookie set by the server (Tomcat) is just a "Cookie" response header,
which you can change dynamically at the reverse proxy to account for
reversing your URL rewriting for requests.
Some info about that is also avilable at
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Rewriting
If you are using mod_proxy, please have a look at the mod_proxy docs.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Different session id per page
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jerry,
On 12/31/11 5:44 PM, Jerry Malcolm wrote:
> Chuck, the sessionCookiePath link you referenced says that all web
> apps can use the same cookie path ("/"). That means that several
> independent web applications will have to share the same session
> object, right? I have no problem with that if that really works.
> Just want to confirm that I am indeed understanding this correctly.
> There's no problem with several webapps sharing a common session
> object?
I would *highly* recommend against combining URL spaces of different
webapps. If you just want to map your /orders webapp to /, then that's
fine, but if you have separate webapps, you're going to want to keep
the cookie paths distinct from each other. To do otherwise will cause
all kinds of problems with webapps trashing each other's JSESSIONID
cookie values.
Another option would be to set the cookie name. You can do that in
recent versions of Tomcat. Check the <Context> documentation for how
to do it.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8COnEACgkQ9CaO5/Lv0PBzXQCfZWnB6KK5fnnxhMHYqGHyfGM0
eAgAn1ll6QWFejuq+w2CB7Ag5H7bBOeW
=Sto9
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Different session id per page
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Jerry Malcolm [mailto:2ndgenfilms@gmail.com]
> Subject: Re: Different session id per page
> the sessionCookiePath link you referenced says that all web apps can
> use the same cookie path ("/").
They can, but you don't have to use it that way. Each webapp can have its own sessionCookiePath value, unrelated to the URL used to access the webapp.
> That means that several independent web applications will have to share
> the same session object, right?
No, session objects are still unique per <Context> (required by the spec).
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Different session id per page
Posted by Jerry Malcolm <2n...@gmail.com>.
Chuck, the sessionCookiePath link you referenced says that all web apps can
use the same cookie path ("/"). That means that several independent web
applications will have to share the same session object, right? I have no
problem with that if that really works. Just want to confirm that I am
indeed understanding this correctly. There's no problem with several
webapps sharing a common session object?
Or is it only the session "ID" that's common, and each web app still has
it's own separate namespace for it's sessions? So there are still separate
sessions, Each one is named "xyz", but it's actually 'webapp1-xyz' and
webapp2-xyz', etc.?
I guess if it works, it works, and I shouldn't care what goes on under the
hood. But every time I make that assumption, something jumps up and bites
my.....
Thx.
On Sat, Dec 31, 2011 at 4:35 PM, Jerry Malcolm <2n...@gmail.com>wrote:
> Andre,
>
> In mod_rewrite it talks about setting a cookie when a rewrite rule hit
> occurs. But I can't find anything about back-translation of cookie paths.
> Was that was what you meant? Still not sure how that would work. Seems
> like i would need a way to tell the browser that URLs /cart,
> /locateaccount, /checkout all use the /order cookie. How would that work?
>
>
>
>
>
> On Sat, Dec 31, 2011 at 11:37 AM, Caldarale, Charles R <
> Chuck.Caldarale@unisys.com> wrote:
>
>> > From: Jerry Malcolm [mailto:2ndgenfilms@gmail.com]
>> > Subject: Re: Different session id per page
>>
>> > If there was a way to tell TC to use "/" as the path, that would
>> > work in this case.
>>
>> Look at the sessionCookiePath attribute for <Context> and see if that
>> will help:
>>
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
>>
>> - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail and
>> its attachments from all computers.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
Re: Different session id per page
Posted by André Warnier <aw...@ice-sa.com>.
Jerry Malcolm wrote:
> Andre,
>
> In mod_rewrite it talks about setting a cookie when a rewrite rule hit
> occurs. But I can't find anything about back-translation of cookie paths.
> Was that was what you meant? Still not sure how that would work. Seems
> like i would need a way to tell the browser that URLs /cart,
> /locateaccount, /checkout all use the /order cookie. How would that work?
>
In perl (programming language) circles, we use the TIMTOWTDI acronym to mean "there is
more than one way to do it", which is true for most things in perl.
To connect Apache and Tomcat, this applies too, which does not make for easy or short
explanations..
By now, you already got a few hints from Chuck and Rainer and others, but here is the
grand scheme :
To proxy requests from Apache to Tomcat, there are 3 methods :
a) using mod_proxy and HTTP :
Apache + mod_proxy + mod_proxy_http <-- HTTP(S) protocol --> Tomcat HTTP(S) Connector
b) using AJP :
b.1) using mod_proxy and AJP :
Apache + mod_proxy + mod_proxy_ajp <-- AJP protocol --> Tomcat AJP Connector
b.2) using mod_jk and AJP :
Apache + mod_jk <-- AJP protocol --> Tomcat AJP Connector
Each of the above methods has advantages and inconvenients, and its own fan club.
If you are using (a) or (b.1), then you are using mod_proxy at the Apache level, and you
have access to the directives which mod_proxy provides, which include the
ProxyPassReverseCookiePath
directive, which would do exactly what you want.
(http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassreversecookiepath)
Also, with the ProxyPass directive, you can do some of the URL rewrite logic which you
currently do with mod_rewrite.
For example, you can rather easily do things like
ProxyPass /original/url ajp://tomcat/some/other/url
And if you need more complicated rewriting, you can use mod_rewrite and mod_proxy in
succession (mod_rewrite does its thing first, and then mod_proxy proxies).
If you are using (b.2) at the Apache level, then things are a bit more complicated, if you
are also using mod_rewrite to rewrite the URLs before proxying the requests to Tomcat.
That's because mod_jk itself does not provide a directive that is equivalent to the
mod_proxy "ProxyPassReverseCookiePath" directive.
So in that case, you would use another Apache module (mod_headers, see
http://httpd.apache.org/docs/2.2/mod/mod_headers.html), to rewrite the "Set-Cookie"
response headers which come back from Tomcat, before they are sent back to the browser.
(That is what Rainer was hinting at).
Or, you could do the cookie manipulation at the Tomcat level, which in your case might be
the easiest thing to do and is valid no matter how you set up the front-end.
(That is what Chuck is talking about, with a complement by Rainer).
Hope this makes things a bit clearer.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Different session id per page
Posted by Jerry Malcolm <2n...@gmail.com>.
Andre,
In mod_rewrite it talks about setting a cookie when a rewrite rule hit
occurs. But I can't find anything about back-translation of cookie paths.
Was that was what you meant? Still not sure how that would work. Seems
like i would need a way to tell the browser that URLs /cart,
/locateaccount, /checkout all use the /order cookie. How would that work?
On Sat, Dec 31, 2011 at 11:37 AM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:
> > From: Jerry Malcolm [mailto:2ndgenfilms@gmail.com]
> > Subject: Re: Different session id per page
>
> > If there was a way to tell TC to use "/" as the path, that would
> > work in this case.
>
> Look at the sessionCookiePath attribute for <Context> and see if that will
> help:
>
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail and
> its attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
RE: Different session id per page
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Jerry Malcolm [mailto:2ndgenfilms@gmail.com]
> Subject: Re: Different session id per page
> If there was a way to tell TC to use "/" as the path, that would
> work in this case.
Look at the sessionCookiePath attribute for <Context> and see if that will help:
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Different session id per page
Posted by Jerry Malcolm <2n...@gmail.com>.
Andre,
That's good news. I know less than 1% of what I need to know about
mod_rewrite. So that is definitely a possibility. I'll do some digging
into that.
Thanks so much.
Jerry
On Sat, Dec 31, 2011 at 11:19 AM, André Warnier <aw...@ice-sa.com> wrote:
> Jerry Malcolm wrote:
>
>> Thanks, Tim. But that wasn't the problem. I've figured out what's
>> happening. But I'm even more confused about how to move forward knowing
>> that now.
>>
>> I've got a relatively simple situation. I have three pages that I am
>> mapping to clean URLs in httpd mod_rewrite.
>>
>> /cart = /order/jsp/guest/cart.jsp
>> /locateaccount = /order/jsp/guest/**locateaccount.jsp
>> /checkout = /order/jsp/guest/checkout.jsp
>>
>> I looked at my firefox cookies, and I have a cookie for /order. It makes
>> sense that /order would be the cookie that's sent back from TC, since
>> that's the URL that TC sees. It's obvious to me now that when Firefox
>> requests the page "/locateaccount" it has no cookie to send for
>> "/locateaccount", since the cookie it should be sending is labeled
>> "/order", and firefox has no knowledge of the /order prefix
>>
>> OK, it's clear what's happening. But am I just out of luck? My client has
>> requested clean URLs. But this has been nothing but a headache from the
>> start.
>>
>> Am I missing something really obvious?
>>
>
> Maybe. Unless I am mistaken, in mod_rewrite (or mod_proxy), there are
> directives to rewrite cookie paths too, in the response coming from Tomcat
> and before they get forwarded back to the browser.
>
>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<us...@tomcat.apache.org>
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Different session id per page
Posted by André Warnier <aw...@ice-sa.com>.
Jerry Malcolm wrote:
> Thanks, Tim. But that wasn't the problem. I've figured out what's
> happening. But I'm even more confused about how to move forward knowing
> that now.
>
> I've got a relatively simple situation. I have three pages that I am
> mapping to clean URLs in httpd mod_rewrite.
>
> /cart = /order/jsp/guest/cart.jsp
> /locateaccount = /order/jsp/guest/locateaccount.jsp
> /checkout = /order/jsp/guest/checkout.jsp
>
> I looked at my firefox cookies, and I have a cookie for /order. It makes
> sense that /order would be the cookie that's sent back from TC, since
> that's the URL that TC sees. It's obvious to me now that when Firefox
> requests the page "/locateaccount" it has no cookie to send for
> "/locateaccount", since the cookie it should be sending is labeled
> "/order", and firefox has no knowledge of the /order prefix
>
> OK, it's clear what's happening. But am I just out of luck? My client has
> requested clean URLs. But this has been nothing but a headache from the
> start.
>
> Am I missing something really obvious?
Maybe. Unless I am mistaken, in mod_rewrite (or mod_proxy), there are directives to
rewrite cookie paths too, in the response coming from Tomcat and before they get forwarded
back to the browser.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Different session id per page
Posted by Jerry Malcolm <2n...@gmail.com>.
Thanks, Tim. But that wasn't the problem. I've figured out what's
happening. But I'm even more confused about how to move forward knowing
that now.
I've got a relatively simple situation. I have three pages that I am
mapping to clean URLs in httpd mod_rewrite.
/cart = /order/jsp/guest/cart.jsp
/locateaccount = /order/jsp/guest/locateaccount.jsp
/checkout = /order/jsp/guest/checkout.jsp
I looked at my firefox cookies, and I have a cookie for /order. It makes
sense that /order would be the cookie that's sent back from TC, since
that's the URL that TC sees. It's obvious to me now that when Firefox
requests the page "/locateaccount" it has no cookie to send for
"/locateaccount", since the cookie it should be sending is labeled
"/order", and firefox has no knowledge of the /order prefix
OK, it's clear what's happening. But am I just out of luck? My client has
requested clean URLs. But this has been nothing but a headache from the
start.
Am I missing something really obvious? Is there any possible way to
configure TC such that the three URLs above, with the URL mappings as
described, can keep track of one session?
How does TC decide what path to store the session id cookie under? Again,
I saw a cookie for /order. But I also saw a cookie for another webapp for
/idmanager/jsp/user. I don't want to change all my urls to /order/cart,
/order/checkout, etc. only to find out TC might send /order/jsp/guest for
the session path in some situation. If there was a way to tell TC to use
"/" as the path, that would work in this case. But in the broader picture,
I have more than one web app on this host. There are separate sessions for
each webapp, right? So in that case the browser couldn't keep them
separate if they were all mapped to "/", right?
Bottom line... is the mapping above with a single session possible?
Thx
Jerry
On Sat, Dec 31, 2011 at 1:28 AM, Tim Watts <ti...@cliftonfarm.org> wrote:
> On Sat, 2011-12-31 at 00:33 -0600, Jerry Malcolm wrote:
> > I have a web app that's worked for years. I had to go in and do some
> > renovations on it due to a few new requirements. Now for some reason,
> I'm
> > getting a new/different session id for each page. It's easy to see
> that's
> > what happening since I use the sessionid for a log file name. Where I
> used
> > to get one log file when clicking through a series of pages, I now get a
> > bunch of logging files. This is a problem since I store data in the
> > session object between pages. And now the pages cannot find the data.
> This
> > is on TC 7.
> >
> > The only major thing I'm doing differently now that I can figure might
> > affect it is I'm using mod_rewrite in apache httpd. But I'm grasping at
> > straws. I really don't see how mod_rewrite would be preventing session
> > data from passing through. Or could it?
> >
> > The way I understand it, it's simply a session key that's passed back and
> > forth as a cookie, right?
> >
>
> The session ID could also be embedded in the URL and perhaps mod_rewrite
> is dropping it. You could compare the access logs in httpd vs tomcat
> (enable them in tomcat if necessary).
>
>
> > Any ideas why I'm losing my sessions on each page?
> >
> > Thx
> >
> > Jerry
>
>
Re: Different session id per page
Posted by Tim Watts <ti...@cliftonfarm.org>.
On Sat, 2011-12-31 at 00:33 -0600, Jerry Malcolm wrote:
> I have a web app that's worked for years. I had to go in and do some
> renovations on it due to a few new requirements. Now for some reason, I'm
> getting a new/different session id for each page. It's easy to see that's
> what happening since I use the sessionid for a log file name. Where I used
> to get one log file when clicking through a series of pages, I now get a
> bunch of logging files. This is a problem since I store data in the
> session object between pages. And now the pages cannot find the data. This
> is on TC 7.
>
> The only major thing I'm doing differently now that I can figure might
> affect it is I'm using mod_rewrite in apache httpd. But I'm grasping at
> straws. I really don't see how mod_rewrite would be preventing session
> data from passing through. Or could it?
>
> The way I understand it, it's simply a session key that's passed back and
> forth as a cookie, right?
>
The session ID could also be embedded in the URL and perhaps mod_rewrite
is dropping it. You could compare the access logs in httpd vs tomcat
(enable them in tomcat if necessary).
> Any ideas why I'm losing my sessions on each page?
>
> Thx
>
> Jerry