Posted to users@tomcat.apache.org by Stefan Bethke <s....@tallence.com> on 2005/11/11 11:19:01 UTC

Why can the JSESSIONID name not be changed?

Hi,

I hope this is the right list to ask; if not, please direct me to a  
better place...

We're currently integrating a couple of web sites under a single  
domain.  Some of the sites run on separate Tomcats, others use PHP,  
Perl or a number of proprietary systems.  We believe that having  
multiple containers use the same session cookie will lead to problems.

So we assumed that we could just configure each container to use a  
separate cookie.  However, the specification points out in section  
SRV.7.1.1 that "[t]he name of the session tracking cookie  
must be JSESSIONID."

I'd like to understand the rationale for this requirement. If the  
container manages the session, why would an application care about  
the actual mechanism used to track the session? Why can this not be  
made configurable?


Thanks,
Stefan

-- 
Stefan Bethke <s....@tallence.com>
Tallence GmbH, Baumwall 3, D-20459 Hamburg, Germany
Mobile +49 170 3460140, Office +49 40 360935-0, Fax +49 40 360935-10



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Why can the JSESSIONID name not be changed?

Posted by brycenesbitt <br...@obviously.com>.


Christopher Schultz-2 wrote:
> 
> And why only in MSIE?
> 
> Stefan also needs to understand that these cookies also have "paths"
> encoded into them, so that they do not interfere (as long as the paths
> themselves do not interfere).
> 
> -chris
> 

MSIE processes the "paths" differently than Gecko based browsers.
MSIE returns a less specific session cookie first.  All the other
browsers return the most specific cookie first.

Two webapps CAN interfere with each other, under MSIE:

See:
http://www.obviously.com/tech_tips/jsessionid_msie.html

-- 
View this message in context: http://www.nabble.com/Why-can-the-JSESSIONID-name-not-be-changed--tf532684.html#a7713586
Sent from the Tomcat - User mailing list archive at Nabble.com.
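
An added illustration of the ordering difference described in the message above; it is not part of the original post and is not Tomcat code. The jar contents, session ids, and the `first_value` / `resolve_session` server-side lookups are hypothetical; `path_matches` follows the path-match rule of RFC 6265 section 5.1.4, and "most specific first" is the order RFC 6265 section 5.4 recommends.

```python
from typing import NamedTuple

class Cookie(NamedTuple):
    name: str
    value: str
    path: str

def path_matches(cookie_path, request_path):
    """RFC 6265 5.1.4: equal, or a prefix that ends at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_header(jar, request_path, most_specific_first=True):
    """Cookie header value a browser would send for request_path."""
    matching = [c for c in jar if path_matches(c.path, request_path)]
    matching.sort(key=lambda c: len(c.path), reverse=most_specific_first)
    return "; ".join(f"{c.name}={c.value}" for c in matching)

def values_for(header, name="JSESSIONID"):
    """All values sent under one cookie name, in header order."""
    pairs = (p.partition("=") for p in header.split("; "))
    return [value for key, _, value in pairs if key == name]

def first_value(header):
    """Hypothetical lookup that trusts the first JSESSIONID it sees."""
    found = values_for(header)
    return found[0] if found else None

def resolve_session(header, live_sessions):
    """Hypothetical tolerant lookup: accept only an id this app issued."""
    return next((v for v in values_for(header) if v in live_sessions), None)

# Constructed jar: two apps on one host, both naming their cookie JSESSIONID.
JAR = [
    Cookie("JSESSIONID", "ROOTAPP-1111", "/"),
    Cookie("JSESSIONID", "SHOP-2222", "/shop"),
]
SHOP_SESSIONS = {"SHOP-2222"}  # ids issued by the app mounted at /shop

if __name__ == "__main__":
    for specific_first in (True, False):
        header = cookie_header(JAR, "/shop/cart", specific_first)
        print(specific_first, header, first_value(header),
              resolve_session(header, SHOP_SESSIONS))
```

With the least-specific-first order, the first-match lookup hands the `/shop` application the root application's id, which it does not recognise, so the user appears to have no session; the tolerant lookup finds the right id under either order.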




Re: Why can the JSESSIONID name not be changed?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Bryce,

brycenesbitt wrote:
> Stefan Bethke wrote:
>> Hi,
>> We're currently integrating a couple of web sites under a single  
>> domain.  Some of the sites run on separate Tomcats, others use PHP,  
>> Perl or a number of proprietary systems.  We believe that having  
>> multiple containers use the same session cookie will lead to problems.
>>
> 
> It will cause problems, but only on IE, and then only under certain
> circumstances.  The rest of the browsers seem fine...

Why would changing the name of a cookie cause problems? And why only in
MSIE?

Stefan also needs to understand that these cookies also have "paths"
encoded into them, so that they do not interfere (as long as the paths
themselves do not interfere).

-chris



Re: Why can the JSESSIONID name not be changed?

Posted by brycenesbitt <br...@obviously.com>.


Stefan Bethke wrote:
> 
> Hi,
> I hope this is the right list to ask; if not, please direct me to a  
> better place...
> 
> We're currently integrating a couple of web sites under a single  
> domain.  Some of the sites run on separate Tomcats, others use PHP,  
> Perl or a number of proprietary systems.  We believe that having  
> multiple containers use the same session cookie will lead to problems.
> 

It will cause problems, but only on IE, and then only under certain
circumstances.  The rest of the browsers seem fine...

-- 
View this message in context: http://www.nabble.com/Why-can-the-JSESSIONID-name-not-be-changed--tf532684.html#a7700835
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Why can the JSESSIONID name not be changed?

Posted by Stefan Bethke <s....@tallence.com>.
On 11.11.2005 at 21:14, George Sexton wrote:

>> I'd like to understand the rationale for this requirement. If the
>> container manages the session, why would an application care about
>> the actual mechanism used to track the session? Why can this not be
>> made configurable?
> I'm guessing the reason it's in the spec is so that hardware load balancers
> can map sessions back to the originating machine.

All load balancers I've dealt with certainly can be configured to  
use an arbitrary cookie/URL pattern to manage sticky sessions.

-- 
Stefan Bethke <s....@tallence.com>
Tallence GmbH, Baumwall 3, D-20459 Hamburg, Germany
Mobile +49 170 3460140, Office +49 40 360935-0, Fax +49 40 360935-10





RE: Why can the JSESSIONID name not be changed?

Posted by George Sexton <gs...@mhsoftware.com>.
I'm guessing the reason it's in the spec is so that hardware load balancers
can map sessions back to the originating machine.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

> -----Original Message-----
> From: Stefan Bethke [mailto:s.bethke@tallence.com] 
> Sent: Friday, November 11, 2005 3:19 AM
> To: users@tomcat.apache.org
> Subject: Why can the JSESSIONID name not be changed?
> 
> Hi,
> 
> I hope this is the right list to ask; if not, please direct me to a  
> better place...
> 
> We're currently integrating a couple of web sites under a single  
> domain.  Some of the sites run on separate Tomcats, others use PHP,  
> Perl or a number of proprietary systems.  We believe that having  
> multiple containers use the same session cookie will lead to problems.
> 
> So we assumed that we could just configure each container to use a  
> separate cookie.  However, the specification points out in section  
> SRV.7.1.1 that "[t]he name of the session tracking cookie  
> must be JSESSIONID."
> 
> I'd like to understand the rationale for this requirement. If the  
> container manages the session, why would an application care about  
> the actual mechanism used to track the session? Why can this not be  
> made configurable?
> 
> 
> Thanks,
> Stefan
> 
> -- 
> Stefan Bethke <s....@tallence.com>
> Tallence GmbH, Baumwall 3, D-20459 Hamburg, Germany
> Mobile +49 170 3460140, Office +49 40 360935-0, Fax +49 40 360935-10
> 
> 
> 
> 
> 

