You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Rory Kelly <ro...@fernsoftware.com> on 2015/02/03 12:04:56 UTC
RE: Session being dropped in Virtual Host in 8.0.9
Hi Chris,
Sorry for the late reply, I wound up working from home yesterday, and access
to the server was less than ideal
I'm just gonna dump the Headers from the login get, through to when it dumps
me back out at the login.
##Login
#request
POST /login HTTP/1.1redacted.site.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://redacted.site.io/login
Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
Connection: keep-alive
#response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html;charset=utf-8
Date: Tue, 03 Feb 2015 10:52:07 GMT
Location: http://redacted.site.io/login/challenge
Server: nginx/1.6.2 (Ubuntu)
Set-Cookie:
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
expires=Tue, 03 Feb 2015 10:57:07 -0000; HttpOnly
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
#request
GET /login/challenge HTTP/1.1redacted.sitename.io
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
en-US,en;q=0.5
gzip, deflate
http://redacted.sitename.io/login
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
keep-alive
#response
HTTP/1.1 200 OK
nginx/1.6.2 (Ubuntu)
Tue, 03 Feb 2015 10:47:37 GMT
text/html;charset=utf-8
chunked
keep-alive
no-cache, no-store, must-revalidate, max-age=0
1; mode=block
nosniff
SAMEORIGIN
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
expires=Tue, 03 Feb 2015 10:52:37 -0000; HttpOnly
gzip
##Challenge
#request
POST /login/challenge HTTP/1.1redacted.site.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://redacted.site.io/login/challenge
Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
Connection: keep-alive
#response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html;charset=utf-8
Date: Tue, 03 Feb 2015 10:50:03 GMT
Location: http://redacted.site.io/statements
Server: nginx/1.6.2 (Ubuntu)
Set-Cookie:
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
#Request for /statements
#request
GET /statements HTTP/1.1redacted.site.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://redacted.site.io/login/challenge
Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
Connection: keep-alive
#response
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html;charset=utf-8
Date: Tue, 03 Feb 2015 10:50:03 GMT
Location: http://redacted.site.io/login
Server: nginx/1.6.2 (Ubuntu)
Set-Cookie:
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
##Redirect
GET /login HTTP/1.1redacted.site.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://boyle.fern.io/login/challenge
Cookie: ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
Connection: keep-alive
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Date: Tue, 03 Feb 2015 11:02:06 GMT
Server: nginx/1.6.2 (Ubuntu)
Set-Cookie:
ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3; path=/;
expires=Tue, 03 Feb 2015 11:07:06 -0000; HttpOnly
Transfer-Encoding: chunked
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
Kind Regards,
Rory
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 30 January 2015 17:18
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Rory,
On 1/30/15 11:01 AM, Rory Kelly wrote:
> I apologise in advance if the formatting is absolutely terrible.
Actually, it was totally readable ;)
>> Are you using cookies for session-tracking?
>
>> Can you watch the HTTP conversation to see what's being sent back and
>> forth during that workflow? LiveHttpHeaders is great for Firefox, and
>> these days Chrome, Firefox, and IE have something similar built-into
>> them.
>
>> From the looks of it, the cookie is storing the session ID.
> Server - nginx/1.6.2 (Ubuntu) Date - Fri, 30 Jan 2015 15:52:35 GMT
> Content-Type - text/html;charset=utf-8 Transfer-Encoding - chunked
> Connection - keep-alive Cache-Control - no-cache, no-store,
> must-revalidate, max-age=0 X-XSS-Protection - 1; mode=block
> x-content-type-options - nosniff x-frame-options - SAMEORIGIN
> Set-Cookie -
> ib=da7f36e0f53827383a262940d2f75fcef8bbb32b57bd3fced7149ae6a8bf4e3a;
> path=/; expires=Fri, 30 Jan 2015 15:57:35 -0000; HttpOnly
> Content-Encoding - gzip Everything in the HTTP requests seem fine,
> except the response from my POST at the Challenge point, where,
> instead of a 200, I'm receiving a 302. This is what tipped me off that
> it was the session that was causing the issue.
This is only one response from the server, and it's not clear what the
request was. Can you post:
1. Request to protected resource (and response) 2. Request to login page
(and response) 3. Request which is the submission of the login form (and
response) ... and it sounds like here is where the session is lost 4. The
next request, which evidently has lost the session (and response)
>> field... or at least whatever your clients DNS will resolve to your
>> server. That may actually be "virtual1" but I just thought I'd
>> mention it. It shouldn't have any >bearing on the session-handling,
>> unless your web application switches hostnames by telling a client
>> requesting "virtual1" that it should redirect to >"testsitex.site.io"
>> or vice-versa.
>
> I went ahead and changed this as well, as it does seem like a good
> practice to use.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJUy7ysAAoJEBzwKT+lPKRYvhIQAKyd2NgVsXPYh83RfvEGneW2
jKvc1BwRZMntweaFFX8mJ8jih+eLncTZlYo2OyqyUGYfiZS54us+yjUh11UmAVZx
Qpb9nGDL2YRnM5yTyyYxW2FRXzzwexIvIkGj9w/DoBbiNh8PMWhZxTKXX/X9xsqL
pPJrRxufz7bIzwLmfk3zxwwRXLtip5nhU+EHOOPn0rIs3w6kt7C87D/oLnLp/MOc
sfLTcNy/espidpAs2O4KNtrCYZ4Ou8+EoW+KKBYyAtlmd4kQgPG5tPfSR/2FM0Ji
mk+mfnJ3eoYcjeIapmLajvZ10zrNWSsrlmxdo0KTnxss9cnZ7C/lKmdy2HsS3bYF
Hm1i30GTtvZRLgEZjpinGRck+4QDZSuSLwNdirbex7oSzyxC88UviRvPjMq+bvcR
wfbFYuE6GplSKKmWWj3a4slcdEsXEguvtVPCHdSBmn5/lWxbTRmw68khKV8yhzbQ
hO5eQoErK0ZoijmwxNSjZRcxJMPpgPzN+JtH8Rq/4L19JAdEqJCvWOPU86/iqr1i
uebkQCDYYXyAtrTClcB8vJ5kiBHfcYuy11O8uPQvv097QFEMHXbimYTmgDlPBYDz
vtRHAdirjm7393Lp8ko9cn4yeFlsyVHJocbMWADWIB+1cpDfGfDPA0dFwqE2HU4b
IMuJLhaHW22aHIn5OIHu
=KoLf
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Session being dropped in Virtual Host in 8.0.9
Posted by Rory Kelly <ro...@fernsoftware.com>.
Hi Konstantin,
>1) Does the above Location header names the same web site? If you are
>redirected to a different site, the browser will use a different set of
>cookies for it (as you >Set-Cookie headers do not set domain for the
>cookie, and thus it is limited to a single site).
Yeah, it's all contained in a single site, on a single WAR, for now.
>> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
>> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
>2) Is "ib" you session cookie? Is it created by Tomcat (just with a
>different cookie name), or by something else?
"ib" is getting set by Rack. I've tried the same WAR on my Windows machine,
and it works fine. The only difference between the two instances is the
environment (Single Host Tomcat 8.0.9 on Windows from Apache's website vs. a
Virtual Host Tomcat 8.0.9 on Ubuntu installed through apt-get.
>(CVE-2013-2067)
>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.33
Hmm, from this, I'm assuming my cookie should be changing for each POST
request. That doesn't seem to be happening on either environment. Could this
be my issue?
>> Referer: http://trythatagain.redacted.io/login/challenge
>5) Leaking a site name....
Bah. The copy-replace apparently ignores chunks of text. Wonderful.
(Should I be removing the original message from my replies, to avoid
cluttering?)
Kind Regards,
Rory
-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
Sent: 03 February 2015 12:52
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9
2015-02-03 14:04 GMT+03:00 Rory Kelly <ro...@fernsoftware.com>:
> Hi Chris,
>
> Sorry for the late reply, I wound up working from home yesterday, and
> access to the server was less than ideal I'm just gonna dump the
> Headers from the login get, through to when it dumps me back out at
> the login.
>
> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login
1) Does the above Location header names the same web site? If you are
redirected to a different site, the browser will use a different set of
cookies for it (as you Set-Cookie headers do not set domain for the cookie,
and thus it is limited to a single site).
> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
2) Is "ib" you session cookie? Is it created by Tomcat (just with a
different cookie name), or by something else?
3) Generally I would expect a cookie change when a FORM challenge is issued,
but the Set-Cookie header has the same cookie value as before. Thus my guess
of a different site name.
4) Is the time value correct? Is client's clock correct?
Comparing the Date header in the response and the cookie, it is valid for 5
minutes only.
If client's clock is wrong, it may expire the cookie earlier than in 5
minutes.
5) Leaking a site name....
> Cookie:
> ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
> Connection: keep-alive
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Session being dropped in Virtual Host in 8.0.9
Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-02-03 14:04 GMT+03:00 Rory Kelly <ro...@fernsoftware.com>:
> Hi Chris,
>
> Sorry for the late reply, I wound up working from home yesterday, and access
> to the server was less than ideal
> I'm just gonna dump the Headers from the login get, through to when it dumps
> me back out at the login.
>
> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login
1) Does the above Location header names the same web site? If you are
redirected to a different site, the browser will use a different set
of cookies for it (as you Set-Cookie headers do not set domain for the
cookie, and thus it is limited to a single site).
> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
> expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
2) Is "ib" you session cookie? Is it created by Tomcat (just with a
different cookie name), or by something else?
3) Generally I would expect a cookie change when a FORM challenge is issued,
but the Set-Cookie header has the same cookie value as before. Thus my
guess of a different site name.
(CVE-2013-2067)
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.33
4) Is the time value correct? Is client's clock correct?
Comparing the Date header in the response and the cookie, it is valid
for 5 minutes only.
If client's clock is wrong, it may expire the cookie earlier than in 5 minutes.
> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> ##Redirect
> GET /login HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://boyle.fern.io/login/challenge
5) Leaking a site name....
> Cookie: ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
> Connection: keep-alive
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Session being dropped in Virtual Host in 8.0.9
Posted by Hassan Schroeder <ha...@gmail.com>.
Late to this party :-)
On Wed, Feb 4, 2015 at 2:03 AM, Rory Kelly <ro...@fernsoftware.com> wrote:
> Rack is a bundle of fun, since this application is a Jruby application,
> which is being converted into a Java application to run on Tomcat. That's a
> whole other can of worms :)
I've only run Rails apps out of Tomcat (as WAR files), not Sinatra/
Padrino, but --
1) Have you tried (non-WAR) using trinidad (embedded Tomcat)?
2) Can you make a simple example WAR available that duplicates
the issue?
--
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
http://about.me/hassanschroeder
twitter: @hassan
Consulting Availability : Silicon Valley or remote
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Session being dropped in Virtual Host in 8.0.9
Posted by Rory Kelly <ro...@fernsoftware.com>.
Hi Chris,
They all have a keep-alive, already.
>I don't see a single session id in any of those requests, other than
>the "ib" token you said is generated by "the rack" (a load-balancer?).
>Are you sure you have any session at all?
Yes, I have this working in a Windows environment, and it requires a session
as well.
Rack is a bundle of fun, since this application is a Jruby application,
which is being converted into a Java application to run on Tomcat. That's a
whole other can of worms :)
On another note, I'm currently trying to search and see if there's anywhere
that Tomcat writes to that might be causing a permissions error in the linux
environment. Finding info on this is proving to be a bit...difficult,
though.
Kind Regards,
Rory
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 03 February 2015 20:40
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Rory,
On 2/3/15 6:04 AM, Rory Kelly wrote:
> Sorry for the late reply, I wound up working from home yesterday, and
> access to the server was less than ideal I'm just gonna dump the
> Headers from the login get, through to when it dumps me back out at
> the login.
>
> ##Login
>
> #request POST /login HTTP/1.1redacted.site.io User-Agent:
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0 Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
>
>
Connection: keep-alive
>
> #response HTTP/1.1 200 OK Cache-Control: no-cache, no-store,
> must-revalidate, max-age=0 Connection: keep-alive Content-Length:
> 0 Content-Type: text/html;charset=utf-8 Date: Tue, 03 Feb 2015
> 10:52:07 GMT Location: http://redacted.site.io/login/challenge
> Server: nginx/1.6.2 (Ubuntu) Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:57:07 -0000; HttpOnly
> X-XSS-Protection: 1; mode=block x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> #request GET /login/challenge HTTP/1.1redacted.sitename.io
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> en-US,en;q=0.5 gzip, deflate http://redacted.sitename.io/login
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
>
>
keep-alive
>
> #response HTTP/1.1 200 OK nginx/1.6.2 (Ubuntu) Tue, 03 Feb 2015
> 10:47:37 GMT text/html;charset=utf-8 chunked keep-alive no-cache,
> no-store, must-revalidate, max-age=0 1; mode=block nosniff
> SAMEORIGIN
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:52:37 -0000; HttpOnly gzip
>
>
> ##Challenge
>
> #request POST /login/challenge HTTP/1.1redacted.site.io User-Agent:
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0 Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login/challenge Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
>
>
Connection: keep-alive
>
> #response HTTP/1.1 200 OK Cache-Control: no-cache, no-store,
> must-revalidate, max-age=0 Connection: keep-alive Content-Length:
> 0 Content-Type: text/html;charset=utf-8 Date: Tue, 03 Feb 2015
> 10:50:03 GMT Location: http://redacted.site.io/statements Server:
> nginx/1.6.2 (Ubuntu) Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
> X-XSS-Protection: 1; mode=block x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> #Request for /statements #request GET /statements
> HTTP/1.1redacted.site.io User-Agent: Mozilla/5.0 (Windows NT 6.1;
> WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login/challenge Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
>
>
Connection: keep-alive
>
> #response HTTP/1.1 302 Found Cache-Control: no-cache, no-store,
> must-revalidate, max-age=0 Connection: keep-alive Content-Length:
> 0 Content-Type: text/html;charset=utf-8 Date: Tue, 03 Feb 2015
> 10:50:03 GMT Location: http://redacted.site.io/login Server:
> nginx/1.6.2 (Ubuntu) Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
> X-XSS-Protection: 1; mode=block x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> ##Redirect GET /login HTTP/1.1redacted.site.io User-Agent:
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0 Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
> Referer: http://boyle.fern.io/login/challenge Cookie:
> ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
>
>
Connection: keep-alive
>
> HTTP/1.1 200 OK Cache-Control: no-cache, no-store, must-revalidate,
> max-age=0 Connection: keep-alive Content-Encoding: gzip
> Content-Type: text/html;charset=utf-8 Date: Tue, 03 Feb 2015
> 11:02:06 GMT Server: nginx/1.6.2 (Ubuntu) Set-Cookie:
> ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3;
> path=/; expires=Tue, 03 Feb 2015 11:07:06 -0000; HttpOnly
> Transfer-Encoding: chunked X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff x-frame-options: SAMEORIGIN
I don't see a single session id in any of those requests, other than
the "ib" token you said is generated by "the rack" (a load-balancer?).
Are you sure you have any session at all?
- -chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Session being dropped in Virtual Host in 8.0.9
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Rory,
On 2/3/15 6:04 AM, Rory Kelly wrote:
> Sorry for the late reply, I wound up working from home yesterday,
> and access to the server was less than ideal I'm just gonna dump
> the Headers from the login get, through to when it dumps me back
> out at the login.
>
> ##Login
>
> #request POST /login HTTP/1.1redacted.site.io User-Agent:
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0 Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
>
>
Connection: keep-alive
>
> #response HTTP/1.1 200 OK Cache-Control: no-cache, no-store,
> must-revalidate, max-age=0 Connection: keep-alive Content-Length:
> 0 Content-Type: text/html;charset=utf-8 Date: Tue, 03 Feb 2015
> 10:52:07 GMT Location: http://redacted.site.io/login/challenge
> Server: nginx/1.6.2 (Ubuntu) Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:57:07 -0000; HttpOnly
> X-XSS-Protection: 1; mode=block x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> #request GET /login/challenge HTTP/1.1redacted.sitename.io
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> en-US,en;q=0.5 gzip, deflate http://redacted.sitename.io/login
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
>
>
keep-alive
>
> #response HTTP/1.1 200 OK nginx/1.6.2 (Ubuntu) Tue, 03 Feb 2015
> 10:47:37 GMT text/html;charset=utf-8 chunked keep-alive no-cache,
> no-store, must-revalidate, max-age=0 1; mode=block nosniff
> SAMEORIGIN
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:52:37 -0000; HttpOnly gzip
>
>
> ##Challenge
>
> #request POST /login/challenge HTTP/1.1redacted.site.io User-Agent:
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0 Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login/challenge Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
>
>
Connection: keep-alive
>
> #response HTTP/1.1 200 OK Cache-Control: no-cache, no-store,
> must-revalidate, max-age=0 Connection: keep-alive Content-Length:
> 0 Content-Type: text/html;charset=utf-8 Date: Tue, 03 Feb 2015
> 10:50:03 GMT Location: http://redacted.site.io/statements Server:
> nginx/1.6.2 (Ubuntu) Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
> X-XSS-Protection: 1; mode=block x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> #Request for /statements #request GET /statements
> HTTP/1.1redacted.site.io User-Agent: Mozilla/5.0 (Windows NT 6.1;
> WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login/challenge Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
>
>
Connection: keep-alive
>
> #response HTTP/1.1 302 Found Cache-Control: no-cache, no-store,
> must-revalidate, max-age=0 Connection: keep-alive Content-Length:
> 0 Content-Type: text/html;charset=utf-8 Date: Tue, 03 Feb 2015
> 10:50:03 GMT Location: http://redacted.site.io/login Server:
> nginx/1.6.2 (Ubuntu) Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
> X-XSS-Protection: 1; mode=block x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> ##Redirect GET /login HTTP/1.1redacted.site.io User-Agent:
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0 Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
> Referer: http://boyle.fern.io/login/challenge Cookie:
> ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
>
>
Connection: keep-alive
>
> HTTP/1.1 200 OK Cache-Control: no-cache, no-store, must-revalidate,
> max-age=0 Connection: keep-alive Content-Encoding: gzip
> Content-Type: text/html;charset=utf-8 Date: Tue, 03 Feb 2015
> 11:02:06 GMT Server: nginx/1.6.2 (Ubuntu) Set-Cookie:
> ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3;
> path=/; expires=Tue, 03 Feb 2015 11:07:06 -0000; HttpOnly
> Transfer-Encoding: chunked X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff x-frame-options: SAMEORIGIN
I don't see a single session id in any of those requests, other than
the "ib" token you said is generated by "the rack" (a load-balancer?).
Are you sure you have any session at all?
- -chris
> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: 30 January 2015 17:18
> To: Tomcat Users List Subject: Re: Session being dropped in Virtual
> Host in 8.0.9
>
> Rory,
>
> On 1/30/15 11:01 AM, Rory Kelly wrote:
>> I apologise in advance if the formatting is absolutely terrible.
>
> Actually, it was totally readable ;)
>
>>> Are you using cookies for session-tracking?
>
>>> Can you watch the HTTP conversation to see what's being sent
>>> back and forth during that workflow? LiveHttpHeaders is great
>>> for Firefox, and these days Chrome, Firefox, and IE have
>>> something similar built-into them.
>
>>> From the looks of it, the cookie is storing the session ID.
>> Server - nginx/1.6.2 (Ubuntu) Date - Fri, 30 Jan 2015 15:52:35
>> GMT Content-Type - text/html;charset=utf-8 Transfer-Encoding -
>> chunked Connection - keep-alive Cache-Control - no-cache,
>> no-store, must-revalidate, max-age=0 X-XSS-Protection - 1;
>> mode=block x-content-type-options - nosniff x-frame-options -
>> SAMEORIGIN Set-Cookie -
>> ib=da7f36e0f53827383a262940d2f75fcef8bbb32b57bd3fced7149ae6a8bf4e3a;
>>
>>
path=/; expires=Fri, 30 Jan 2015 15:57:35 -0000; HttpOnly
>> Content-Encoding - gzip Everything in the HTTP requests seem
>> fine, except the response from my POST at the Challenge point,
>> where, instead of a 200, I'm receiving a 302. This is what tipped
>> me off that it was the session that was causing the issue.
>
> This is only one response from the server, and it's not clear what
> the request was. Can you post:
>
> 1. Request to protected resource (and response) 2. Request to login
> page (and response) 3. Request which is the submission of the login
> form (and response) ... and it sounds like here is where the
> session is lost 4. The next request, which evidently has lost the
> session (and response)
>
>>> field... or at least whatever your clients DNS will resolve to
>>> your server. That may actually be "virtual1" but I just thought
>>> I'd mention it. It shouldn't have any >bearing on the
>>> session-handling, unless your web application switches
>>> hostnames by telling a client requesting "virtual1" that it
>>> should redirect to >"testsitex.site.io" or vice-versa.
>
>> I went ahead and changed this as well, as it does seem like a
>> good practice to use.
>
> -chris
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJU0TIaAAoJEBzwKT+lPKRYq2UQAJ+wVdwYnoDQTYNEe71M+0/5
u9w9pnJioaUlXOitdv9OF31a7chJzAyZ90iWd1R1y3yGd9lkgsUfyNeZqxF2QoBO
JMv/kXlN4anGEy88UXOPDqjlu54D3d2s+qp+Q9pH9tB6TgkMwmtU4nosiZ3m4BoJ
r+t055/bQrU1Ou+cAeevfYZcjSO8MzYhbdetwd8wXj7rQFrev/mYKgjzO0MsHW7j
eZ8oOcsRX/NjaUBtwrUTtr/h8qB91veO79z+ZgMtzV8gr9nB/rEM+fevFxZsu6Zs
5LOVdYq3iM7RvazSA0CPmIGDvF44c5LnCAKmxS1RXmizgV6j0xUqLZZaM9/+DOvn
bUVr2+/ASClD8Hd6ep4Ra6LwJBi1rik2fNsmwgu3Cz3zpTR37NvEYuDEMkyTsAgk
qiJKDwQ67iRJ5U8NvpTPrbNxwzJMsfJbpgeuZPQmg6wEpiIZyHSwOrKH3WRdC1aJ
wrBouIeVCvg4uTuu5KOq3GXKZ1B3ZTt7hsZXW1wXnK1UH21i1vz5rxXujjLqFr5d
xXRbzrEdFltw7NeW6yWvLTwV3ht5Wp/i/LMdLGzH48V+bs3AqoLOqGexaUmJh2TZ
rBGsaN88hAkb3Imq573Zn9aFqziSykvg7QqjJsd+5cO9ztUTYCYiEWl27o+Dq9kn
NF2OXRX75t35UiAUwQP+
=wvkr
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org