Posted to dev@tomcat.apache.org by Mark Lane <Ma...@XIAM.com> on 2001/03/21 16:45:00 UTC

Tomcat - Ghost/Rogue Sessions

Here's the scenario ...

We have a JSP/Servlet application - The JSPs post requests to the Servlets,
the Servlets do some work and then forward the requests back to the JSPs. We
are also using session tracking.

We are using MS IIS 4.0 & Jakarta Tomcat 3.2.1 (Release Build).


EG ...

Login.jsp
- Displays a user login screen
- Posts the request to LoginServlet


LoginServlet
- Handles the post request (Logs the user in or returns an error)
- Initiates a new session
    HttpSession httpSession = req.getSession( true );

- Forwards the requests to Login.jsp
    rd = this.getServletContext().getRequestDispatcher("/WMLLogin.jsp");
    rd.forward( req, res );


Login.jsp
- Checks for a valid session
    HttpSession httpSession = request.getSession(false);

    if (httpSession != null)
    {
        String sessionID = httpSession.getId();
        ...
        ...
        ...
    }

- Displays a menu or an error (Login error or session error)


However, in some cases the JSP sees a different session than the one created
by the Servlet - Printing the Session ID in the JSP & Servlet shows this
quite clearly ...

The very next attempt works fine - The JSP & Servlet both see/use the same
session and the login attempt is successful. The interesting thing here is
that the Session ID used is the same as what the JSP thought the Session ID
was in the previous attempt ... ???

Is this a bug? If not, then what's wrong???


Regards,


Mark Lane


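The following diagnostic is an added example, not code from the original post or from Tomcat. It records, at each hop, the session ID the client sent next to the ID of the session the container bound to the request, which is the comparison the post makes by printing IDs by hand. The class name SessionTrace and its methods are hypothetical; it assumes the javax.servlet API and is meant to be called from both LoginServlet (after getSession(true)) and the JSP.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not from the post): reports which session ID the
 * client presented and which session the container bound to the request.
 */
public final class SessionTrace {

    private SessionTrace() {}

    /** Builds one log line; 'where' labels the call site, e.g. "LoginServlet". */
    public static String describe(String where, HttpServletRequest req) {
        // ID the client sent (cookie or URL rewriting); null if none was sent.
        String requested = req.getRequestedSessionId();
        // getSession(false) never creates a session, so tracing has no side effects.
        HttpSession session = req.getSession(false);
        String bound = (session == null) ? null : session.getId();

        return where
            + " requested=" + requested
            + " requestedValid=" + req.isRequestedSessionIdValid()
            + " fromCookie=" + req.isRequestedSessionIdFromCookie()
            + " fromURL=" + req.isRequestedSessionIdFromURL()
            + " bound=" + bound
            + " boundIsNew=" + (session != null && session.isNew())
            + " mismatch=" + mismatch(req);
    }

    /** True when the client presented an ID that is not the bound session's ID. */
    public static boolean mismatch(HttpServletRequest req) {
        String requested = req.getRequestedSessionId();
        if (requested == null) {
            return false; // first visit: nothing to compare against
        }
        HttpSession session = req.getSession(false);
        return session == null || !requested.equals(session.getId());
    }
}
```

Writing the returned line with getServletContext().log(...) in both the servlet and the JSP gives two entries per request that can be compared directly: a differing bound value between the two hops of one forwarded request reproduces the symptom described above, and the requested/fromCookie fields show what the client was holding when it happened.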