Posted to users@tomcat.apache.org by gautam <ga...@applabs.net> on 2002/10/03 14:40:26 UTC

JSession ID in address bar

Hello,

I am using form based authentication for my application (Tomcat 4.0.5, JDK
1.4, Win2K). I have tomcat configured to use SSL. Everything works fine.
However, I keep getting the jsessionid value in the address bar. This
happens for the first page only. It does not appear for subsequent pages
(regardless of authentication result). I am using IE 6.0.

https://localhost:8553/mywebapp/logon.jsp;jsessionid=E752F79F89D3423A1BEBB4D4F2802D60

I am accessing the web app by : https://localhost:8553/mywebapp/

Web XML snippet :
------------------
<!-- entry page; note that it is itself matched by the *.jsp constraint below -->
<welcome-file-list><welcome-file>/jsp/index.jsp</welcome-file></welcome-file-list>

<security-constraint>
	<web-resource-collection>
		<web-resource-name>Secure Area</web-resource-name>
		<url-pattern>*.jsp</url-pattern>
		<url-pattern>*.ma</url-pattern>
	</web-resource-collection>
	<!-- any authenticated user -->
	<auth-constraint><role-name>*</role-name></auth-constraint>
	<!-- require HTTPS for the resources above -->
	<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>

<login-config>
	<auth-method>FORM</auth-method>
	<form-login-config>
		<form-login-page>/logon.jsp</form-login-page>
		<form-error-page>/fail_logon.jsp</form-error-page>
	</form-login-config>
</login-config>

<security-role><role-name>*</role-name></security-role>

Logon.jsp snippet :
------------------
<form method="POST" action='<%= response.encodeURL("j_security_check") %>'>

<table border="1" cellspacing="0" width="250" cellpadding="0"
bgcolor="#FFF8DC"><tr><td colspan="2">&nbsp;</td></tr>
<tr><td width="50%" valign="middle" align="right"><font
color="#000000"><b>User Id:</b></font>&nbsp;</td><td width="50%"
valign="middle" align="center"><p>&nbsp;

<input type="text" name="j_username" size="16" maxlength="16">

</p></td></tr><tr><td width="50%" valign="middle" align="right"><b><font
color="#000000">Password:</font></b> </td><td width="50%" valign="middle"
align="center">&nbsp;

<input type="password" name="j_password" size="16" maxlength="16">

</td></tr><tr><td width="50%" valign="middle" align="right">&nbsp;</td><td
width="50%" valign="middle" align="center">

<input type="submit" name="logon_submit" value="Login"/>

</td></tr></table>

</form>

fail_logon.jsp snippet :
---------------------
<table width="100%">
  <tr><td align="left">Unable to login. <a href='<%=
response.encodeURL("logon.jsp") %>'>Please try again.</a></td></tr>
</table>

My index.jsp page just has normal HREFs in it. No Java code.

What is happening ? How do I correct this ?

Regards,

Gautam S


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: JSession ID in address bar

Posted by gautam <ga...@applabs.net>.
Thanks a ton ! It works.

Regards,

Gautam S

-----Original Message-----
From: news [mailto:news@main.gmane.org]On Behalf Of Bill Barker
Sent: Friday, October 04, 2002 11:15 AM
To: tomcat-user@jakarta.apache.org
Subject: Re: JSession ID in address bar


Assuming that you are using "best practices", the jsessionid can't be
snooped on an SSL connection.  However, on the first access to the protected
page, Tomcat has no idea if your browser supports Cookies or not.  The only
safe access after authentication is to do URLEncoding.  To remove this, you
need to provide a welcome servlet to your web-app that isn't password
protected, and that requests a session.  After this, Tomcat will get its
Cookie and be happy.



Re: JSession ID in address bar

Posted by Bill Barker <re...@verizon.net>.
Assuming that you are using "best practices", the jsessionid can't be
snooped on an SSL connection.  However, on the first access to the protected
page, Tomcat has no idea if your browser supports Cookies or not.  The only
safe access after authentication is to do URLEncoding.  To remove this, you
need to provide a welcome servlet to your web-app that isn't password
protected, and that requests a session.  After this, Tomcat will get its
Cookie and be happy.

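The fix Bill describes, written out as an added example (this is editorial code, not code from the thread or from Tomcat): an unprotected servlet that creates the session on a URL the *.jsp and *.ma constraints do not cover, then checks on a second hop whether the browser actually returned the JSESSIONID cookie before sending the user on to the protected page. It is worth doing even over SSL, because a session ID carried in the URL also lands in browser history, in server and proxy access logs, and in the Referer header of any off-site link, none of which TLS protects. The servlet name, the /welcome mapping and the "probe" query parameter are my assumptions; the context path /mywebapp and the entry page /jsp/index.jsp come from the poster's web.xml. The code targets the javax.servlet API that Tomcat 4 ships.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Unprotected entry point that makes the browser prove it returns the
 * JSESSIONID cookie before any protected page is rendered.
 *
 * Register it in web.xml OUTSIDE the *.jsp / *.ma security constraints
 * (servlet name and /welcome mapping are assumptions, not from the thread):
 *
 *   <servlet>
 *     <servlet-name>welcome</servlet-name>
 *     <servlet-class>WelcomeServlet</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>welcome</servlet-name>
 *     <url-pattern>/welcome</url-pattern>
 *   </servlet-mapping>
 *
 * and link users to https://localhost:8553/mywebapp/welcome instead of
 * straight to a .jsp.
 */
public class WelcomeServlet extends HttpServlet {

    /** Protected page the user really wants (the poster's welcome-file). */
    private static final String PROTECTED_ENTRY = "/jsp/index.jsp";

    /** Query parameter marking the second leg of the cookie probe (assumed name). */
    private static final String PROBE_PARAM = "probe";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Creating the session here, on an unconstrained URL, is what makes
        // Tomcat emit "Set-Cookie: JSESSIONID=..." before authentication starts.
        req.getSession(true);

        String target = req.getContextPath() + PROTECTED_ENTRY;

        if (req.isRequestedSessionIdFromCookie()) {
            // The browser sent the cookie back: Tomcat now knows cookies work,
            // so encodeRedirectURL() returns the URL unchanged and no
            // ;jsessionid reaches the address bar, the Referer or the access log.
            resp.sendRedirect(resp.encodeRedirectURL(target));
            return;
        }

        if (req.getParameter(PROBE_PARAM) == null) {
            // First visit: we cannot yet tell whether cookies are enabled.
            // Bounce once to ourselves with a plain, un-rewritten URL so the
            // only way the session can survive the hop is via the cookie.
            resp.sendRedirect(req.getContextPath() + req.getServletPath()
                    + "?" + PROBE_PARAM + "=1");
            return;
        }

        // Second visit and still no cookie: the client really has cookies off.
        // Fall back to URL rewriting deliberately (the jsessionid in the URL is
        // then the only way to keep the form-login flow working) rather than
        // redirecting to ourselves forever.
        resp.sendRedirect(resp.encodeRedirectURL(target));
    }
}
```

Two caveats for anyone applying this on a newer container. On Servlet 3.0 and later (Tomcat 7 onwards) the probe is unnecessary: declaring <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml turns URL rewriting off entirely, which is the better answer where it is available. And because this pattern hands out a session ID before the user authenticates, the ID should be rotated at login to rule out session fixation; later Tomcat authenticators do that by default (the changeSessionIdOnAuthentication attribute), but Tomcat 4 does not, so on that version it is something to check rather than assume.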