You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Jonathan Kushner <JK...@npr.org> on 2008/11/24 19:33:23 UTC
Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Tomcat Users:
I'm working with a current session identity issue between separate browser instances, and have decided that the most plausible solution is to reconfigure tomcat to auto-append the JSESSION ID at the end of each URL. The only problem is, our system administrator cannot seem to dig up this information over the internet. I have not dug deep into the issue, but I trust his judgment, and thought I would send a note to the subscription line to see if anyone is familiar with the server.xml configuration change that needs to occur to enable this feature.
I appreciate the assistance and apologize for any inconvenience.
Regards,
Jonathan
RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Jonathan Kushner [mailto:JKushner@npr.org]
> Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
>
> I'm currently working on a Seamus Issue which disallows the
> user from operating on separate session namespaces within the
> same browser instance. For example, when a user instantiates
> a new tab and loads a separate story, the second story will
> overwrite the first since we have no measure to separate
> these separate tabular "sessions".
Sounds like you really need to be tracking the information via something other than a Session. Playing with JSESSIONID is a stop-gap at best, and likely not a full solution. Perhaps you can use some token embedded in each tab or web page as a key to a HashTable that tracks the information you need.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Posted by Jonathan Kushner <JK...@npr.org>.
Ok, I was wrong. I am reading up on it now and it apparently only disables the session cookie, which might be what I'm seeking. Thanks for the help.
- Jonathan
-----Original Message-----
From: Jonathan Kushner [mailto:JKushner@npr.org]
Sent: Monday, November 24, 2008 2:44 PM
To: Tomcat Users List
Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Sorry - forgot to mention. We are using cookies in various places to track different actions, so disabling cookies cannot be taken into account. Thanks for the technique though.
-----Original Message-----
From: Jonathan Kushner [mailto:JKushner@npr.org]
Sent: Monday, November 24, 2008 2:40 PM
To: Tomcat Users List
Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
I will forward your response about upgrading tomcat to the appropriate team, however we are only using tomcat internally so I do not believe it's a major concern. In regards to the current issue, I'm at lost on the appropriate measures to take. Here's my original email which was sent to the system administrator. Maybe you can take a gander at it and help me understand a better approach to take without modifying the codebase:
--- START ---
I'm currently working on a Seamus Issue which disallows the user from operating on separate session namespaces within the same browser instance. For example, when a user instantiates a new tab and loads a separate story, the second story will overwrite the first since we have no measure to separate these separate tabular "sessions". This effect (untested on my end) should cascade from the original parent to the last child instance, being that each load will just overwrite the current data container. There are a couple different methods to handle this; however the easiest approach would be to modify the tomcat configuration to append the JSESSION Cookie Id to the URL String. By doing this, we could then create a separate namespace for each distinct tab-load, and essentially delegate out the data to each specific session namespace. The downside to this is that because it's a full system change, it will most likely require a full regression test.
We are seeking alternate approaches within the code-base, however if this approach seems manageable, it seems to be the most feasible method. What are your feelings on this?
--- END ---
Thanks for the help.
- Jonathan
-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Monday, November 24, 2008 2:14 PM
To: Tomcat Users List
Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
> From: Jonathan Kushner [mailto:JKushner@npr.org]
> Subject: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
If you're really running on 5.5.2, you need to move up - ASAP. Lots and lots of fixes, including security-related ones, have gone in since that version was released over four years ago.
> I'm working with a current session identity issue between
> separate browser instances, and have decided that the most
> plausible solution is to reconfigure tomcat to auto-append
> the JSESSION ID at the end of each URL.
You will at least need to disable cookies:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html%20Attributes
Beyond that, I'm not aware of any automatic way of appending JSESSIONID; your webapp has to participate. Look at this message for one such technique:
http://marc.info/?l=tomcat-user&m=117583468505179&w=2
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Posted by Jonathan Kushner <JK...@npr.org>.
Sorry - forgot to mention. We are using cookies in various places to track different actions, so disabling cookies cannot be taken into account. Thanks for the technique though.
-----Original Message-----
From: Jonathan Kushner [mailto:JKushner@npr.org]
Sent: Monday, November 24, 2008 2:40 PM
To: Tomcat Users List
Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
I will forward your response about upgrading tomcat to the appropriate team, however we are only using tomcat internally so I do not believe it's a major concern. In regards to the current issue, I'm at lost on the appropriate measures to take. Here's my original email which was sent to the system administrator. Maybe you can take a gander at it and help me understand a better approach to take without modifying the codebase:
--- START ---
I'm currently working on a Seamus Issue which disallows the user from operating on separate session namespaces within the same browser instance. For example, when a user instantiates a new tab and loads a separate story, the second story will overwrite the first since we have no measure to separate these separate tabular "sessions". This effect (untested on my end) should cascade from the original parent to the last child instance, being that each load will just overwrite the current data container. There are a couple different methods to handle this; however the easiest approach would be to modify the tomcat configuration to append the JSESSION Cookie Id to the URL String. By doing this, we could then create a separate namespace for each distinct tab-load, and essentially delegate out the data to each specific session namespace. The downside to this is that because it's a full system change, it will most likely require a full regression test.
We are seeking alternate approaches within the code-base, however if this approach seems manageable, it seems to be the most feasible method. What are your feelings on this?
--- END ---
Thanks for the help.
- Jonathan
-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Monday, November 24, 2008 2:14 PM
To: Tomcat Users List
Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
> From: Jonathan Kushner [mailto:JKushner@npr.org]
> Subject: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
If you're really running on 5.5.2, you need to move up - ASAP. Lots and lots of fixes, including security-related ones, have gone in since that version was released over four years ago.
> I'm working with a current session identity issue between
> separate browser instances, and have decided that the most
> plausible solution is to reconfigure tomcat to auto-append
> the JSESSION ID at the end of each URL.
You will at least need to disable cookies:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html%20Attributes
Beyond that, I'm not aware of any automatic way of appending JSESSIONID; your webapp has to participate. Look at this message for one such technique:
http://marc.info/?l=tomcat-user&m=117583468505179&w=2
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Posted by Jonathan Kushner <JK...@npr.org>.
I will forward your response about upgrading tomcat to the appropriate team, however we are only using tomcat internally so I do not believe it's a major concern. In regards to the current issue, I'm at lost on the appropriate measures to take. Here's my original email which was sent to the system administrator. Maybe you can take a gander at it and help me understand a better approach to take without modifying the codebase:
--- START ---
I'm currently working on a Seamus Issue which disallows the user from operating on separate session namespaces within the same browser instance. For example, when a user instantiates a new tab and loads a separate story, the second story will overwrite the first since we have no measure to separate these separate tabular "sessions". This effect (untested on my end) should cascade from the original parent to the last child instance, being that each load will just overwrite the current data container. There are a couple different methods to handle this; however the easiest approach would be to modify the tomcat configuration to append the JSESSION Cookie Id to the URL String. By doing this, we could then create a separate namespace for each distinct tab-load, and essentially delegate out the data to each specific session namespace. The downside to this is that because it's a full system change, it will most likely require a full regression test.
We are seeking alternate approaches within the code-base, however if this approach seems manageable, it seems to be the most feasible method. What are your feelings on this?
--- END ---
Thanks for the help.
- Jonathan
-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Monday, November 24, 2008 2:14 PM
To: Tomcat Users List
Subject: RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
> From: Jonathan Kushner [mailto:JKushner@npr.org]
> Subject: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
If you're really running on 5.5.2, you need to move up - ASAP. Lots and lots of fixes, including security-related ones, have gone in since that version was released over four years ago.
> I'm working with a current session identity issue between
> separate browser instances, and have decided that the most
> plausible solution is to reconfigure tomcat to auto-append
> the JSESSION ID at the end of each URL.
You will at least need to disable cookies:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html%20Attributes
Beyond that, I'm not aware of any automatic way of appending JSESSIONID; your webapp has to participate. Look at this message for one such technique:
http://marc.info/?l=tomcat-user&m=117583468505179&w=2
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Jonathan Kushner [mailto:JKushner@npr.org]
> Subject: Tomcat 5.5.2 Configurations for JSESSION ID Cookie Append
If you're really running on 5.5.2, you need to move up - ASAP. Lots and lots of fixes, including security-related ones, have gone in since that version was released over four years ago.
> I'm working with a current session identity issue between
> separate browser instances, and have decided that the most
> plausible solution is to reconfigure tomcat to auto-append
> the JSESSION ID at the end of each URL.
You will at least need to disable cookies:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html%20Attributes
Beyond that, I'm not aware of any automatic way of appending JSESSIONID; your webapp has to participate. Look at this message for one such technique:
http://marc.info/?l=tomcat-user&m=117583468505179&w=2
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org