Posted to dev@tomcat.apache.org by Hans Schmid <Ha...@einsurance.de> on 2001/10/12 11:11:50 UTC

SOLVED was [Tomcat 3.3rc1 and HEAD] Same SessionID delivered to manyclients during session creation ?

Hi everybody,

I was sitting together with our framework guru and we finally found the
problem on our end. We had a Link object that did the URLEncoding which
was re-used in the case described.

I am very sorry to have caused so much confusion but it really looked
serious and I wanted this to be clarified before Tomcat 3.3 goes final.

So please go ahead with releasing RC2.
Many thanks for all of your debugging hints which led us to find our bug.

Keep up the excellent work,
Regards,
Hans



> -----Original Message-----
> From: costinm@covalent.net [mailto:costinm@covalent.net]
> Sent: Thursday, 11 October 2001 22:10
> To: Hans Schmid
> Cc: Tomcat-Dev
> Subject: Re: [Tomcat 3.3rc1 and 3.3rc2] Same SessionID delivered to
> manyclients during session creation ?
>
>
> On Thu, 11 Oct 2001, Hans Schmid wrote:
>
> > Costin,
> >
> > (I'm not subscribed here at work so I have to use an archive)
> >
> >
> > I am experiencing this on Windows2000 SP2 (locally) as well as on
> > Solaris 8
> > Here more details:
> >
> > Thanks for the tip with the debugging set in SessionIdGenerator:
> >
> > Starting Tomcat and requesting 2 Sessions from 2 Browsers as described
>
> Hi Hans,
>
> Is there any caching involved in your servlet ? Can you reproduce the same
> thing with a 'plain' servlet/jsp page that you can send ?
>
> Also, in the jsp, can you do a System.out.println() with the session id (
> and maybe the Session object ) ?
>
> This sounds very strange - it's important to figure out where is the
> first session id stored and why.
>
> Costin
>
>
> > before:
> >
> > 2001-10-11 19:21:57 - Http10Interceptor: Starting on 8080
> > 2001-10-11 19:21:57 - Ajp12Interceptor: Starting on 8007
> > EmbededTomcat: Startup time 60
> > 2001-10-11 19:21:57 - Ajp13Interceptor: Starting on 8009
> > 2001-10-11 19:22:03 - SessionIdGenerator: Created random class java.util.Random
> > 2001-10-11 19:22:03 - SessionIdGenerator: Generate new session id hmwxl5ysd1
> > 2001-10-11 19:22:07 - SessionIdGenerator: Generate new session id slfjsuysf1
> >
> >
> > So we really get 2 different SessionIds!
> >
> > But when I do a 'View Source' on my delivered page (2 times the same
> > entry point)
> > I see the following:
> >
> > First browser (first request I would expect hmwxl5ysd1, the first
> > generated sessionid )
> >
> >
> >       <form name="form1" method="post"
> > action="/einsurance/doShowStartPage.do;jsessionid=hmwxl5ysd1">
> >
> > ^^^^^^^^^^
> > 		<table border="0" cellpadding="0" cellspacing="0" width="100%">
> >         <tbody>
> >           <tr>
> >
> > Superb, correct, but:
> > Second browser (second request sent before first Browser delivered
> > the page:
> >
> >       <form name="form1" method="post"
> > action="/einsurance/doShowStartPage.do;jsessionid=hmwxl5ysd1">
> >
> > ^^^^^^^^^^
> > 		<table border="0" cellpadding="0" cellspacing="0" width="100%">
> >         <tbody>
> >           <tr>
> >
> > And here we have again the first generated sessionid instead of the
> > second one 'slfjsuysf1'!
> >
> > So it seems the SessionIds get generated correctly, but the first one
> > gets delivered to all output.
> > Just doublechecked with 3 Browsers, 2 IE5.5 and 1 Mozilla 0.9.5.
> > Same result:
> > 2001-10-11 19:38:00 - Http10Interceptor: Starting on 8080
> > 2001-10-11 19:38:00 - Ajp12Interceptor: Starting on 8007
> > EmbededTomcat: Startup time 80
> > 2001-10-11 19:38:00 - Ajp13Interceptor: Starting on 8009
> > 2001-10-11 19:38:05 - SessionIdGenerator: Created random class java.util.Random
> > 2001-10-11 19:38:05 - SessionIdGenerator: Generate new session id nah9m4z5q1
> > 2001-10-11 19:38:11 - SessionIdGenerator: Generate new session id ky0rmjz5t1
> > 2001-10-11 19:38:15 - SessionIdGenerator: Generate new session id 351cc3z5v1
> >
> >
> > All three start pages show
> >       <form name="form1" method="post"
> > action="/einsurance/doShowStartPage.do;jsessionid=nah9m4z5q1">
> >
> > always the first generated SessionId.
> >
> >
> > Thanks for looking into this. This is a major thing, I guess
> >
> > Best regards,
> > Hans Schmid
> >
> > einsurance Agency AG
> > Information Technology
> > Bayerstraße 33
> > 80335 München
> >
> > Tel: +49-89-55292- 860
> > Fax: +49-89-55292- 855
> >
> > eMail: Hans.Schmid@einsurance.de
> > http://www.einsurance.de
> >
> >
> >
> > Hi Hans,
> >
> > Could you turn on the debugging on SessionIdGenerator ? Are you using
> > Linux or Solaris ?
> >
> > You should see "Generate new sessionid" for each request - and all
> > session ids to be different. The random generator uses time and ( if
> > available ) /dev/random - I can't see how it would have the same id.
> >
> > Costin
> >
> > On Thu, 11 Oct 2001, Hans Schmid wrote:
> >
> > > Hi developers,
> > >
> > > 1.) First a note about an unanswered observation from the mailing list
> > > archive:
> > > we are experiencing exactly the same behaviour with Tomcat 3.3-rc1
> > > with mod_jk AJP1.3 Apache 1.3.19(Solaris 8 Sparc) when using SSL as
> > > described below.
> > > That's why we had to change to <SessionId cookiesFirst="true"
> > > noCookies="false" />
> > >
> > > 2.)
> > > What we see using  <SessionId cookiesFirst="false" noCookies="true" />
> > > seems to result sometimes in weird behavior in a different area as
> > > well:
> > >
> > > Being in one Browser and entering data may cause this data to be
> > > displayed on a different Browser on a different machine. (Same
> > > Application!)
> > > We can not reproduce this every time but it happens way too often.
> > > This is very critical.
> > >
> > > 3.)
> > > How to reproduce this (may be):
> > >
> > > We see the same sessionid appended to both URLs.
> > > This can be best reproduced by opening 2 Browsers, starting Tomcat and
> > > starting our Webapp in every Browser shortly after the other.
> > > (We are using Toplink which reads a huge XMLDescriptor file the
> > > first time it gets invoked. So we have the chance to start the
> > > request in the second Browser before the first page gets delivered)
> > >
> > > As long as you start the request in the second Browser before the
> > > request in the first Browser was finished (page delivered) you get
> > > the same jsessionid
> > > in the URL or the delivered page
> > >
> > > <form name="form1" method="post"
> > > action="/einsurance/doShowStartPage.do;jsessionid=clkam0vi31">
> > >
> > >
> > >
> > > Using curl tool on solaris we see the following:
> > >
> > > root@zeus[/u/www/INT/einsurance/logs]% curl --help
> > > curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b)
> > > Usage: curl [options...] <url>
> > > Options: (H) means HTTP/HTTPS only, (F) means FTP only
> > > ...
> > >
> > > for i in 1 2 3 4 5 6 7 8 9 10 ; do for j in 1 2 3 4 5 6 7 8 9 10 ; do
> > > curl -s 'http://myserver:8080/einsurance/doEntry.do?pid=ph&b2bid=1&cpid=1' |
> > > grep jsessionid &  done; done > curl.out
> > >
> > >
> > > I would expect a new sessionid delivered for every curl process
> > > requesting our entry page, but see the result:
> > > The same sessionid gets delivered many times  see the lines marked
> > > with <-----
> >
>
>
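
Added illustration, not part of the original thread: one way a reused URL-encoding object can hand the first session's id to later requests, beside a stateless form that cannot. The thread does not show the Link class, so ReusedLink, StatelessLink and Encoder are hypothetical; the path and session ids are the ones in the output quoted above, and the requests are made sequentially to keep the run deterministic.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class SharedLinkDemo {
    interface Encoder { String encode(String sessionId); }

    // Hypothetical helper (the thread does not show the real Link class):
    // one instance serves every request and keeps the first URL it encoded.
    static class ReusedLink implements Encoder {
        private final String path;
        private String encoded; // per-request value held in shared state
        ReusedLink(String path) { this.path = path; }
        public String encode(String sessionId) {
            if (encoded == null) {
                encoded = path + ";jsessionid=" + sessionId;
            }
            return encoded; // later callers get the first caller's id
        }
    }

    // Same helper without stored per-request state; safe to share.
    static class StatelessLink implements Encoder {
        private final String path;
        StatelessLink(String path) { this.path = path; }
        public String encode(String sessionId) {
            return path + ";jsessionid=" + sessionId;
        }
    }

    // Lists every response whose URL carries a session id other than the requester's.
    static List<String> leaked(List<String> sessionIds, Encoder link) {
        List<String> wrong = new ArrayList<>();
        for (String id : sessionIds) {
            String url = link.encode(id);
            if (!url.endsWith(";jsessionid=" + id)) {
                wrong.add("session " + id + " was sent " + url);
            }
        }
        return wrong;
    }

    public static void main(String[] args) {
        String path = "/einsurance/doShowStartPage.do";
        List<String> ids = Arrays.asList("nah9m4z5q1", "ky0rmjz5t1", "351cc3z5v1");
        System.out.println("reused:    " + leaked(ids, new ReusedLink(path)));
        System.out.println("stateless: " + leaked(ids, new StatelessLink(path)));
    }
}
```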