Posted to users@tomcat.apache.org by Horia Muntean <ho...@bvb.ro> on 2002/03/12 14:34:17 UTC
Http Session over SSL
Hello to all.
I have a problem with session tracking when I use secure connections:
This is the scenario:
On the server side, I have Slackware 8.0, with tomcat-4.0.3, apache 1.3.20 and a simple servlet which does only one thing:

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        HttpSession session = request.getSession();
        if(session.isNew()) log("this is a new session:"+session.getId());
        ObjectInputStream in = new ObjectInputStream(request.getInputStream());
        ObjectOutputStream out = new ObjectOutputStream(response.getOutputStream());
        Object message = null;
        try {
            message = in.readObject();
            out.writeObject(message);
            out.flush();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            in.close();
            out.close();
        }
    }

On the client side, I use HttpConnection in order to connect to this servlet:

    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
    String target = "http://myserver/access/AccessServlet";
    HttpURLConnection conn = (HttpURLConnection)new URL(target).openConnection();
    // Send back the session cookie captured from an earlier response, if any.
    if(sessionId != null) {
        conn.setRequestProperty("Cookie", sessionId);
    }
    conn.setDoInput(true);
    conn.setDoOutput(true);
    conn.setUseCaches(false);
    ObjectOutputStream out = new ObjectOutputStream(conn.getOutputStream());
    out.writeObject(null);
    out.flush();
    out.close();
    String cookie = conn.getHeaderField("Set-cookie");
    if (cookie != null) {
        // Keep only the name=value pair; the header may carry no attributes.
        int semicolon = cookie.indexOf(';');
        sessionId = semicolon >= 0 ? cookie.substring(0, semicolon) : cookie;
    }
    ObjectInputStream in = new ObjectInputStream(conn.getInputStream());
    Object response = in.readObject();
    in.close();
    conn.disconnect();

***NOTE: sessionId is a string used to keep a session id once it is returned by the first connection to the server;
If I am using http protocol, everything works fine.
If I use https protocol, the PROBLEM occurs: sometimes, the server instantiates a NEW HttpSession and sends it back to the client even if the request from the client is set up (via conn.setRequestProperty("Cookie", sessionId);) with the right session id.
The problem is happening no matter what kind of connection I use (direct to tomcat configured with a SSL connector, or using apache+mod_ssl+mod_jk ).
The problem appears to depend on the j2se I use on the client side, 'cause if I use j2se1.4.0 the problem disappears (but here I have poor performance - unacceptable - I have to wait 5-6 seconds until I have a response).
The problem stays with j2se1.3.1+jsse1.0.2
IMHO, the catalina container creates a new httpsession if the user connected via https uses a new sslsession. So, I can't overcome this problem, 'cause I can't force the client to use the same sslsession negotiated after the first connection.
Any ideas?
Greetings,
seven
Re: Http Session over SSL - Problem solved by pure luck
Posted by Horia Muntean <ho...@bvb.ro>.
Problem solved by pure luck:
If on the client side, I remove the conn.disconnect(); statement (right
after in.close();) it seems that the ssl client uses the same sslsession
obtained by the first connection and the server does not create new http
sessions.
seven.
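
A server-side check for the behaviour discussed in this thread, as an added example that is not part of either post: a diagnostic servlet that records which session id the client presented and whether the container accepted it, before getSession() can create a new one. SessionDiagServlet, classify and abbreviate are hypothetical names; the code assumes a javax.servlet container, and javax.servlet.request.ssl_session_id is the Servlet 3.0 attribute name, which is null where the container does not set it.

```java
// Added example, not code from the original posts.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionDiagServlet extends HttpServlet {

    // What did the client present, judged before any session is created?
    static String classify(String requestedId, boolean valid, boolean fromCookie) {
        if (requestedId == null) return "NO_ID_SENT";   // no session id reached the container
        if (!valid) return "ID_SENT_BUT_UNKNOWN";       // container has no live session with that id
        return fromCookie ? "VALID_FROM_COOKIE" : "VALID_FROM_URL";
    }

    // Session ids are credentials: log a short prefix only, never the full value.
    static String abbreviate(Object id) {
        if (id == null) return "none";
        String s = id.toString();
        return s.length() <= 8 ? s : s.substring(0, 8) + "...";
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        // Inspect the request first: getSession() below may create a session.
        String requestedId = req.getRequestedSessionId();
        String verdict = classify(requestedId,
                req.isRequestedSessionIdValid(),
                req.isRequestedSessionIdFromCookie());

        // Null on plain HTTP or on containers that do not expose this attribute.
        Object tlsSessionId = req.getAttribute("javax.servlet.request.ssl_session_id");

        HttpSession session = req.getSession();
        log("verdict=" + verdict
                + " requested=" + abbreviate(requestedId)
                + " actual=" + abbreviate(session.getId())
                + " isNew=" + session.isNew()
                + " secure=" + req.isSecure()
                + " tlsSession=" + abbreviate(tlsSessionId)
                + " cookieHeaderPresent=" + (req.getHeader("Cookie") != null));

        resp.setContentType("text/plain");
        resp.getWriter().println(verdict);
    }
}
```

Comparing the verdict and tlsSession fields across consecutive requests shows whether a new HttpSession coincides with a missing cookie, an unrecognised id, or a change of TLS session.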