Posted to dev@tomcat.apache.org by co...@covalent.net on 2001/10/11 11:12:48 UTC

Re: [Tomcat 3.3rc1 and 3.3rc2] Same SessionID delivered to many clients during session creation ?

Hi Hans,

Could you turn on the debugging on SessionIdGenerator? Are you using
Linux or Solaris?

You should see "Generate new sessionid" for each request - and all session
ids to be different. The random generator uses time and (if available)
/dev/random - I can't see how it would have the same id.

Costin

On Thu, 11 Oct 2001, Hans Schmid wrote:

> Hi developers,
>
> 1.) First a note about an unanswered observation from the mailing list
> archive:
> we are experiencing exactly the same behaviour with Tomcat 3.3-rc1
> with mod_jk AJP1.3 Apache 1.3.19(Solaris 8 Sparc) when using SSL as
> described below.
> That's why we had to change to <SessionId cookiesFirst="true"
> noCookies="false" />
>
> 2.)
> What we see using  <SessionId cookiesFirst="false" noCookies="true" />
> seems to result sometimes in weird behavior in a different area as well:
>
> Being in one Browser and entering data may cause this data to be
> displayed on a different Browser on a different machine. (Same Application!)
> We can not reproduce this every time but it happens way too often.
> This is very critical.
>
> 3.)
> How to reproduce this (maybe):
>
> We see the same sessionid appended to both URLs.
> This can be best reproduced by opening 2 Browsers, starting Tomcat and
> starting our Webapp in every Browser shortly after the other.
> (We are using Toplink which reads a huge XMLDescriptor file the first time
> it gets invoked. So we have the chance to start the request in the second
> Browser before the first page gets delivered)
>
> As long as you start the request in the second Browser before the request
> in the first Browser was finished (page delivered) you get the same
> jsessionid
> in the URL or the delivered page
>
> <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=clkam0vi31">
>
>
>
> Using curl tool on solaris we see the following:
>
> root@zeus[/u/www/INT/einsurance/logs]% curl --help
> curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b)
> Usage: curl [options...] <url>
> Options: (H) means HTTP/HTTPS only, (F) means FTP only
> ...
>
> for i in 1 2 3 4 5 6 7 8 9 10 ; do for j in 1 2 3 4 5 6 7 8 9 10 ; do
> curl -s 'http://myserver:8080/einsurance/doEntry.do?pid=ph&b2bid=1&cpid=1' |
> grep jsessionid &  done; done > curl.out
>
>
> I would expect a new sessionid delivered for every curl process requesting
> our entry page, but see the result:
> The same sessionid gets delivered many times; see the lines marked with
> <-----
>
>
> ...
> [306] 14992
> [307] 14994
> [308] 14996
> [309] 14998
> [310] 15000
> [311] 15002
> [312] 15004
> [313] 15006
> [314] 15008
> [315] 15010
> [316] 15012
> [317] 15014
> [318] 15016
> [319] 15018
> [320] 15020
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=3riwydurm1">      <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=3riwydurm1">      <-----
> [321] 15022
> [322] 15024
> [323] 15026
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=l8t147urm3">       <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=l8t147urm3">       <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=c0upt7urm5">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=elbj0xurm6">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=hhp68surmb">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=b6wdxburma">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=b6wdxburma">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=sfq63nurm7">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=sfq63nurm7">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=j7gnguurmk">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=h2o8wlurmh">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">       <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">       <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">       <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">       <-----
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=rbbky2urmn">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=o63jz8urnh">
>             <form name="form1" method="post"
> action="/einsurance/doShowStartPage.do;jsessionid=o63jz8urnh">
>
>
>
> This is really strange.
>
> Should I file a bug about this?
>
>
>
> Any Ideas?
>
> Thanks and sorry for the long mail,
> Hans Schmid
>
> einsurance Agency AG
> Information Technology
> Bayerstraße 33
> 80335 München
>
> Tel: +49-89-55292- 860
> Fax: +49-89-55292- 855
>
> eMail: Hans.Schmid@einsurance.de
> http://www.einsurance.de
>
>
>
>
>
>
>
> Hello,
>
> No one seems to be able to answer this question (posted
> by other people) on the user's list, so I'm hoping
> someone on the dev list will be able to.
>
> I am running Apache 1.3.20 (w/ open ssl),
> JDK 1.3, J2EE1.2.1 and Tomcat 3.2.3.
>
> Session management works great with cookies, both
> across HTTP and HTTPS.  However, as soon as I turn
> cookies off, and use URL rewriting instead... URL
> rewriting ceases to work for HTTPS links (but still
> works fine on HTTP links) when I view the page under
> HTTP. Also, NOTHING is URL rewritten when the request
> was under HTTPS.
>
> I created a test page that displays
> request.getRequestedSessionId(),
> request.isRequestedSessionIdFromURL() and
> request.isRequestedSessionIdValid().  After clicking
> on a link on this test page that is a URL encoded
> link back to itself, I have an appended ;jsessionid on
> my HTTP request.  All URL encoded HTTP links ARE URL
> encoded with the same session id, BUT none of the same
> (but in HTTPS) links are.  getRequestedSessionId()
> shows the correct session id,
> isRequestedSessionIdFromURL() shows True, and
> isRequestedSessionIdValid() is True.
>
> Now, when I manually change the URL (WITH appended
> session ID) to HTTPS, NONE of the links are URL Encoded
> (http OR https).  However, getRequestedSessionId() STILL
> shows the correct session id,
> isRequestedSessionIdFromURL() STILL shows True, and
> isRequestedSessionIdValid() STILL is True.
>
> So I seem to be having two problems.  #1) REGARDLESS of
> protocol, HTTPS links are NEVER URL Encoded.  #2) Though
> HTTP links ARE URL Encoded when my request is in HTTP,
> they ARE NOT URL Encoded when my request is in HTTPS.
>
> Can someone shed some light on what is going on here?  I
> know (because of displaying getRequestedSessionId(),
> isRequestedSessionIdFromURL() and
> isRequestedSessionIdValid()) that my JSP page is getting
> all of the session information back, but it seems as if
> Tomcat doesn't know how to URL Encode properly for HTTPS
> links OR HTTPS requests.
>
> Thanks in advance!!
> Raiden Johnson
>
> p.s. I just upgraded to Tomcat 3.2.3, because I was having
> the same problem in 3.2.2
>
> Hans Schmid
>
> einsurance Agency AG
> Information Technology
> Bayerstraße 33
> 80335 München
>
> Tel: +49-89-55292- 860
> Fax: +49-89-55292- 855
>
> eMail: Hans.Schmid@einsurance.de
> http://www.einsurance.de
> Here is what we can reproduce:
>
>
>
> root@zeus[/u/www/INT/einsurance/logs]% curl --help
> curl 7.8.1 (sparc-sun-solaris2.8) libcurl 7.8.1 (OpenSSL 0.9.6b)
> Usage: curl [options...] <url>
>
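The duplicate check that the quoted mail does by eye over curl.out can be automated; the following is an added example, not part of the original thread and not Tomcat code. It assumes each input line comes from a separate response that created a new session, and the function names and sample ids are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag session ids that were issued to more than one response.
# Assumption: every input line belongs to a different request that should
# have received a fresh session (as with the curl loop quoted above).

dup_session_ids() {
    # Reads the file named in $1, or stdin when no file is given.
    # Prints "<count> <id>" for every jsessionid seen on more than one line,
    # most frequently repeated id first.
    awk '
        match($0, /;jsessionid=[A-Za-z0-9]+/) {
            # ";jsessionid=" is 12 characters long; keep only the id itself.
            id = substr($0, RSTART + 12, RLENGTH - 12)
            seen[id]++
        }
        END {
            for (id in seen)
                if (seen[id] > 1)
                    print seen[id], id
        }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

sample_responses() {
    # Constructed sample in the shape of the grep output quoted above.
    cat <<'EOF'
action="/einsurance/doShowStartPage.do;jsessionid=aaaa1111x1">
action="/einsurance/doShowStartPage.do;jsessionid=bbbb2222x2">
action="/einsurance/doShowStartPage.do;jsessionid=aaaa1111x1">
action="/einsurance/doShowStartPage.do;jsessionid=cccc3333x3">
action="/einsurance/doShowStartPage.do;jsessionid=bbbb2222x2">
action="/einsurance/doShowStartPage.do;jsessionid=aaaa1111x1">
[321] 15022
EOF
}

# Any output here means two or more clients were handed the same session.
sample_responses | dup_session_ids
```

Run against a real capture as `dup_session_ids curl.out`; an empty result means every response carried a distinct id.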