Posted to commits@cayenne.apache.org by "Christian Pasemann (JIRA)" <ji...@apache.org> on 2012/09/13 23:27:07 UTC
[jira] [Commented] (CAY-1739) Cayenne ROP server resets session on every request if BASIC auth is used
[ https://issues.apache.org/jira/browse/CAY-1739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13455321#comment-13455321 ]
Christian Pasemann commented on CAY-1739:
-----------------------------------------
So I tested this on Tomcat 7.0.30 and 6.0.35. The problem occurs on both. On Jetty 6.1.22 this issue won't happen.
> Cayenne ROP server resets session on every request if BASIC auth is used
> ------------------------------------------------------------------------
>
> Key: CAY-1739
> URL: https://issues.apache.org/jira/browse/CAY-1739
> Project: Cayenne
> Issue Type: Bug
> Affects Versions: 3.1B1
> Reporter: Andrus Adamchik
> Assignee: Andrus Adamchik
>
> Per http://stackoverflow.com/questions/12314857/apache-cayenne-rop-server-no-session-associated-with-request-on-tomcat-7 Tomcat 7 resets HTTP session on every ROP request resulting in a loss of state on the client.
> I reproduced that on Tomcat 7 and Jetty 8. Jetty 6 works correctly.
> Debugging on Jetty shows that if BASIC auth is present, container invalidates the existing session and creates a new one during auth credentials checking phase. So it goes like this:
> 1. Connect ... session1 is established
> 2. Bootstrap ... session1 cookie is accepted, but session is immediately invalidated and session2 is created
> 3. Commit ... Client still sends session1 cookie, while the server expects session2, causing an exception:
> org.apache.cayenne.remote.service.MissingSessionException: [v.3.2M1-SNAPSHOT Sep 10 2012 23:14:19] No session associated with request.
> at org.apache.cayenne.remote.service.BaseRemoteService.processMessage(BaseRemoteService.java:127)
> I wonder if the new servlet spec is specifying this behavior (?).
> A possible fix is to read the session cookie on the client and reset session ID on every request.
> A hideous workaround for the users is to remove BASIC auth.
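The Connect / Bootstrap / Commit sequence from the issue description, replayed as an added example (not part of the original message and not Cayenne code). `Container` and `run_client` are hypothetical names for a constructed in-memory model; it assumes the server-side state is carried over to the new session ID, which is what the proposed client-side fix relies on.

```python
import itertools


class Container:
    """Constructed toy container: with BASIC auth it invalidates the presented
    session and issues a new one during the credentials check."""

    def __init__(self, basic_auth):
        self.basic_auth = basic_auth
        self.sessions = {}              # session id -> server-side state
        self._ids = itertools.count(1)

    def _new_session(self, state=None):
        sid = f"session{next(self._ids)}"
        self.sessions[sid] = dict(state or {})
        return sid

    def handle(self, message, cookie=None):
        """Return (status, set_cookie); set_cookie is None when the id is unchanged."""
        if message == "connect":
            return "ok", self._new_session()
        if cookie not in self.sessions:
            # The client presented an id the server has already invalidated.
            return "MissingSessionException", None
        if self.basic_auth:
            # Assumption: state moves to the fresh id, the old id stops working.
            return "ok", self._new_session(self.sessions.pop(cookie))
        return "ok", None


def run_client(server, track_cookie):
    """Replay Connect, Bootstrap, Commit and return the status of each step.

    track_cookie=False keeps the first session id for the whole conversation
    (the failing behaviour); track_cookie=True re-reads the session cookie
    from every response (the fix proposed in the issue).
    """
    cookie, statuses = None, []
    for message in ("connect", "bootstrap", "commit"):
        status, set_cookie = server.handle(message, cookie)
        statuses.append(status)
        if set_cookie and (cookie is None or track_cookie):
            cookie = set_cookie
    return statuses
```
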