Posted to commits@cayenne.apache.org by "Christian Pasemann (JIRA)" <ji...@apache.org> on 2012/09/13 23:27:07 UTC

[jira] [Commented] (CAY-1739) Cayenne ROP server resets session on every request if BASIC auth is used

    [ https://issues.apache.org/jira/browse/CAY-1739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13455321#comment-13455321 ] 

Christian Pasemann commented on CAY-1739:
-----------------------------------------

So I tested this on Tomcat 7.0.30 and 6.0.35. The problem occurs on both. On Jetty 6.1.22 this issue won't happen.

> Cayenne ROP server resets session on every request if BASIC auth is used
> ------------------------------------------------------------------------
>
>                 Key: CAY-1739
>                 URL: https://issues.apache.org/jira/browse/CAY-1739
>             Project: Cayenne
>          Issue Type: Bug
>    Affects Versions: 3.1B1
>            Reporter: Andrus Adamchik
>            Assignee: Andrus Adamchik
>
> Per http://stackoverflow.com/questions/12314857/apache-cayenne-rop-server-no-session-associated-with-request-on-tomcat-7 Tomcat 7 resets HTTP session on every ROP request resulting in a loss of state on the client. 
> I reproduced that on Tomcat 7 and Jetty 8. Jetty 6 works correctly. 
> Debugging on Jetty shows that if BASIC auth is present, container invalidates the existing session and creates a new one during auth credentials checking phase. So it goes like this:
> 1. Connect ... session1 is established
> 2. Bootstrap ... session1 cookie is accepted, but session is immediately invalidated and session2 is created
> 3. Commit ... Client still sends session1 cookie, while the server expects session2, causing an exception:
> org.apache.cayenne.remote.service.MissingSessionException: [v.3.2M1-SNAPSHOT Sep 10 2012 23:14:19] No session associated with request.
> 	at org.apache.cayenne.remote.service.BaseRemoteService.processMessage(BaseRemoteService.java:127)
> I wonder if the new servlet spec is specifying this behavior (?).
> A possible fix is to read the session cookie on the client and reset session ID on every request. 
> A hideous workaround for the users is to remove BASIC auth.

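
The three-step sequence in the quoted issue description, modelled as an added example (not Cayenne or container code): a constructed in-memory `Server` replaces the session during the bootstrap request, and a client either keeps the first cookie or adopts each replacement cookie, which is the client-side fix the description proposes. All class and method names here are assumptions made for illustration.

```java
import java.util.HashSet;
import java.util.Set;

// Added illustration; Server, handle and run are hypothetical names, not Cayenne API.
public class SessionRotationDemo {
    // Constructed stand-in for a container that replaces the session while checking BASIC auth.
    static class Server {
        private final Set<String> live = new HashSet<>();
        private int counter = 0;

        private String newSession() {
            String id = "session" + (++counter);
            live.add(id);
            return id;
        }

        // Returns the id sent back in Set-Cookie, or null when the session is unchanged.
        String handle(String op, String cookie) {
            if (op.equals("connect")) return newSession();
            if (!live.contains(cookie)) {
                throw new IllegalStateException("No session associated with request.");
            }
            if (op.equals("bootstrap")) {
                live.remove(cookie);   // old session invalidated during the auth check
                return newSession();   // replacement session issued in the same response
            }
            return null;               // commit: session stays as it is
        }
    }

    // adoptSetCookie=false keeps the first cookie; true follows every Set-Cookie.
    static String run(boolean adoptSetCookie) {
        Server server = new Server();
        String cookie = server.handle("connect", null);
        for (String op : new String[] {"bootstrap", "commit"}) {
            try {
                String issued = server.handle(op, cookie);
                if (adoptSetCookie && issued != null) cookie = issued;
            } catch (IllegalStateException e) {
                return op + " failed: " + e.getMessage();
            }
        }
        return "all requests accepted, final cookie " + cookie;
    }

    public static void main(String[] args) {
        System.out.println("pinned cookie:   " + run(false));
        System.out.println("tracking cookie: " + run(true));
    }
}
```

Run as written, the client that keeps the first cookie fails at the commit step, while the client that adopts the replacement cookie completes all three requests.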