You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Brian Cross <br...@tigernet.com> on 2011/02/04 23:02:59 UTC
Unable to store a session with Tomcat 7 linux and Internet Explorer
Hello Tomcat experts, I am looking at going from Tomcat 6 to 7 on Linux
and ran into a strange issue. I cannot get an http session to "stick"
when using Internet Explorer. A new session gets created every time you
load the test page in IE only. I have verified this issue on IE 6, IE
8, and IE9 beta. Chrome and Firefox work as expected. I am just trying
to get a session to stick, but in IE itcreates a new one for each
request. This does NOT happen when running Tomcat 7 on Windows. Thanks
very much for your help!
My test code is just<h3>Session ID =<%=request.getSession().getId()%></h3>
Test URL (broken) on Tomcat 7:
http://www.tigernet.com:8180/t/test/sessiontest.jsp
Test URL (working) on Tomcat 6
http://www.tigernet.com/t/test/sessiontest.jsp
Old Bug possibly related?
https://issues.apache.org/bugzilla/show_bug.cgi?id=49525
--Brian.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Unable to store a session with Tomcat 7 linux and Internet
Explorer
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Unable to store a session with Tomcat 7 linux and Internet Explorer
> Simple initial observations show that the cookie returned by Tomcat 7
> has the "Version:1" and "HttpOnly" options set.
So a few quick things to try:
1) Set the useHttpOnly attribute to false in the <Context> of interest.
2) Set the system property org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0 to false.
3) Set the system property org.apache.tomcat.util.http.ServerCookie.ALLOW_NAME_ONLY to false (which is actually the default).
Also, if org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to true, try turning it off.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Unable to store a session with Tomcat 7 linux and Internet Explorer
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Brian,
On 2/4/2011 5:02 PM, Brian Cross wrote:
> Test URL (broken) on Tomcat 7:
> http://www.tigernet.com:8180/t/test/sessiontest.jsp
>
> Test URL (working) on Tomcat 6
> http://www.tigernet.com/t/test/sessiontest.jsp
Simple initial observations show that the cookie returned by Tomcat 7
has the "Version:1" and "HttpOnly" options set.
> Old Bug possibly related?
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49525
Looks related -- at least the original post.
I wonder which options trips-up MSIE. Can you do some tests with cookies
explicitly setting the version and httponly options and see which ones
make MSIE choke?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk1MfBIACgkQ9CaO5/Lv0PC+JACffKZEDuu2LLGbBFZPqapdDHie
a/UAoIQmk5GLAyyeNf7MeFgLmpOZLdFg
=iNcD
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Unable to store a session with Tomcat 7 linux and Internet Explorer
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark,
On 2/8/2011 2:51 PM, Mark Thomas wrote:
> Finally, you are committer and all the docs are commit-then-review. If
> you have improvements just commit them.
Yes, but I find it makes sense to discuss these things before just doing
them. CTR is only so useful :)
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk1RrKYACgkQ9CaO5/Lv0PBnvACgwskf6TAU4dvhLwkgm9jsuL2e
zvAAnAj1AWSX8+8WroH/1Jg3pT5i0qwA
=i03h
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Unable to store a session with Tomcat 7 linux and Internet Explorer
Posted by Mark Thomas <ma...@apache.org>.
On 08/02/2011 18:06, Christopher Schultz wrote:
> Brian,
>
> On 2/4/2011 8:33 PM, Brian Cross wrote:
>> Thanks very much Chris, Chuck, and Mark. I did indeed have
>
>> org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
>
>> I remember setting that a long time ago to fix a problem, but I can't
>> remember what it was.
>
>> I added
>> org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
>
>> as Mark suggested, and that fixed it right up. Thanks again.
>
> So, correct me if I'm wrong, but setting STRICT_SERVLET_COMPLIANCE=true
> makes sessions break in all versions of MSIE. Do I have that right?
As far as I am aware, yes.
> If that's the case, we might want to have a warning about it near the
> explanation of what that flag does. The docs for FWD_SLASH_IS_SEPARATOR
> *do* say something, but I think it's worth adding to the docs for
> STRICT_SERVLET_COMPLIANCE.
Did you read the docs? It already does say that.
And before you say you were looking at the Tomcat 6 docs, the above
discussion only applies to Tomcat 7.
Finally, you are committer and all the docs are commit-then-review. If
you have improvements just commit them.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Unable to store a session with Tomcat 7 linux and Internet Explorer
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Brian,
On 2/4/2011 8:33 PM, Brian Cross wrote:
> Thanks very much Chris, Chuck, and Mark. I did indeed have
>
> org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
>
> I remember setting that a long time ago to fix a problem, but I can't
> remember what it was.
>
> I added
> org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
>
> as Mark suggested, and that fixed it right up. Thanks again.
So, correct me if I'm wrong, but setting STRICT_SERVLET_COMPLIANCE=true
makes sessions break in all versions of MSIE. Do I have that right?
If that's the case, we might want to have a warning about it near the
explanation of what that flag does. The docs for FWD_SLASH_IS_SEPARATOR
*do* say something, but I think it's worth adding to the docs for
STRICT_SERVLET_COMPLIANCE.
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk1RhiMACgkQ9CaO5/Lv0PC0ygCgprZuOPKG54jKeiD4Q+09Gt8T
9jYAoJOSzBhdhEOnLO7Q+DOYIF6S1T7g
=/kNu
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Unable to store a session with Tomcat 7 linux and Internet Explorer
Posted by Brian Cross <br...@tigernet.com>.
Thanks very much Chris, Chuck, and Mark. I did indeed have
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
I remember setting that a long time ago to fix a problem, but I can't remember what it was.
I added org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
as Mark suggested, and that fixed it right up. Thanks again.
--Brian.
On 2/4/2011 5:35 PM, Mark Thomas wrote:
> On 04/02/2011 22:02, Brian Cross wrote:
>> Hello Tomcat experts, I am looking at going from Tomcat 6 to 7 on Linux
>> and ran into a strange issue. I cannot get an http session to "stick"
>> when using Internet Explorer. A new session gets created every time you
>> load the test page in IE only. I have verified this issue on IE 6, IE
>> 8, and IE9 beta. Chrome and Firefox work as expected. I am just trying
>> to get a session to stick, but in IE itcreates a new one for each
>> request. This does NOT happen when running Tomcat 7 on Windows. Thanks
>> very much for your help!
>>
>> My test code is just<h3>Session ID =<%=request.getSession().getId()%></h3>
>>
>> Test URL (broken) on Tomcat 7:
>> http://www.tigernet.com:8180/t/test/sessiontest.jsp
>>
>> Test URL (working) on Tomcat 6
>> http://www.tigernet.com/t/test/sessiontest.jsp
>>
>> Old Bug possibly related?
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=49525
> Sort of.
>
> Tomcat 7 is stricter in enforcing various specifications including the
> cookie specification which states that / is not allowed in a cookie
> value unquoted. Unfortunately / gets used a lot in cookies in the path
> and if correctly quoted - i.e. path="/..." - IE chokes. Not exactly a
> surprise considering just how badly IE adheres to the cookie specs. To
> avoid exactly the issue you are seeing, Tomcat 7 does not enforce this
> part of the specification by default.
>
> I suggest a careful read of the following Tomcat 7 docs
> http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html with
> particular reference to
> org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR and
> org.apache.catalina. STRICT_SERVLET_COMPLIANCE. My guess is that you
> have set one or other of these to true.
>
> I usually run Tomcat with the following:
> org.apache.catalina. STRICT_SERVLET_COMPLIANCE=true
> org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Unable to store a session with Tomcat 7 linux and Internet Explorer
Posted by Mark Thomas <ma...@apache.org>.
On 04/02/2011 22:02, Brian Cross wrote:
> Hello Tomcat experts, I am looking at going from Tomcat 6 to 7 on Linux
> and ran into a strange issue. I cannot get an http session to "stick"
> when using Internet Explorer. A new session gets created every time you
> load the test page in IE only. I have verified this issue on IE 6, IE
> 8, and IE9 beta. Chrome and Firefox work as expected. I am just trying
> to get a session to stick, but in IE itcreates a new one for each
> request. This does NOT happen when running Tomcat 7 on Windows. Thanks
> very much for your help!
>
> My test code is just<h3>Session ID =<%=request.getSession().getId()%></h3>
>
> Test URL (broken) on Tomcat 7:
> http://www.tigernet.com:8180/t/test/sessiontest.jsp
>
> Test URL (working) on Tomcat 6
> http://www.tigernet.com/t/test/sessiontest.jsp
>
> Old Bug possibly related?
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49525
Sort of.
Tomcat 7 is stricter in enforcing various specifications including the
cookie specification which states that / is not allowed in a cookie
value unquoted. Unfortunately / gets used a lot in cookies in the path
and if correctly quoted - i.e. path="/..." - IE chokes. Not exactly a
surprise considering just how badly IE adheres to the cookie specs. To
avoid exactly the issue you are seeing, Tomcat 7 does not enforce this
part of the specification by default.
I suggest a careful read of the following Tomcat 7 docs
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html with
particular reference to
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR and
org.apache.catalina. STRICT_SERVLET_COMPLIANCE. My guess is that you
have set one or other of these to true.
I usually run Tomcat with the following:
org.apache.catalina. STRICT_SERVLET_COMPLIANCE=true
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org