Pascal,
On 1/9/25 7:31 AM, Pascal Rigaux wrote:
On 08/01/2025 22:13, Christopher Schultz wrote:
[...]
It would allow anyone to force a logout of all current users at will
just by making any request that causes an unauthenticated session to
be created.
Instant DOS.
Note that current "maxAc
existing sessions can work normally.
-Harri
-Original Message-
From: Rémy Maucherat
Sent: Thursday, 9 January 2025 14.40
To: Tomcat Users List
Subject: Re: session Manager "maxActiveSessions" alternative behavior : allow
new session but expire old session
On Thu, Jan 9,
On Thu, Jan 9, 2025 at 1:31 PM Pascal Rigaux
wrote:
>
> Hi,
>
> On 08/01/2025 22:13, Christopher Schultz wrote:
> > [...]
> > It would allow anyone to force a logout of all current users at will just
> > by making any request that causes an unauthenticated session to be created.
> >
> > Instant D
Hi,
On 08/01/2025 22:13, Christopher Schultz wrote:
[...]
It would allow anyone to force a logout of all current users at will just by
making any request that causes an unauthenticated session to be created.
Instant DOS.
Note that current "maxActiveSessions" implementation also causes a DOS:
Pascal,
On 1/8/25 2:20 PM, Pascal Rigaux wrote:
On some applications we have:
- quite low number of users most of the time
- high number of users twice a year
These applications store quite a lot of information in session.
To cope with the surge of users, we would need to:
- either increase mx
Dan,
On 2/1/24 11:54, Dan McLaughlin wrote:
I was able to identify the problem - there was a session configuration with
cookie configuration in the catalina-base/web.xml file.
catalina-base/conf/web.xml?
I did mention on 26 Jan that this wasn't a good idea and could be
causing this kind of p
Hey Mark,
I was able to identify the problem - there was a session configuration with
cookie configuration in the catalina-base/web.xml file.
I just wanted to suggest that it would be great if logging could be enabled
to show not only what the parameters were set to, but also where the
values cam
On 27/01/2024 14:38, Dan McLaughlin wrote:
Hey Mark,
If you see a bug report, then that will mean I was able to reproduce it. I
see different behaviors in our local docker environment. Still, it's
nowhere as complex as our production environment--where everything is
clustered and behind load
Hey Mark,
If you see a bug report, then that will mean I was able to reproduce it. I
see different behaviors in our local docker environment. Still, it's
nowhere as complex as our production environment--where everything is
clustered and behind load balancers, etc... It probably would be easier
On 26/01/2024 22:22, Dan McLaughlin wrote:
Hey Konstantin,
Thanks for the reply.
I synced the source last night. I haven't had a chance to step through with
a debugger yet. But the only way I could get the Cookie Path set was to
modify the context.xml and add sessionCookiePath to every applicat
Hey Konstantin,
Thanks for the reply.
I synced the source last night. I haven't had a chance to step through with
a debugger yet. But the only way I could get the Cookie Path set was to
modify the context.xml and add sessionCookiePath to every application. I'm
pretty sure this wasn't how things w
Dan,
On 1/26/24 02:44, Dan McLaughlin wrote:
Well, so much for that theory. __Secure-JSESSIONID still sets the
sessionCookiePath to /. I even removed the entire session-config from the
web.xml and turned on copyXML to extract the secure#Foo.xml out to the
conf/Catalina/localhost folder. Based
Fri, 26 Jan 2024 at 04:01, Dan McLaughlin :
>
> Does anyone know what class we would crank the log level up to see why
> Tomcat would ignore cookie-config in our web.xml?
>
> We are using Tomcat 10.1.18. Our app WAR is named secure#Foo.war. We've
> always depended on the name of the WAR to name
Well, so much for that theory. __Secure-JSESSIONID still sets the
sessionCookiePath to /. I even removed the entire session-config from the
web.xml and turned on copyXML to extract the secure#Foo.xml out to the
conf/Catalina/localhost folder. Based on the documentation, if I don't set
sessionCook
To give more context we originally moved to use __Host-JSESSIONID but were
seeing issues with the cookie getting overwritten when switching between
application contexts on the same host. I thought the routeid would play a
part in keeping the session cookies separate, but the browsers apparently
do
I think I just figured it out. __Host- doesn't allow for setting a path to
anything other than /.
It would have been nice if Tomcat would have logged an error instead of
silently failing, or forcing the path to / and not saying anything. That
would have saved me a ton of time.
--
Thanks,
Dan
O
Which one wins the catalina-base/conf/web.xml or the
Webapp/WEB-INF/web.xml.
I just noticed that the one under catalina base contains:
30
Or do they get merged?
Thanks,
Dan
On Thu, Jan 25, 2024 at 7:00 PM Dan McLaughlin wrote:
> Does anyone know what class we would crank the log level u
Trying to make a PCI-DSS compliant installation. It looks like this filter
does everything that Apache can do with config files, so I'll leave it out.
Kevin Huntly
Email: kmhun...@gmail.com
Cell: 716/424-3311
On 13/04/2023 23:03, Kevin Huntly wrote:
Hello,
With this filter enabled in Tomcat's web.xml:
httpHeaderSecurity
org.apache.catalina.filters.HttpHeaderSecurityFilter
true
My sessions are being immediately lost. If I comment out the filter,
everything is fine. What
André,
On 12/22/21 16:14, André Warnier (tomcat/perl) wrote:
Hi Chris.
Maybe the problem was due to this :
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxy
the snippet after "Mixing ProxyPass settings in different contexts does
not work:"
In your first configuration below, the ProxyPa
Hi Chris.
Maybe the problem was due to this :
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxy
the snippet after "Mixing ProxyPass settings in different contexts does not
work:"
In your first configuration below, the ProxyPass (including the settings of the variables)
is outside of any
[Session attribute disappearing between requests]
*sigh* Brown paper bag error: the original-request handler was
cleaning up the value before it could be read by the progress-request
handler, when the original request *does not* run a long time
(e.g. zero records to summarize). That's the wrong
Amazing! That's what I love about Tomcat :)
Thank you Luis.
On Sun, 20 Oct 2019 at 12:21, Luis Rodríguez Fernández
wrote:
> Hello M.Manna,
>
> Yes, probably SESSIONS.ser can give you an idea. Maybe if you want to get
> more accurate results perhaps you can
>
> 1. Do it yourself via JMX [1]
> 2.
Hello M.Manna,
Yes, probably SESSIONS.ser can give you an idea. Maybe if you want to get
more accurate results perhaps you can
1. Do it yourself via JMX [1]
2. Give a try to psi-probe [2], it seems that it has everything that you
need
Hope it helps,
Luis
[1]
https://stackoverflow.com/questions
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Jerry,
On 4/11/19 19:34, Jerry Malcolm wrote:
>
> On 4/11/2019 5:05 PM, Jerry Malcolm wrote:
>> On 4/11/2019 4:22 PM, Christopher Schultz wrote:
>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>>
>>> Jerry,
>>>
>>> On 4/11/19 15:29, Jerry Ma
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Jerry,
On 4/11/19 18:05, Jerry Malcolm wrote:
> On 4/11/2019 4:22 PM, Christopher Schultz wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>
>> Jerry,
>>
>> On 4/11/19 15:29, Jerry Malcolm wrote:
>>> Alternatively, if I had a better unde
Thanks, Luis. I tried that. And it indeed does store only one session
cookie for the entire domain. But it does not change the fact that if
you have two webapps in the same domain (contexts), you still have two
different sessions and therefore two different session ids. You now just
have one
Hello Jerry,
Sure, you can always set the path of your cookies to "/" via the
cookie-config element [1] in your web.xml descriptor:
/
Or via your context.xml [2]
Hope it helps,
Luis
[1]
https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet
On 4/11/2019 5:05 PM, Jerry Malcolm wrote:
On 4/11/2019 4:22 PM, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Jerry,
On 4/11/19 15:29, Jerry Malcolm wrote:
Alternatively, if I had a better understanding of how sessions are
managed by both TC and the browser, it
This is a great information.
I'd like to stray a little off topic if that's okay .. still in the
same ballpark.
I like to invent new doodads in software and see if I can do it better.
Over the years, like many, I built-up a library of things that worked
best for me over the years. One of those
On 4/11/2019 4:22 PM, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Jerry,
On 4/11/19 15:29, Jerry Malcolm wrote:
Alternatively, if I had a better understanding of how sessions are
managed by both TC and the browser, it might help me figure out
what is going wrong.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Jerry,
On 4/11/19 15:29, Jerry Malcolm wrote:
> Alternatively, if I had a better understanding of how sessions are
> managed by both TC and the browser, it might help me figure out
> what is going wrong. I know a session key is generated by TC and
I'm looking forward to hearing from the dev folks on this. I suspect
it has something to do with the context configuration.
A long time ago, I started doing my own session management, but then I
don't mind building out the pieces I needed for clustering. In fact,
I decided to store session infor
Alternatively, if I had a better understanding of how sessions are
managed by both TC and the browser, it might help me figure out what is
going wrong. I know a session key is generated by TC and sent back in a
response. And I'm assuming that the browser must return that session
key on subseq
Thanks for the quick response, Luis. Answers below:
On 4/11/2019 3:22 AM, Luis Rodríguez Fernández wrote:
Hello Jerry,
I'm using single sign-on
Do you mean tomcat Single Sign On valve? [1], a third party solution or
your custom implementation? That can change the game completely :)
Yes, sta
Hello Jerry,
> I'm using single sign-on
Do you mean tomcat Single Sign On valve? [1], a third party solution or
your custom implementation? That can change the game completely :)
> some RewriteRules in httpd
Can you share them? That could change the game also :)
Cheers,
Luis
[1]
https://tomc
On 09/02/2019 19:32, Усманов Азат Анварович wrote:
> Hello everyone! I have a webapp running on tomcat 7.0.92 with java 7 with
> APR/tomcat native 1.2.19 on RHEL 6
>
> I've tested website(debug.ieml.ru) on which my webapp is running on ssllabs
> server test and one thing I've noticed is the o
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Alejandro,
On 9/7/17 5:49 PM, Alejandro Vargas M. wrote:
> Is there anyway to delete a session in Tomcat when the user not
> logout correctly from the application, normally they not logged out
> correctly, they just click on the "X" (they said), the
On 8/9/17 8:35 AM, Mark Thomas wrote:
On 09/08/17 16:09, David Wall wrote:
We're using Tomcat 8.5.16 with Java 1.8.0_91, Vaadin 7.7.10 and
Atmosphere Websockets.
We have had reports of sessions logging out while users are active with
our Vaadin-based application. This has been frustrating as w
On 09/08/17 16:09, David Wall wrote:
> We're using Tomcat 8.5.16 with Java 1.8.0_91, Vaadin 7.7.10 and
> Atmosphere Websockets.
>
> We have had reports of sessions logging out while users are active with
> our Vaadin-based application. This has been frustrating as we can't
> seem to track down wh
On 21/06/2016 03:54, mw...@loftware.com wrote:
>
>
>> -Original Message-
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Monday, June 20, 2016 11:32 AM
>> To: Tomcat Users List
>> Subject: Re: session-timeout and maxInactiveInterval
>>
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Monday, June 20, 2016 11:32 AM
> To: Tomcat Users List
> Subject: Re: session-timeout and maxInactiveInterval
>
> On 20/06/2016 16:00, mw...@loftware.com wrote:
> > We are runni
On 20/06/2016 16:00, mw...@loftware.com wrote:
> We are running 7.0.69 and Java 1.8.0_91.
>
> We ran into an incident at a customer where the customer had set
> session-timeout to 0 – which according to the servlet 3.0 spec, the
> session should never time out. However, the customer was basically
Yes, I think if uncommented the
The ClustedManage could be disabled even if is defined.
On 16/4/25 at 12:57 PM, Keiichi Fujino wrote:
2016-04-23 15:29 GMT+09:00 sanigo :
Hi!
I have tested quite a few times to confirm that session replication
will not happen after uncommenting in
conf/con
2016-04-23 15:29 GMT+09:00 sanigo :
> Hi!
>I have tested quite a few times to confirm that session replication
> will not happen after uncommenting in
> conf/context.xml.
>If the line is commented out, the session replication will work
> happily.
>
Is there a warning message to y
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Qadeer,
On 2/18/16 12:03 PM, Qadeer Khan wrote:
> Ok I got a little more information the user
Get this, too: What exact version of Tomcat. 7.0.what?
> On clicking on the session number '0', he is getting the following
> error. Any idea?
>
> FAIL -
call will create a session.
It is as simple as that!!
- Original Message -
From: "Mark Thomas"
To: "Tomcat Users List"
Sent: Thursday, February 18, 2016 11:50:24 AM
Subject: Re: Session on Tomcat 7 manager screem
On 18/02/2016 16:45, Qadeer Khan wrote:
Can you
"
> To: "Tomcat Users List"
> Sent: Thursday, February 18, 2016 11:50:24 AM
> Subject: Re: Session on Tomcat 7 manager screem
>
> On 18/02/2016 16:45, Qadeer Khan wrote:
>> Can you tell what a session definition is?
>
> You are claiming there is a bug with
;
Stacktrace:
Thanks
Original Message -
From: "Mark Thomas"
To: "Tomcat Users List"
Sent: Thursday, February 18, 2016 11:50:24 AM
Subject: Re: Session on Tomcat 7 manager screem
On 18/02/2016 16:45, Qadeer Khan wrote:
> Can you tell what a session definition is?
You are c
application and as I said earlier session is not incrementing
It is as simple as that!!
- Original Message -
From: "Mark Thomas"
To: "Tomcat Users List"
Sent: Thursday, February 18, 2016 11:50:24 AM
Subject: Re: Session on Tomcat 7 manager screem
On 18/02/201
On 18/02/2016 16:45, Qadeer Khan wrote:
> Can you tell what a session definition is?
You are claiming there is a bug with session handling yet you don't know
what a session is? Oh dear.
Time for you to spend some time reading the Servlet specification.
Mark
>
>
> On 18/02/2016 16:28, Qadeer
Can you tell what a session definition is?
On 18/02/2016 16:28, Qadeer Khan wrote:
> Hey Guys,
>
> Someone please throw some light as I am being asked about it several times now
Then maybe try reading the responses you received to your previous post
and answering the questions you were asked.
On 18/02/2016 16:28, Qadeer Khan wrote:
> Hey Guys,
>
> Someone please throw some light as I am being asked about it several times now
Then maybe try reading the responses you received to your previous post
and answering the questions you were asked.
> There is are several running java applicatio
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Qadeer,
On 2/12/16 1:55 PM, Qadeer Khan wrote:
> I have a few sample applications installed on two machines. One my
> local and the other on a server. When I run an application via
> manager UI, on my local, it increments the session
Good.
> But i
: 703-798-5621
Email: qk...@redhat.com
http://www.redhat.com
- Original Message -
From: "Mark Thomas"
To: "Tomcat Users List"
Sent: Friday, February 12, 2016 12:04:48 PM
Subject: Re: Session is not incrementing on Manager GUI on Tomcat 7
On 12/02/2016 15:57, Qadeer
at so bear with me ...
You are missing the point. I'll try again.
Why assume that an application uses sessions?
Mark
>
>
>
> - Original Message -
> From: "Mark Thomas"
> To: "Tomcat Users List"
> Sent: Friday, February 12, 2016 10:44:30
: "Mark Thomas"
To: "Tomcat Users List"
Sent: Friday, February 12, 2016 10:44:30 AM
Subject: Re: Session is not incrementing on Manager GUI on Tomcat 7
On 12/02/2016 15:34, Qadeer Khan wrote:
> There is a running applications on tomcat server but the 'session' field
On 12/02/2016 15:34, Qadeer Khan wrote:
> There is a running applications on tomcat server but the 'session' field on
> the Manager screen always show a '0". only for /manager it shows a '1'.
>
> How to fix that?
Fix what? Why assume that an application uses sessions?
Mark
--
On Fri, Jul 3, 2015 at 9:17 AM, Charles Richard <
charle...@thelearningbar.com> wrote:
> On Fri, Jul 3, 2015 at 9:58 AM, Daniel Mikusa wrote:
>
> > On Fri, Jul 3, 2015 at 8:36 AM, Charles Richard <
> > charle...@thelearningbar.com> wrote:
> >
> > > Hi,
> > >
> > > We are currently using a product
On Fri, Jul 3, 2015 at 9:58 AM, Daniel Mikusa wrote:
> On Fri, Jul 3, 2015 at 8:36 AM, Charles Richard <
> charle...@thelearningbar.com> wrote:
>
> > Hi,
> >
> > We are currently using a product called Terracotta to do session
> > fail-over/replication but are considering moving away from this pr
On Fri, Jul 3, 2015 at 8:36 AM, Charles Richard <
charle...@thelearningbar.com> wrote:
> Hi,
>
> We are currently using a product called Terracotta to do session
> fail-over/replication but are considering moving away from this product as
> it doesn't seem to support Java 7 and Tomcat 7.
>
> What
Late to this party :-)
On Wed, Feb 4, 2015 at 2:03 AM, Rory Kelly wrote:
> Rack is a bundle of fun, since this application is a Jruby application,
> which is being converted into a Java application to run on Tomcat. That's a
> whole other can of worms :)
I've only run Rails apps out of Tomcat (
ent: 03 February 2015 20:40
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Rory,
On 2/3/15 6:04 AM, Rory Kelly wrote:
> Sorry for the late reply, I wound up working from home yesterday, and
> access to the serve
03 Feb 2015 11:07:06 -; HttpOnly
> Transfer-Encoding: chunked X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff x-frame-options: SAMEORIGIN
I don't see a single session id in any of those requests, other than
the "ib" token you said is generated by "
ory
-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 03 February 2015 12:52
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9
2015-02-03 14:04 GMT+03:00 Rory Kelly :
> Hi Chris,
>
> Sorry for the late reply, I wound
2015-02-03 14:04 GMT+03:00 Rory Kelly :
> Hi Chris,
>
> Sorry for the late reply, I wound up working from home yesterday, and access
> to the server was less than ideal
> I'm just gonna dump the Headers from the login get, through to when it dumps
> me back out at the login.
>
> #response
> HTTP/1
-; HttpOnly
Transfer-Encoding: chunked
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
Kind Regards,
Rory
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 January 2015 17:18
To: Tomcat Users List
Subjec
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Rory,
On 1/30/15 11:01 AM, Rory Kelly wrote:
> I apologise in advance if the formatting is absolutely terrible.
Actually, it was totally readable ;)
>> Are you using cookies for session-tracking?
>
>> Can you watch the HTTP conversation to see wh
Hi Chris,
I apologise in advance if the formatting is absolutely terrible.
>Are you using cookies for session-tracking?
>Can you watch the HTTP conversation to see what's being sent back and forth
>during that workflow? LiveHttpHeaders is great for Firefox, and these days
>Chrome, Firefox, and I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Rory,
On 1/30/15 6:08 AM, Rory Kelly wrote:
> I’m having a lot of trouble with maintaining a session in a Virtual
> Host environment on 8.0.9. I installed Tomcat through apt-get on an
> Ubuntu 14.04 server
>
> My application is a JRuby padrino bund
Chris,
On 1/13/15, 11:06 AM, "Christopher Schultz"
wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>Peter,
>
>On 1/13/15 1:10 PM, Peter Rifel wrote:
>> On 1/13/15, 6:32 AM, "Christopher Schultz"
>> wrote:
>>
>> I was wondering, because there is an unfortunately situation with
>> ses
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Peter,
On 1/13/15 1:10 PM, Peter Rifel wrote:
> On 1/13/15, 6:32 AM, "Christopher Schultz"
> wrote: On 1/12/15 4:32 PM, Peter
> Rifel wrote:
On 1/12/15, 11:36 AM, "Christopher Schultz"
wrote: On 1/12/15 2:28 PM,
Peter Rifel wrote:
Chris,
On 1/13/15, 6:32 AM, "Christopher Schultz"
wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>Peter,
>
>On 1/12/15 4:32 PM, Peter Rifel wrote:
>> On 1/12/15, 11:36 AM, "Christopher Schultz"
>> wrote: On 1/12/15 2:28 PM, Peter
>> Rifel wrote:
> Chris,
>
> On 1/12/15,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Peter,
On 1/12/15 4:32 PM, Peter Rifel wrote:
> On 1/12/15, 11:36 AM, "Christopher Schultz"
> wrote: On 1/12/15 2:28 PM, Peter
> Rifel wrote:
Chris,
On 1/12/15, 11:08 AM, "Christopher Schultz"
wrote:
Peter,
>
Chris,
On 1/12/15, 11:36 AM, "Christopher Schultz"
wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>Peter,
>
>On 1/12/15 2:28 PM, Peter Rifel wrote:
>> Chris,
>>
>> On 1/12/15, 11:08 AM, "Christopher Schultz"
>> wrote:
>>
>> Peter,
>>
>> On 1/12/15 12:51 PM, Peter Rifel wrote:
>>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Peter,
On 1/12/15 2:28 PM, Peter Rifel wrote:
> Chris,
>
> On 1/12/15, 11:08 AM, "Christopher Schultz"
> wrote:
>
> Peter,
>
> On 1/12/15 12:51 PM, Peter Rifel wrote:
I'm running Tomcat 8.0.15 with Java 1.8.0_25 on Ubuntu 14.04.
We hav
Chris,
On 1/12/15, 11:08 AM, "Christopher Schultz"
wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>Peter,
>
>On 1/12/15 12:51 PM, Peter Rifel wrote:
>> I'm running Tomcat 8.0.15 with Java 1.8.0_25 on Ubuntu 14.04. We
>> have 5 instances that are all setup with session clustering as
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Peter,
On 1/12/15 12:51 PM, Peter Rifel wrote:
> I'm running Tomcat 8.0.15 with Java 1.8.0_25 on Ubuntu 14.04. We
> have 5 instances that are all setup with session clustering as
> follows:
>
>
> stateTransferTimeout="5" /> className="org.apach
Spent sometime in the debugger and it is Shiro that is appending the JSESSIONID
on a redirect if the session cookie hasn't been set yet.
So, now I'm off to figure out how to turn it off in Shiro.
Thanks again for your help!
Sincerely,
Stephen McCants
On Wed, 19 Nov 2014 01:51:53 +0300
Konstant
2014-11-19 0:53 GMT+03:00 Konstantin Kolinko :
> 2014-11-19 0:21 GMT+03:00 Stephen McCants :
>> Hello Konstantin Kolinko,
>>
>> I fixed my dumb web.xml schema declaration. Thanks for pointing that out.
>>
>> I also added the COOKIE tracking mode to the example servlet and it worked
>> there (the
2014-11-19 0:21 GMT+03:00 Stephen McCants :
> Hello Konstantin Kolinko,
>
> I fixed my dumb web.xml schema declaration. Thanks for pointing that out.
>
> I also added the COOKIE tracking mode to the example servlet and it worked
> there (the URL encoded link did not contain the JSESSIONID).
>
> S
Hello Konstantin Kolinko,
I fixed my dumb web.xml schema declaration. Thanks for pointing that out.
I also added the COOKIE tracking mode to the example servlet and it worked
there (the URL encoded link did not contain the JSESSIONID).
So, next I turned on logEffectiveWebXml="true" and verifie
2014-11-18 2:49 GMT+03:00 Stephen McCants :
> Hello,
>
> I'm trying to remove the JSESSIONID from my URL the first time someone hits
> my Tomcat Web App, but I've not been able to get it working for some
> reason that eludes me. This is under Tomcat 7.0.37 and Tomcat 7.0.56.
>
> First thing I tri
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Diego,
On 9/30/14 6:56 AM, Diego Ruotolo wrote:
> Working on my company webapp I notice the following problem:
> sometimes the jsession cookie is lost, and therefore my whole http
> session is lost.
>
> The context is:
>
> - Tomcat v. 5.5.36
>
>
On Tue, Sep 30, 2014 at 6:56 AM, Diego Ruotolo
wrote:
> Hi everybody,
>
>
>
> Working on my company webapp I notice the following problem: sometimes the
> jsession cookie is lost, and therefore my whole http session is lost.
>
>
>
> The context is:
>
> - Tomcat v. 5.5.36
>
>- JDK
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Akash,
On 5/8/14, 9:56 PM, Akash Jain wrote:
> Hi,
>
> I am trying to resolve session fixation issue with tomcat 7.0.52
>
> We have a Spring MVC application running on it, and the Auth method
> is provided by another application which writes cooki
On 5/8/2014 8:56 PM, Akash Jain wrote:
Hi,
I am trying to resolve session fixation issue with tomcat 7.0.52
We have a Spring MVC application running on it, and the Auth method is
provided by another application which writes cookie, and we use the cookie
value to check whether the user is valid
Hi Guys,
Any solution for this??
On 03-01-2014 02:31 PM, Sanket Paranjape wrote:
Hi,
I am using Tomcat 7.0.47 on windows 7 with JDK 1.7.
I want to achieve session replications on multiple subdomains. If I
have a domain as xyz.example.com and abc.example.com, then I would
like to store sessi
Hi Daniel,
At last we managed to solve the replication issue. (not exactly a solution
but a workaround) :
the problem was:
The multicast tried to broadcast to local ip written in the hosts file
127.0.1.1
We had to write the actual ip address in the hosts file
instead :
127.0.1.1 - Tomcat1
we ch
On Dec 29, 2013, at 10:51 AM, Nir A wrote:
> Hi,
>
> If i want to create a cluster of 2 tomcats:
>
> Tomcat1 - ip 111.111.111.111
> Tomcat2 - ip 222.222.222.222
>
>
> Where exactly the in the server.xml i should say that my cluster contains
> both of these ips?
By default, you don't. If you
On Dec 29, 2013, at 10:11 AM, Nir A wrote:
> Hi,
> So we have 3 tomcats in our cluster and we are failing to make them
> replicate our sessions still.
>
> Our IT guy said it might has something to do with the machines of the
> tomcats.
>
> He said that since the machines the tomcats in the clus
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Dhaval,
On 12/9/13, 3:04 PM, Dhaval Jaiswal wrote:
> setting of session replication worked well. However, we do have
> threading in some products. Like we are hitting the target API and
> getting response from there servers. If will not get the resp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Martin,
On 11/8/13, 11:40 AM, Martin wrote:
> Thank you Christopher for your in depth annotations. We just
> downgraded from v6.0.34 to .20 and the problem has vanished. We
> obviously have some changes to do before we can upgrade to v7 as
> far as
Thank you Christopher for your in depth annotations. We just downgraded
from v6.0.34 to .20 and the problem has vanished. We obviously have some
changes to do before we can upgrade to v7 as far as the session handling
is concerned. Your post will help us along the way. Thanks again.
Martin
Am
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Martin,
On 11/8/13, 9:59 AM, Martin wrote:
> Recently we moved our application from an old ubuntu to a newer
> centos box. We upgraded our JAVA version, tomcat (from v5 to latest
> v6) and basically all server components.
I would highly recommend t
On 02/10/2013 22:26, Stefan Haberl wrote:
> I've a context.xml like so:
>
> useHttpOnly="true" disableURLRewriting="true" />
>
>
>
>
>
>
> I'm using Spring Security, which creates a new session after a user
> has been authenticated to prevent session fixation attacks.
> Everything works as
Hi Christopher,
I've deployed the test app on one of my test boxes (sorry, no DNS - only
IP-Address):
http://178.238.228.136:8080/TestServlet
Dump of TestServlet.java:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotati
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Stefan,
On 10/3/13 5:40 AM, Stefan Haberl wrote:
> I've created a minimal test case to isolate the problem. The
> TestServlet is not doing much but invalidating sessions, generating
> new ones and checking if the new one gets a different ID than th
Hi all,
I've created a minimal test case to isolate the problem. The TestServlet is not
doing much but invalidating sessions, generating new ones and checking if the
new one gets a different ID than the old one (see attached WAR). IMHO I think
this could be a Tomcat bug?
Steps to reproduce the
Hi Chuck,
Sorry, that was a copy and paste error into my mail client. My context.xml of
course looks like:
Stefan
On 02.10.2013, at 23:36, "Caldarale, Charles R"
wrote:
>> From: Stefan Haberl [mailto:birnbu...@gmail.com]
>> Subject: Session does not get invalidated when sessionCookie
1 - 100 of 758 matches