Hi Konstantin,

> 1) Does the above Location header name the same web site? If you are
> redirected to a different site, the browser will use a different set of
> cookies for it (as your Set-Cookie headers do not set domain for the
> cookie, and thus it is limited to a single site).

Yeah, it's all contained in a single site, on a single WAR, for now.

>> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
>> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
> 2) Is "ib" your session cookie? Is it created by Tomcat (just with a
> different cookie name), or by something else?

"ib" is getting set by Rack. I've tried the same WAR on my Windows machine, and it works fine. The only difference between the two instances is the environment (Single Host Tomcat 8.0.9 on Windows from Apache's website vs. a Virtual Host Tomcat 8.0.9 on Ubuntu installed through apt-get).

> (CVE-2013-2067)
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.33

Hmm, from this, I'm assuming my cookie should be changing for each POST request. That doesn't seem to be happening on either environment. Could this be my issue?

>> Referer: http://trythatagain.redacted.io/login/challenge
> 5) Leaking a site name....

Bah. The copy-replace apparently ignores chunks of text. Wonderful. (Should I be removing the original message from my replies, to avoid cluttering?)

Kind Regards,
Rory

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 03 February 2015 12:52
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9

2015-02-03 14:04 GMT+03:00 Rory Kelly <rory.ke...@fernsoftware.com>:
> Hi Chris,
>
> Sorry for the late reply, I wound up working from home yesterday, and
> access to the server was less than ideal. I'm just gonna dump the
> headers from the login GET, through to when it dumps me back out at
> the login.
>
> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login

1) Does the above Location header name the same web site?
If you are redirected to a different site, the browser will use a different set of cookies for it (as your Set-Cookie headers do not set domain for the cookie, and thus it is limited to a single site).

> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly

2) Is "ib" your session cookie? Is it created by Tomcat (just with a different cookie name), or by something else?

3) Generally I would expect a cookie change when a FORM challenge is issued, but the Set-Cookie header has the same cookie value as before. Thus my guess of a different site name.

4) Is the time value correct? Is the client's clock correct? Comparing the Date header in the response and the cookie, it is valid for 5 minutes only. If the client's clock is wrong, it may expire the cookie earlier than in 5 minutes.

5) Leaking a site name....

> Cookie:
> ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
> Connection: keep-alive

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
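A small checker for the two things points 3 and 4 above ask about, added here as an example and not code from the thread or from Tomcat: it parses dumped responses like the ones quoted, computes the cookie's lifetime from its Expires attribute against the server's own Date header (so a wrong client clock does not enter into it), and flags a response that re-issues a cookie value the server had already issued. The header dumps are constructed from the values quoted in the thread; the function names are my own.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime

def parse_headers(raw):
    """Dumped response (status line + headers) -> {lower-cased name: value}; repeats joined by newline."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[key] = (headers[key] + "\n" if key in headers else "") + value.strip()
    return headers

def parse_set_cookie(header):
    """One Set-Cookie header -> (name, value, {attribute: value}); flags such as HttpOnly map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = dict(p.partition("=")[::2] for p in parts[1:])
    return name.strip(), value, {k.strip().lower(): v.strip() for k, v in attrs.items()}

def http_date(text):
    """RFC 1123 date -> aware datetime; a '-0000' zone parses as naive, so treat it as UTC."""
    dt = parsedate_to_datetime(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_flow(responses, cookie_name):
    """For the named cookie, report per response its lifetime (Expires minus the server's
    Date header, in seconds) and whether the server re-issued a value it had issued before."""
    findings, last_value = [], None
    for i, raw in enumerate(responses):
        h = parse_headers(raw)
        for sc in h.get("set-cookie", "").splitlines():
            name, value, attrs = parse_set_cookie(sc)
            if name != cookie_name:
                continue
            if "expires" in attrs and "date" in h:
                ttl = http_date(attrs["expires"]) - http_date(h["date"])
                findings.append((i, "lifetime_seconds", int(ttl.total_seconds())))
            if value == last_value:
                findings.append((i, "value_unchanged", value))
            last_value = value
    return findings

# Constructed sample flow: the cookie value and the first Date/Expires pair are quoted in the thread; the rest is made up.
IB = "ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836"
SAMPLE = [
    f"HTTP/1.1 302 Found\nDate: Tue, 03 Feb 2015 10:50:03 GMT\nSet-Cookie: {IB}; path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly\n",
    f"HTTP/1.1 200 OK\nDate: Tue, 03 Feb 2015 10:50:04 GMT\nSet-Cookie: {IB}; path=/; expires=Tue, 03 Feb 2015 10:55:04 -0000; HttpOnly\n",
]
```

Running `check_flow(SAMPLE, "ib")` reports a 300-second lifetime for both responses and flags the second one for re-issuing the same value.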