Rory,
On 2/3/15 6:04 AM, Rory Kelly wrote:
> Sorry for the late reply, I wound up working from home yesterday,
> and access to the server was less than ideal. I'm just gonna dump
> the Headers from the login get, through to when it dumps me back
> out at the login.
>
> ##Login
>
> #request
> POST /login HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login
> Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
> Connection: keep-alive
>
> #response
> HTTP/1.1 200 OK
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:52:07 GMT
> Location: http://redacted.site.io/login/challenge
> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/; expires=Tue, 03 Feb 2015 10:57:07 -0000; HttpOnly
> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> #request
> GET /login/challenge HTTP/1.1redacted.sitename.io
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> en-US,en;q=0.5
> gzip, deflate
> http://redacted.sitename.io/login
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
> keep-alive
>
> #response
> HTTP/1.1 200 OK
> nginx/1.6.2 (Ubuntu)
> Tue, 03 Feb 2015 10:47:37 GMT
> text/html;charset=utf-8
> chunked
> keep-alive
> no-cache, no-store, must-revalidate, max-age=0
> 1; mode=block
> nosniff
> SAMEORIGIN
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/; expires=Tue, 03 Feb 2015 10:52:37 -0000; HttpOnly
> gzip
>
> ##Challenge
>
> #request
> POST /login/challenge HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login/challenge
> Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
> Connection: keep-alive
>
> #response
> HTTP/1.1 200 OK
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/statements
> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> #Request for /statements
> #request
> GET /statements HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login/challenge
> Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
> Connection: keep-alive
>
> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login
> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly
> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> ##Redirect
> GET /login HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://boyle.fern.io/login/challenge
> Cookie: ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
> Connection: keep-alive
>
> HTTP/1.1 200 OK
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Encoding: gzip
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 11:02:06 GMT
> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie: ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3; path=/; expires=Tue, 03 Feb 2015 11:07:06 -0000; HttpOnly
> Transfer-Encoding: chunked
> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN

I don't see a single session id in any of those requests, other than
the "ib" token you said is generated by "the rack" (a load-balancer?).

Are you sure you have any session at all?

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 January 2015 17:18
> To: Tomcat Users List
> Subject: Re: Session being dropped in Virtual Host in 8.0.9
>
> Rory,
>
> On 1/30/15 11:01 AM, Rory Kelly wrote:
>> I apologise in advance if the formatting is absolutely terrible.
>
> Actually, it was totally readable ;)
>
>>> Are you using cookies for session-tracking?
>
>>> Can you watch the HTTP conversation to see what's being sent
>>> back and forth during that workflow? LiveHttpHeaders is great
>>> for Firefox, and these days Chrome, Firefox, and IE have
>>> something similar built into them.
>
>>> From the looks of it, the cookie is storing the session ID.
>> Server - nginx/1.6.2 (Ubuntu)
>> Date - Fri, 30 Jan 2015 15:52:35 GMT
>> Content-Type - text/html;charset=utf-8
>> Transfer-Encoding - chunked
>> Connection - keep-alive
>> Cache-Control - no-cache, no-store, must-revalidate, max-age=0
>> X-XSS-Protection - 1; mode=block
>> x-content-type-options - nosniff
>> x-frame-options - SAMEORIGIN
>> Set-Cookie - ib=da7f36e0f53827383a262940d2f75fcef8bbb32b57bd3fced7149ae6a8bf4e3a; path=/; expires=Fri, 30 Jan 2015 15:57:35 -0000; HttpOnly
>> Content-Encoding - gzip
>>
>> Everything in the HTTP requests seems fine, except the response
>> from my POST at the Challenge point, where, instead of a 200, I'm
>> receiving a 302. This is what tipped me off that it was the
>> session that was causing the issue.
>
> This is only one response from the server, and it's not clear what
> the request was. Can you post:
>
> 1. Request to protected resource (and response)
> 2. Request to login page (and response)
> 3. Request which is the submission of the login form (and response)
>    ... and it sounds like here is where the session is lost
> 4. The next request, which evidently has lost the session (and response)
>
>>> field... or at least whatever your client's DNS will resolve to
>>> your server. That may actually be "virtual1" but I just thought
>>> I'd mention it. It shouldn't have any bearing on the
>>> session-handling, unless your web application switches
>>> hostnames by telling a client requesting "virtual1" that it
>>> should redirect to "testsitex.site.io" or vice-versa.
>
>> I went ahead and changed this as well, as it does seem like a
>> good practice to use.
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
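
The check made by eye in the reply above (is there any session cookie in the capture, and does any cookie value change between requests), written as an added example that is not part of the original thread. It assumes Tomcat's default session cookie name, JSESSIONID, and runs over a constructed trace modeled on the capture, with shortened cookie values; the function names are hypothetical.

```python
import re
# Constructed trace modeled on the capture in the thread (cookie values shortened).
TRACE = """\
GET /statements HTTP/1.1
Cookie: ib=aaaa1111

HTTP/1.1 302 Found
Location: http://redacted.site.io/login
Set-Cookie: ib=aaaa1111; path=/; HttpOnly

GET /login HTTP/1.1
Cookie: ib=bbbb2222

HTTP/1.1 200 OK
Set-Cookie: ib=bbbb2222; path=/; HttpOnly
"""
SESSION_COOKIE = "JSESSIONID"  # assumption: Tomcat's default session cookie name

def parse_messages(trace):
    """Split a header dump into (start_line, {cookie_name: value}) per message."""
    messages = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.splitlines()
        cookies = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() not in ("cookie", "set-cookie"):
                continue
            pairs = value.split(";")
            if name.strip().lower() == "set-cookie":
                pairs = pairs[:1]  # the rest are attributes (path, expires, ...)
            for pair in pairs:
                key, _, val = pair.strip().partition("=")
                cookies[key] = val
        messages.append((lines[0], cookies))
    return messages

def audit(trace, session_cookie=SESSION_COOKIE):
    """Report a missing session cookie and any cookie whose value changes."""
    messages = parse_messages(trace)
    findings, last = [], {}
    if not any(session_cookie in cookies for _, cookies in messages):
        findings.append(f"no {session_cookie} in any message")
    for start, cookies in messages:
        for key, val in cookies.items():
            if last.get(key, val) != val:
                findings.append(f"{key} changed at: {start}")
            last[key] = val
    return findings
```

Only cookies are inspected; a session id carried in the URL would not be seen by this check.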