Is there any chance that the first and correctly authenticated cookies
(despite the debug output "secure=false") are https-only cookies and
won't get transmitted in http, thus triggering new sessions? E.g. any
chance they get rewritten at another level (Apache httpd, ServletFilter,
others) to be secure only - or that the debug output is slightly
incorrect because it omits the secure flag?

Olaf

On 08.01.2016 at 10:07, Thomas Scheffler wrote:
> Hi,
>
> I have a very rare problem regarding session handling. It is
> reproducible only on a single server environment. Of course this is the
> productive server.
>
> I use container authentication and for simplicity 'tomcat-user.xml'.
>
> Login is done via HttpServletRequest.login() method, whenever I need
> to access user and role information. The HttpServletRequest is saved
> in a ThreadLocal during request processing.
>
> While that normally does the job, there is one servlet that produces
> simple thumbnails that triggers a problem. Session handling is done
> via Cookies.
>
> A search result page lists several thumbnail images and the browser
> tries to load them (of course) in parallel.
>
> After the first thumbnail is loaded, the sessionId suddenly changes.
> As the browser is now submitting the "false" sessionId, new sessions are
> created and the browser gets that new sessionId in the response. The
> session from the first request is lost at that point and so are the
> login credentials.
>
> Why are sessionIds changing during the request?
>
>
> Here are the logs I produce via a Servlet Filter:
>
> --------- REQUEST ---------
>
> [dev-mir]  DEBUG  MCRRequestDebugFilter: REQUEST URI:
> /mir/img/pdfthumb/Document_derivate_00000049/2015-05-06_Protokoll%20der%20Sitzung%20des%20Fakult%C3%A4tsrates_%C3%B6ffentlich.pdf
>
> Cookies:
>  {path=null, maxAge=-1, domain=null, name=JSESSIONID, comment=null,
> httpOnly=false, secure=false, class=class javax.servlet.http.Cookie,
> value=BD12BA0ED4546B5BC119727DAF97086B, version=0}
> COOKIES END
>
> REQUEST PARAMETERS:
>  centerThumb: no,
> REQUEST PARAMETERS END
>
> Session is requested by cookie.
> Session is not requested by URL.
> Session is valid.
> SESSION BD12BA0ED4546B5BC119727DAF97086B created at:
> 2016-01-07T15:18:51.068
> SESSION ATTRIBUTES:
>  mycore.session: {}
> SESSION ATTRIBUTES END
>
> Header:
> accept: image/png,image/*;q=0.8,*/*;q=0.5
> accept-encoding: gzip, deflate
> accept-language: en-US,en;q=0.5
> cache-control: max-age=0
> connection: keep-alive
> cookie: JSESSIONID=BD12BA0ED4546B5BC119727DAF97086B
> host: cms.example.com:8291
> if-modified-since: Wed, 06 Jan 2016 14:40:00 GMT
> if-none-match: "4e0daa3453247bcfd985ee28de9616de"
> referer:
> http://cms.example.com:8291/mir/servlets/solr/select?q=objectType:mods%20AND%20createdby:protokoll&sort=mods.dateIssued%20desc
> user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
> Firefox/38.0
> HEADERS END
>
> --------- RESPONSE  ---------
>
> [dev-mir]  DEBUG  MCRRequestDebugFilter: RESPONSE URI:
> /mir/img/pdfthumb/Document_derivate_00000049/2015-05-06_Protokoll%20der%20Sitzung%20des%20Fakult%C3%A4tsrates_%C3%B6ffentlich.pdf
>
> Status: 304
> Header:
> Cache-Control: max-age=31536000
> ETag: "4e0daa3453247bcfd985ee28de9616de"
> Expires: Sun, 24 Jan 2016 15:30:02 GMT
> Set-Cookie: JSESSIONID=0A88AABC33D336900279B2378CD510B1; Path=/mir/;
> HttpOnly
> HEADERS END
>
>
> --------- NEXT REQUEST ---------
>
> [dev-mir]  DEBUG  MCRRequestDebugFilter: REQUEST URI:
> /mir/img/pdfthumb/Document_derivate_00000047/2015-03-25_Protokoll%20der%20Sitzung%20des%20Fakult%C3%A4tsrates_%C3%B6ffentlich.pdf
>
> Cookies:
>  {path=null, maxAge=-1, domain=null, name=JSESSIONID, comment=null,
> httpOnly=false, secure=false, class=class javax.servlet.http.Cookie,
> value=BD12BA0ED4546B5BC119727DAF97086B, version=0}
> COOKIES END
>
> REQUEST PARAMETERS:
>  centerThumb: no,
> REQUEST PARAMETERS END
>
> Session is requested by cookie.
> Session is not requested by URL.
> Session is not valid.
> Header:
> accept: image/png,image/*;q=0.8,*/*;q=0.5
> accept-encoding: gzip, deflate
> accept-language: en-US,en;q=0.5
> cache-control: max-age=0
> connection: keep-alive
> cookie: JSESSIONID=BD12BA0ED4546B5BC119727DAF97086B
> host: cms.example.com:8291
> if-modified-since: Wed, 06 Jan 2016 14:40:02 GMT
> if-none-match: "9e485dcd85a2b2ee373717a67c282873"
> referer:
> http://cms.example.com:8291/mir/servlets/solr/select?q=objectType:mods%20AND%20createdby:protokoll&sort=mods.dateIssued%20desc
> user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
> Firefox/38.0
> HEADERS END
>
>
>
>
> [dev-mir]  DEBUG  MCRServlet: Setting ReqCharEncoding to: UTF-8
> [dev-mir]  DEBUG  MCRHttpSessionListener: HttpSession
> 20934FB3493889B9EE0FB425A002BB28 is beeing created by:
> org.apache.catalina.session.StandardSessionFacade@6a75756b
>
> --------- RESPONSE ---------
>
> [dev-mir]  DEBUG  MCRRequestDebugFilter: RESPONSE URI:
> /mir/img/pdfthumb/Document_derivate_00000047/2015-03-25_Protokoll%20der%20Sitzung%20des%20Fakult%C3%A4tsrates_%C3%B6ffentlich.pdf
>
> Status: 304
> Header:
> Cache-Control: max-age=31536000
> ETag: "9e485dcd85a2b2ee373717a67c282873"
> Expires: Sun, 24 Jan 2016 15:30:03 GMT
> Set-Cookie: JSESSIONID=20934FB3493889B9EE0FB425A002BB28; Path=/mir/;
> HttpOnly
> HEADERS END
>
> kind regards,
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

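As an added example (not code from either poster), here is a small parser for the MCRRequestDebugFilter dump format shown above. It pairs the JSESSIONID the browser presented with the JSESSIONID the response issued via Set-Cookie, flags every rotation, and reports which attributes (Secure, HttpOnly, Path) the response actually set. That last part addresses Olaf's question directly: the Cookie request header carries only name=value pairs, so the `secure=false` in the request-side debug dump says nothing about the flags; only the Set-Cookie line does. The log text is a constructed abridgement of the excerpt in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, abridged from the MCRRequestDebugFilter dump quoted above.
SAMPLE_LOG = """\
--------- REQUEST ---------
cookie: JSESSIONID=BD12BA0ED4546B5BC119727DAF97086B
Session is valid.
--------- RESPONSE  ---------
Status: 304
Set-Cookie: JSESSIONID=0A88AABC33D336900279B2378CD510B1; Path=/mir/; HttpOnly
--------- NEXT REQUEST ---------
cookie: JSESSIONID=BD12BA0ED4546B5BC119727DAF97086B
Session is not valid.
--------- RESPONSE ---------
Status: 304
Set-Cookie: JSESSIONID=20934FB3493889B9EE0FB425A002BB28; Path=/mir/; HttpOnly
"""

@dataclass
class Exchange:
    presented: Optional[str] = None   # JSESSIONID the browser sent
    valid: Optional[bool] = None      # "Session is valid." vs "Session is not valid."
    issued: Optional[str] = None      # JSESSIONID from the response Set-Cookie
    attrs: set = field(default_factory=set)  # lower-cased Set-Cookie attribute names

def parse_exchanges(text):
    """Split the filter dump into request/response exchanges."""
    exchanges, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---------") and "REQUEST" in line:
            cur = Exchange()              # each REQUEST banner opens a new exchange
            exchanges.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"cookie:.*?JSESSIONID=([0-9A-F]+)", line, re.I):
            cur.presented = m.group(1)    # request header: name=value only, no flags
        elif line.startswith("Session is "):
            cur.valid = line == "Session is valid."
        elif m := re.match(r"Set-Cookie:\s*JSESSIONID=([0-9A-F]+)(.*)", line, re.I):
            cur.issued = m.group(1)       # the flags live here, not on the request side
            cur.attrs = {a.split("=")[0].strip().lower()
                         for a in m.group(2).split(";") if a.strip()}
    return exchanges

def find_rotations(exchanges):
    """Report every response that issued a session id other than the one presented."""
    return [{"exchange": i, "presented": ex.presented, "presented_valid": ex.valid,
             "issued": ex.issued, "secure": "secure" in ex.attrs,
             "httponly": "httponly" in ex.attrs}
            for i, ex in enumerate(exchanges, 1)
            if ex.issued and ex.issued != ex.presented]
```

Run over the real dump, a rotation on a request whose presented id was still valid (the first exchange here) is the one to explain; a rotation after "Session is not valid." is just Tomcat replacing an id it no longer knows.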
