-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

AJ,

On 4/30/20 16:22, AJ Chen wrote:
> The session problem happens when testing without SSL.

If you aren't using SSL, setting secure="true" on the connector will
cause a problem, here. All Cookies will be created with secure="true"
and the browser will refuse to send them to the server along with
requests. So this is likely the problem.

So stop using HTTP and always use HTTPS :)

- -chris

> On Wed, Apr 29, 2020 at 3:05 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> AJ,
>
> On 4/29/20 13:46, AJ Chen wrote:
>>>> On Wed, Apr 29, 2020 at 10:28 AM Christopher Schultz <
>>>> ch...@christopherschultz.net> wrote:
>>>>
>>>> AJ,
>>>>
>>>> On 4/29/20 13:24, AJ Chen wrote:
>>>>>>> Chris, when I use my latest iPhone 11 to access the web
>>>>>>> app, the Tomcat server generates a new session every time.
>>>>>>> It's normal use, not private browsing. I did not
>>>>>>> change any setting on Tomcat regarding session, I use
>>>>>>> default session tracking. Is there any setting that can
>>>>>>> enforce using the previous session (i.e. track session)?
>>>>>>> Can I save the previous SessionID and use it to get the
>>>>>>> session with this id explicitly?
>>>> AFAIK, Safari Mobile doesn't do anything weird.
>>>>
>>>> Are you always using TLS (HTTPS)?
>>>>
>>>> -chris
>>>>
>>>>>>> On Wed, Apr 29, 2020 at 10:13 AM Christopher Schultz <
>>>>>>> ch...@christopherschultz.net> wrote:
>>>>>>>
>>>>>>> AJ,
>>>>>>>
>>>>>>> On 4/28/20 16:13, AJ Chen wrote:
>>>>>>>>>> Andre, thanks for asking the questions. Yes, we
>>>>>>>>>> try to understand the behaviors.
>>>>>>>>>>
>>>>>>>>>> We have seen iPhone and other Android phones, on
>>>>>>>>>> different carriers, from different networks,
>>>>>>>>>> encounter this problem - losing session. It does
>>>>>>>>>> not seem there is a pattern so far. Users use all
>>>>>>>>>> kinds of phones. Some of their phones experience
>>>>>>>>>> this problem.
>>>>>>>
>>>>>>> Are any of them using "private browsing" or anything
>>>>>>> like that?
>>>>>>>
>>>>>>> Are you just using the standard Tomcat-generated
>>>>>>> JSESSIONID cookies?
>>>>>>>
>>>>>>> -chris
>>>>>>>
>>>>>>>>>> On Tue, Apr 28, 2020 at 12:08 PM André Warnier
>>>>>>>>>> (tomcat/perl) <a...@ice-sa.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> On 28.04.2020 18:28, AJ Chen wrote:
>>>>>>>>>>>> Thanks, Martin and Mark.
>>>>>>>>>>>>
>>>>>>>>>>>> I can recreate the problem: I compare two
>>>>>>>>>>>> different mobile phones. One phone can log in
>>>>>>>>>>>> and proceed. Server log shows the same
>>>>>>>>>>>> session persists (same sessionID upon
>>>>>>>>>>>> different requests). The other phone can log
>>>>>>>>>>>> in, but upon next request, server log shows a
>>>>>>>>>>>> new session is always created (new
>>>>>>>>>>>> sessionId).
>>>>>>>>>>>>
>>>>>>>>>>>> Since session tracking works on PC browser
>>>>>>>>>>>> and some mobile phone, the proxy
>>>>>>>>>>>> (if any) in front of AWS EC2 server should
>>>>>>>>>>>> not be the problem. Anything
>>>>>>>>>>>> else may be missing?
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Asking just in case :
>>>>>>>>>>> - are the 2 phones on the same network carrier ?
>>>>>>>>>>> - are they the same brand, or at least OS ?
>>>>>>>>>>> - if you connect them both to the same local WiFi,
>>>>>>>>>>>   do they still act differently ?
>>>>>>>>>>>
>>>>>>>>>>> Note : no idea if this makes any difference,
>>>>>>>>>>> but we're trying to find a reason why they act
>>>>>>>>>>> differently when using the same Internet
>>>>>>>>>>> application server, right ?
>>>>>>>>>>>
>>>>>>>>>>>> -aj
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Apr 28, 2020 at 12:30 AM Mark Thomas
>>>>>>>>>>>> <ma...@apache.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On 28/04/2020 07:47, Martin Grigorov
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> On Tue, Apr 28, 2020 at 9:11 AM AJ Chen
>>>>>>>>>>>>>> <ajc...@web2express.org> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Anyway to fix it? thanks.
>>>>>>>>>>>>>>> -aj
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> First you need to investigate whether
>>>>>>>>>>>>>> there is a proxy. Then what kind of
>>>>>>>>>>>>>> proxy. Then where is its configuration.
>>>>>>>>>>>>>> Then consult with its manual and see
>>>>>>>>>>>>>> whether there is something wrong/missing.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'd recommend taking a step back.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Guessing at what might be wrong and then
>>>>>>>>>>>>> trying to fix the problem you have only
>>>>>>>>>>>>> guessed at is unlikely to work.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can you recreate the problem? You can't
>>>>>>>>>>>>> tell if something is fixed if you can't
>>>>>>>>>>>>> recreate it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Once you recreate the problem then you can
>>>>>>>>>>>>> start to narrow it down. You need to track
>>>>>>>>>>>>> what is happening to the session ID. You'll
>>>>>>>>>>>>> probably need to add some information to
>>>>>>>>>>>>> the access log, possibly look at some raw
>>>>>>>>>>>>> network logs and/or look at HTTP headers on
>>>>>>>>>>>>> the client.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Somewhere in all of the above you should
>>>>>>>>>>>>> find out where the session ID is getting
>>>>>>>>>>>>> dropped. Then you need to figure out why.
>>>>>>>>>>>>> Only when you know why this is happening
>>>>>>>>>>>>> can you start to think about a solution.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Mark
>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Apr 27, 2020 at 10:54 PM
>>>>>>>>>>>>>>> Martin Grigorov <mgrigo...@apache.org>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Tue, Apr 28, 2020 at 2:23 AM AJ
>>>>>>>>>>>>>>>> Chen <ajc...@web2express.org> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> My web application using Tomcat 6
>>>>>>>>>>>>>>>>> can track user session (cookie by
>>>>>>>>>>>>>>>>> default) for mobile and PC users in
>>>>>>>>>>>>>>>>> dev environment. But when deployed on
>>>>>>>>>>>>>>>>> cloud server, it fails to track
>>>>>>>>>>>>>>>>> session for some mobile users. Meaning,
>>>>>>>>>>>>>>>>> servlet always creates a new
>>>>>>>>>>>>>>>>> session upon user request.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Any idea why this happens?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Most probably there is a proxy in
>>>>>>>>>>>>>>>> front of Tomcat in the cloud environment
>>>>>>>>>>>>>>>> which does not properly forward the
>>>>>>>>>>>>>>>> JSESSIONID cookie.
>
>>>> server.xml is configured for HTTPS.
>
> Can you verify that you aren't being MITM'd? The TLS certificate
> you host on your server is the one the client is seeing on the
> mobile handset?
>
> Are you able to reproduce this error with the Tomcat "examples"
> web application which includes a simple session demo?
>
> I'm wondering if your application adds something extra to the mix.
>
> -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl6rNtAACgkQHPApP6U8
pFi5RA/8DUy+g8Y4Tj5QfsEvrLtP5VJCBw7KpnbcdO/gewverGbYCREQXo5LJwBw
tcZTO0LDI5LVLxXpv+m75S6La5LEyxZAnC5HuL5Y8lcXEnOeVn5y53Mn+3HkU1jZ
Hy7BphVktt3LY9XI3CFvqHJnJGCL9OIY/u9KfMqHRC8GFhguvYgCDDzWycRjJWs3
oKnUHSJEDMSGcY848RxXm3GuWVFebjK9PxN0jIFee6UlTpl7bkOfJTJi5OEByIAw
c8aKPxCCEI5tZAQEIGHjoC4wQP3JsGsKzoqHFPIFhQSEL2NYZfJH9/Rq1oYCZNcy
h55X42znjYQJzDBW+zOt5qswzKNSBU90tBW6qlhepCgmk4fBexMKSUTgOK6hXRLI
9IYV2CB/Fx9EAb5O0TddO2dkXnpThmaNSg6A+NHQQCHk++I7/VLKkjqEnmhYo7cY
VPgndgRrjeBHi+PgsYVFgmqpLhZmQOO3Y9ckxEwMHM1a2UeLEEH8iswgJdNIaKMD
YizY8IAbNjHEwYNDCKIBrM3Keg8EQNdONdCl5SWBFYkevsLyKMvg1WOXD29q/F+d
DqeblMxxc4T1FMeJiPv40rkmJJ+Q0E2OnYCMBY6ZMiXCcRAEGQR5xyx+ekaLhu9h
SNPv3aUok0qVDaGGCccHIwGbYgvtTsITNP5D9lpyZD8jz67VOeo=
=esD8
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
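Chris's diagnosis above (a Connector with secure="true" makes Tomcat flag JSESSIONID as Secure, and a browser then withholds that cookie on plain-HTTP requests, so every request arrives without a session ID and the container creates a fresh session) can be reproduced without a server. The script below is an added example, not from the thread and not Tomcat's own code: it uses Python's standard-library cookie jar, which applies the same Secure-cookie rule a browser does, and the hostname, paths and session ID in it are constructed for the demo.

```python
"""Reproduce the "new session on every request" symptom from the thread.

With secure="true" on the Tomcat Connector, the JSESSIONID cookie is sent
with the Secure attribute. A conforming client stores it but only returns
it on https:// requests, so a plain-HTTP deployment sees a cookieless
request every time and creates a fresh session. The standard-library
cookie jar applies the same rule as a browser, so the effect can be
observed offline. Hostname, paths and session ID below are constructed
for this demo (example code, not Tomcat's own).
"""
import http.cookiejar
import urllib.request
from email.message import Message
from typing import Optional

HOST = "app.example.com"                          # constructed hostname
SESSION_ID = "7C1F2B8E0A3D4E5F6A7B8C9D0E1F2A3B"   # constructed session id


class _FakeResponse:
    """Stand-in for an HTTP response; CookieJar only calls .info() on it."""

    def __init__(self, set_cookie: str) -> None:
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._headers


def tomcat_session_cookie(connector_secure: bool) -> str:
    """Set-Cookie value the server emits for a new session.

    connector_secure mirrors the Connector's secure attribute: when it is
    true the cookie is flagged Secure regardless of the scheme actually used.
    """
    value = f"JSESSIONID={SESSION_ID}; Path=/; HttpOnly"
    if connector_secure:
        value += "; Secure"
    return value


def login(jar: http.cookiejar.CookieJar, scheme: str, connector_secure: bool) -> None:
    """Store the session cookie the login response would set."""
    req = urllib.request.Request(f"{scheme}://{HOST}/app/login")
    jar.extract_cookies(_FakeResponse(tomcat_session_cookie(connector_secure)), req)


def next_request_cookie(jar: http.cookiejar.CookieJar, scheme: str) -> Optional[str]:
    """Cookie header the client attaches to its next request, or None."""
    req = urllib.request.Request(f"{scheme}://{HOST}/app/home")
    jar.add_cookie_header(req)   # Secure cookies are skipped unless scheme is https
    return req.get_header("Cookie")


def session_is_tracked(connector_secure: bool, scheme: str) -> bool:
    """True if the server would see the same JSESSIONID on the next request."""
    jar = http.cookiejar.CookieJar()
    login(jar, scheme, connector_secure)
    header = next_request_cookie(jar, scheme)
    return header is not None and f"JSESSIONID={SESSION_ID}" in header


if __name__ == "__main__":
    for secure, scheme in [(True, "http"), (True, "https"), (False, "http")]:
        print(f'secure="{str(secure).lower()}" over {scheme}: '
              f'session tracked = {session_is_tracked(secure, scheme)}')
```

On a real deployment the same thing is visible on the wire: the login response carries `Set-Cookie: JSESSIONID=...; Secure` (alongside Path and HttpOnly), and the phone's next request over http:// has no `Cookie:` header at all, which is exactly the "new session on every request" pattern in the access log. The fix is the one Chris gives, serve the application over HTTPS only; dropping the Secure flag so the cookie flows over HTTP would make the session ID readable to anyone on the path.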