Yeah, I'm already sending some stuff over by URL anyway, but there seems to be some concern floating around the net regarding session hijacking if the session ID is readily available. However, although I wouldn't pretend to be an expert.
Anyway, I took Christopher's advice, and deleted all the cookies, even restarted my browser (it's been running for several days), and did some testing. I now have two (2!) JSESSIONID's in my browser, as well as userid and password cookies, but on the server side, it says no cookies were sent. And, I finally found the "Headers" section under "Net" in Firebug. As near as I can decipher this, all my requests are sending a JSESSIONID cookie *except* the one for the XMLHttpRequest. The first time running after deleting all the cookies, that request doesn't have any cookies. Because a session gets created, from that point forward it has the session it created with it sent back in the request header, but, of course, that session doesn't have any of the attributes stored in it. Looking at these cookies with the WebDeveloper tools in Firefox, the difference is that the new one created during the XMLHttpRequest is associated with a "/" path, the other one (the "real" one) with "/myAppName" path. Is is possible the difference in these path associations has something to do with not finding the session? I do use a different URL mapping for this servlet because of a "CheckUser" problem I had way back that started this whole chain. Next step is to download Frank's http://www.omnytex.com/test.zip and get that to work (also, I see what you mean by Headers under Firebug Console, now, too- it is also repeated under Firebug Net). > -----Original Message----- > From: Christopher Schultz [mailto:[EMAIL PROTECTED] > Sent: Tuesday, May 22, 2007 10:04 AM > To: Tomcat Users List > Subject: Re: Session IDs & XMLHttpRequests > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Allen, > > Williams, Allen wrote: > > Will it work with POST as well as GET? Although I guess > I'll soon find > > out;-) > > It should work equally well with GET and POST. The browser should send > cookies with every type of request (not just GET and POST). > > I strongly encourage you to make arrangements for non-cookie-using > people. When you emit the HTML (and javascript) to make your > XMLHttpRequest, try making the URL dynamic and running it through > HttpServletResponse.encodeURL to add the jsessionid to the > URL if necessary. > > This will make your application a little more friendly to those who > either don't have cookies available (usually an IT policy in an office > or something) or who choose to turn them off. I find this to be > courteous to your users. > > Just my .02. > > - -chris > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFGUvhK9CaO5/Lv0PARAtq0AKCfANKRxmb3ljBRiDLsb6gghTZHBgCcCdxW > tUbl8cpKi44F53BrbHBmRjA= > =zz// > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
