Christopher Schultz-2 wrote:
> 
> Iain,
> 
> On 2/19/2010 7:02 AM, iainmac wrote:
>> I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL.
>> 
>> I have a web application that checks for a current session, and if there
>> isn't one it sends the user to a login screen.  This is working fine from
>> Explorer as it did before in the previous version of Tomcat, but it keeps
>> saying the session is new in Firefox, Safari and Chrome.
>> 
>> In the jsp, this keeps taking me back to the login screen...
>> 
>>      if (session.getAttribute("userName")==null){
>>              response.sendRedirect("login.jsp");
>>              return;
>>      }
> 
> You might want to provide more information, such as:
> 
---------------------------
1. When do you set the "userName" attribute in the session?
On validation of the user.
2. When does authentication occur? How? Container-based, or your own?
I do also have container based as well as my own.
3. When does the session appear to be reset?
It's clear what's happening - just not sure why:
1. From logon screen a new session is created, against that the username and
other attributes are stored.
2. After the logon screen does this it then redirects to the actual page I
need.
3. This page is made up of a parent frame and 2 sub-frames.
4. The parent frame (the named page that the redirect is to) does that check
above i.e. tries to get the Username from the session object. This works
successfully.  This page begins to load.
5. The first sub-frame begins to load, tries the same check - in MSIE (and in
Tomcat 5.0.28 other browsers too) we are given the same validated session, so
all works fine.  In other browsers with 6.0.24 a new session is given, and
so I am again redirected to the logon page! In a loop!  Same thing happens
with second sub frame.

As a workaround I have simply rewritten my pages not to use frames, all
works fine.  I do wish new versions would keep default behaviour or make it
clear the default behaviour has changed.  I think it's related to the session
hijacking mentioned in the other reply, but I didn't understand all on the
linked page.
---------------------------

Christopher Schultz-2 wrote:
> 
> I'm surprised this is working any differently in MSIE than other
> browsers. Are you using any kind of javascript to drive this behavior?
> 
> - -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

-- 
View this message in context: 
http://old.nabble.com/6.0.24-SSL-Session-always-New-tp27652568p27658575.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

