Hi, I discovered that (perhaps) the problem arises in the following rows in the Request class:

    // Attempt to reuse session id if one was submitted in a cookie
    // Do not reuse the session id if it is from a URL, to prevent possible
    // phishing attacks
    if (connector.getEmptySessionPath() && isRequestedSessionIdFromCookie()) {
        session = manager.createSession(getRequestedSessionId());
    } else {
        session = manager.createSession(null);
    }

I have emptySessionPath=true and the session id is stored in the JSESSIONID cookie, so the code goes into the first branch, reusing the session id. I don't understand very well the comment in the code where it says "Attempt to reuse session id if one was submitted in a cookie"; is there any reason for this? Is it correct to comment out this if statement in order to always call createSession(null), or is there another way to work around this?

Thanks in advance.
Andrea

2010/11/30 Andrea Corti <ilgrandemazin...@gmail.com>

> Yes, I have emptySessionPath=true in connectors; is this the issue?
>
> Thanks for the link, now I'm trying to debug in order to find some more
> details for you experts.
>
> Thanks.
>
> 2010/11/30 Konstantin Kolinko <knst.koli...@gmail.com>
>
>> >> > Follows an extract from a test servlet:
>> >> >
>> >> >     HttpSession s = req.getSession();
>> >> >     if (s==null) {
>> >> >         System.out.println(mt+":Session is null");
>> >> >     } else {
>> >> >         System.out.println(mt+":Session id="+s.getId()+"\t New="+s.isNew());
>> >> >     }
>> >> >     System.out.println("pre- invalidate");
>> >> >     s.invalidate();
>> >> >     System.out.println("post- invalidate: id="+s.getId());
>> >> >     s = req.getSession(true);
>> >> >     System.out.println("post- get new: id="+s.getId());
>> >>
>> >> Okay, what does the above servlet print when you access it via HTTP, and
>> >> then access it via HTTPS?
>> >
>> > HTTP Output:
>> > POST:Session id=F5FAF6115F7BA37ECDA22299C9B3B4BC New=true
>> > pre- invalidate
>> > sessionDestroyed [F5FAF6115F7BA37ECDA22299C9B3B4BC] <-- this log is printed
>> > by a HttpSessionListener
>> > post- invalidate: id=F5FAF6115F7BA37ECDA22299C9B3B4BC
>> > sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by
>> > a HttpSessionListener
>> > post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>> >
>> > We can notice that the session id after the GetSession(true) is different
>> > from the previous one.
>> >
>> > HTTPS Output:
>> > POST:Session id=36BA1CCC7AEC8A9808027D57B6A5A52A New=false
>> > pre- invalidate
>> > sessionDestroyed [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed
>> > by a HttpSessionListener
>> > post- invalidate: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>> > sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by
>> > a HttpSessionListener
>> > post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>> >
>> > In this case the session id is always the same!
>> >
>>
>> Do you, by a chance, have emptySessionPath=true on your Connector?
>>
>> > I saw that between release 28
>> > and 29 the following class has been changed but I'm not able to debug it.
>> > java\org\apache\catalina\connector\Response.java (method
>> > addSessionCookieInternal)
>>
>> http://wiki.apache.org/tomcat/FAQ/Developing
>>
>> Best regards,
>> Konstantin Kolinko
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
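As an added example that is not part of this thread or of Tomcat itself, the following Java class (hypothetical names: SessionIdReuseDemo, idRotates, getSession) models the quoted doGetSession() branch with an in-memory stand-in for the Manager and replays the test servlet's getSession / invalidate / getSession(true) sequence, so the HTTP and HTTPS outputs above can be reproduced side by side; it also goes beyond the thread by covering the two cases it does not show (emptySessionPath=false, and an id that arrived in the URL).

```java
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

// Added example, not Tomcat's code: a hypothetical stand-in that models only the
// Request.doGetSession() branch quoted in the message above.
public class SessionIdReuseDemo {
    static final Set<String> live = new HashSet<>();   // stand-in for the Manager's session map
    static String createSession(String requestedId) {  // fires sessionCreated [id]
        String id = requestedId != null ? requestedId
                : UUID.randomUUID().toString().replace("-", "").toUpperCase();
        live.add(id);
        return id;
    }

    static void invalidate(String id) { live.remove(id); }  // fires sessionDestroyed [id]

    // Models doGetSession(create=true). emptySessionPath is the Connector attribute;
    // requestedId is the JSESSIONID the client presented (null if none);
    // fromCookie is false when the id came from a ;jsessionid= URL path parameter.
    static String getSession(boolean emptySessionPath, String requestedId, boolean fromCookie) {
        if (requestedId != null && live.contains(requestedId)) return requestedId;
        // The quoted branch: reuse the submitted id only if it arrived in a cookie
        if (emptySessionPath && fromCookie && requestedId != null) {
            return createSession(requestedId);
        }
        return createSession(null);
    }

    // Replays the test servlet: getSession(), invalidate(), getSession(true).
    // Returns true when the second call hands out a different id, i.e. the id rotated.
    static boolean idRotates(boolean emptySessionPath, String cookieId, boolean fromCookie) {
        live.clear();
        if (cookieId != null) createSession(cookieId);     // session created by an earlier request
        String before = getSession(emptySessionPath, cookieId, fromCookie);
        invalidate(before);                                // s.invalidate()
        String after = getSession(emptySessionPath, cookieId, fromCookie);   // req.getSession(true)
        return !before.equals(after);
    }

    public static void main(String[] args) {
        String id = "36BA1CCC7AEC8A9808027D57B6A5A52A";    // id taken from the HTTPS log above
        System.out.println("no cookie (first HTTP hit), emptySessionPath=true: rotated=" + idRotates(true, null, true));
        System.out.println("cookie (HTTPS hit), emptySessionPath=true:         rotated=" + idRotates(true, id, true));
        System.out.println("cookie, emptySessionPath=false:                    rotated=" + idRotates(false, id, true));
        System.out.println("id from URL, emptySessionPath=true:                rotated=" + idRotates(true, id, false));
    }
}
```

Only the cookie-plus-emptySessionPath=true case keeps the old id across invalidate(), which is exactly the HTTPS log; a regression test for id rotation after invalidate() can assert on idRotates directly.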