From: Greg W. <gr...@we...> - 2006-09-04 13:17:31
Y,
I believe the problem may be that you have setSecureCookies(true) set on
your session manager. What version of Jetty are you using?
A secure cookie that is set on an https response will not be sent via
http if the ;Secure param is included with the cookie.
Can you look at the headers of the response that sets the
initial session ID and see if it has the secure parameter?
Once we know if that is the issue, and what version of Jetty you
are using, we can tell you how to turn it off..... but I would
recommend against it in most circumstances as it can make your
webapp very insecure as sessions can easily be stolen.
cheers
Y wrote:
> Hi,
>
> Let me try and explain again. In my application, when a user makes an HTTP
> request from their web browser, I have a filter to obtain the http session id
> and process information based on this session id.
>
>     HttpServletRequest httpreq;
>     try {
>         httpreq = (HttpServletRequest)request;
>     } catch (ClassCastException e) {
>         if (logger.isEnabledFor(Level.WARN)) {
>             logger.warn("Unable to cast to HTTP request");
>         }
>         return;
>     }
>
>     HttpSession session = httpreq.getSession();
>     logger.info("Session id: " + getId());
>     user = (MyUser)session.getAttribute("user");
>     if (user == null) {
>         // create a user and whack it in the session
>         user = new MyUser(request.getRemoteAddr(), httpreq);
>         session.setAttribute("user", user);
>     }
>     ...
>
> When this was deployed in an Apache-(ajp13)->Tomcat environment, a user can make
> an HTTP/HTTPS request from their IE or Mozilla Firefox browser (on the same PC or
> laptop), and I get the same session id.
>
> However, when I deploy this in an Apache-(ajp13)->Jetty environment, a user
> makes an HTTP/HTTPS request from their IE browser and I get a session id, and if
> the user makes another HTTP request from their Mozilla Firefox browser (on the
> same PC or laptop) I get a different (another) session id.
>
> How can I configure Jetty to behave the same as in Tomcat in dealing with
> session id?
> In the Servlet 2.3 Spec, it stated that " ...
> Secure Sockets Layer, the encryption technology used in the HTTPS protocol,
> has a mechanism built into it allowing multiple requests from a client to be
> unambiguously identified as being part of a session. A servlet container can
> easily use this data to define a session."
>
> Can I use this to address my problem? If so, how?
>
> Any help or comments are much appreciated as I am relatively new to web
> application development.
>
> Y
>
--
Greg Wilkins<gr...@we...> US: +1 3104915462 IT: +39 3349267680
http://www.webtide.com UK: +44(0)2079932589 AU: +61(0)417786631
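
The header check requested in the reply above, as an added example that is not part of the original message or of Jetty's code: it parses the Set-Cookie header of a constructed https response and reports whether a browser would return the session cookie on http and on https. The cookie name JSESSIONID and the sample response are assumptions made for the illustration.

```python
# Constructed sample response, not captured from the poster's server.
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123constructed;Path=/;Secure\r\n"
    "\r\n"
    "<html></html>"
)


def parse_set_cookies(raw_response):
    """Return one dict per Set-Cookie header: name, value, lower-cased attrs."""
    cookies = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        field, _, content = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in content.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            if part:
                key, _, val = part.partition("=")
                attrs[key.strip().lower()] = val.strip()
        cookies.append({"name": name, "value": value, "attrs": attrs})
    return cookies


def sent_on(cookie, scheme):
    """A browser returns a cookie marked Secure only on https requests."""
    return scheme == "https" or "secure" not in cookie["attrs"]


def diagnose(raw_response, session_cookie="JSESSIONID"):
    """Per scheme, does the session cookie come back to the server?"""
    for cookie in parse_set_cookies(raw_response):
        if cookie["name"] == session_cookie:
            return {s: sent_on(cookie, s) for s in ("http", "https")}
    return None  # the response did not set a session cookie


if __name__ == "__main__":
    print(diagnose(HTTPS_RESPONSE))
```

A result of False for http means the container never sees the session ID on plain-http requests and creates a new session for them.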