From: Y <yb...@ya...> - 2006-09-07 05:26:59
Hi Greg,
I'm using Jetty 4.2.6.
For further information on my web application, all HTTP requests are
rewritten to HTTPS requests to a particular URL.
Y
Greg Wilkins wrote:
>
>
> Y,
>
> I believe the problem may be that you have setSecureCookies(true) set on
> your session manager. What version of jetty are you using?
>
> A secure cookie that is set on an https response will not be sent via
> http if the ;Secure param is included with the cookie.
>
> Can you look at the headers of the response that sets the
> initial session ID and see if it has the secure parameter.
>
> Once we know if that is the issue, and what version of jetty you
> are using, we can tell you how to turn it off..... but I would
> recommend against it in most circumstances as it can make your
> webapp very insecure as sessions can easily be stolen.
>
> cheers
>
>
>
> Y wrote:
>> Hi,
>>
>> Let me try and explain again. In my application, when a user makes an HTTP
>> request from their web browser, I have a filter to obtain the http session id
>> and process information based on this session id.
>>
>>     HttpServletRequest httpreq;
>>     try {
>>         httpreq = (HttpServletRequest)request;
>>     } catch (ClassCastException e) {
>>         if (logger.isEnabledFor(Level.WARN)) {
>>             logger.warn("Unable to cast to HTTP request");
>>         }
>>         return;
>>     }
>>
>>     // getSession() creates a new session if the request carries no valid session id
>>     HttpSession session = httpreq.getSession();
>>     logger.info("Session id: " + session.getId());
>>     user = (MyUser)session.getAttribute("user");
>>     if (user == null) {
>>         // create a user and whack it in the session
>>         user = new MyUser(request.getRemoteAddr(), httpreq);
>>         session.setAttribute("user", user);
>>     }
>>     ...
>>
>> When this was deployed in an Apache-(ajp13)->Tomcat environment, a user can
>> make an HTTP/HTTPS request from their IE or Mozilla Firefox browser (on the
>> same PC or laptop), and I get the same session id.
>>
>> However, when I deploy this in an Apache-(ajp13)->Jetty environment, a user
>> makes an HTTP/HTTPS request from their IE browser and I get a session id, and
>> if the user makes another HTTP request from their Mozilla Firefox browser (on
>> the same PC or laptop) I get a different (another) session id.
>>
>> How can I configure Jetty to behave the same as in Tomcat in dealing with
>> session id?
>> In the Servlet 2.3 Spec, it is stated that " ...
>> Secure Sockets Layer, the encryption technology used in the HTTPS protocol,
>> has a mechanism built into it allowing multiple requests from a client to be
>> unambiguously identified as being part of a session. A servlet container can
>> easily use this data to define a session."
>>
>> Can I use this to address my problem? If so, how?
>>
>> Any help or comments are much appreciated as I am relatively new to web
>> application development.
>>
>> Y
>>
>
>
> --
> Greg Wilkins<gr...@we...> US: +1 3104915462 IT: +39 3349267680
> http://www.webtide.com UK: +44(0)2079932589 AU: +61(0)417786631
--
View this message in context: http://www.nabble.com/Differences-in-Tomcat-and-Jetty-in-session-id-tracking-tf2020698.html#a6184438
Sent from the Jetty Discuss forum at Nabble.com.
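
The header check Greg asks for in the quoted reply, as an added example that is not part of the original thread or of Jetty: it finds the session cookie in a response's Set-Cookie headers, reports whether the Secure attribute is present, and models the browser rule that a Secure cookie is only returned over https. The cookie name JSESSIONID and the sample header lines are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed response headers (not captured from the poster's server).
HTTPS_RESPONSE_SECURE = ["Content-Type: text/html",
                         "Set-Cookie: JSESSIONID=abc123; Path=/; Secure"]
HTTPS_RESPONSE_PLAIN = ["Content-Type: text/html",
                        "Set-Cookie: JSESSIONID=abc123; Path=/"]


def session_cookie(header_lines, name="JSESSIONID"):
    """Return (value, secure_flag) for the session cookie, or None if absent."""
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())
        if name in jar:
            morsel = jar[name]
            # morsel["secure"] is True when the flag is present, "" otherwise
            return morsel.value, bool(morsel["secure"])
    return None


def cookie_sent(header_lines, scheme, name="JSESSIONID"):
    """Session id the browser would send back on a later request over `scheme`.

    None means no session cookie is sent, so the container sees no session id
    and getSession() creates a new session.
    """
    found = session_cookie(header_lines, name)
    if found is None:
        return None
    value, secure = found
    if secure and scheme != "https":
        return None  # Secure cookies are withheld on plain http
    return value


if __name__ == "__main__":
    for label, headers in (("with ;Secure", HTTPS_RESPONSE_SECURE),
                           ("without ;Secure", HTTPS_RESPONSE_PLAIN)):
        for scheme in ("https", "http"):
            sent = cookie_sent(headers, scheme)
            print(f"{label:16} next {scheme:5} request sends: {sent}")
```
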