Re: Tomcat refusing jsessionid's
On Sat, 25 May 2002, tek1 wrote:

> is it possible for a client to append JSESSIONID=sessionId to the url (i.e. http://theurl.com/theservlet?JSESSIONID=A4A0314540585318A4F5E327F1457375) and still use the POST method, or is the usage of GET mandatory?

Sessions work just fine with both GET and POST -- but they are guaranteed to fail if used in the manner you described above. The reason for this is that session ids are *path* parameters, not *query* parameters. In addition, the parameter name is jsessionid instead of JSESSIONID. Try something like this instead:

http://theurl.com/theservlet;jsessionid=A4A0314540585318A4F5E327F1457375

(Note the semicolon rather than the question mark). See the servlet specification (http://java.sun.com/products/servlet/download.html) and the relevant RFCs about URL syntax, to understand the differences.

> thanks.

Craig
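Added example, not part of the original thread and not Tomcat's own code: a simplified model of the path-versus-query distinction described in the reply above, run over the URLs quoted in this thread plus two constructed ones. The class and method names are hypothetical, and the case-sensitive match on `jsessionid` follows what the reply states.

```java
import java.net.URI;
import java.util.Optional;

/** Added illustration; class and method names are hypothetical, not Tomcat's API. */
public class SessionIdLocator {

    // Name given in the reply above; compared case-sensitively, as the reply states.
    private static final String PARAM = "jsessionid";

    /** Session id carried as a path parameter (";jsessionid=..."), if any. */
    static Optional<String> pathSessionId(URI uri) {
        String path = uri.getRawPath();
        if (path == null) {
            return Optional.empty();
        }
        for (String segment : path.split("/")) {
            // A segment looks like "name;param1=value1;param2=value2".
            String[] parts = segment.split(";");
            for (int i = 1; i < parts.length; i++) {
                if (parts[i].startsWith(PARAM + "=")) {
                    return Optional.of(parts[i].substring(PARAM.length() + 1));
                }
            }
        }
        return Optional.empty();
    }

    /** True if the query string carries a jsessionid-like name in any letter case. */
    static boolean queryHasSessionIdName(URI uri) {
        String query = uri.getRawQuery();
        if (query == null) {
            return false;
        }
        for (String pair : query.split("&")) {
            String name = pair.split("=", 2)[0];
            if (name.equalsIgnoreCase(PARAM)) {
                return true;
            }
        }
        return false;
    }

    /** Says where, if anywhere, the URL carries a usable session id. */
    static String describe(String url) {
        URI uri = URI.create(url);
        Optional<String> id = pathSessionId(uri);
        if (id.isPresent()) {
            return "path parameter, session id = " + id.get();
        }
        if (queryHasSessionIdName(uri)) {
            return "query parameter only: an ordinary request parameter, not a session id";
        }
        return "no session id in URL";
    }

    public static void main(String[] args) {
        String id = "A4A0314540585318A4F5E327F1457375"; // id quoted in the thread
        String[] urls = {
            "http://theurl.com/theservlet?JSESSIONID=" + id,      // from the question
            "http://www.reseller.com:10001/anacreon/servlet/CustomerIndexServlet?jsessionid=" + id, // from the original post
            "http://theurl.com/theservlet;jsessionid=" + id,      // from the reply
            "http://theurl.com/theservlet;jsessionid=" + id + "?item=42", // constructed: query after the path parameter
            "http://theurl.com/theservlet;JSESSIONID=" + id,      // constructed: wrong letter case
        };
        for (String url : urls) {
            System.out.println(describe(url) + "  <-  " + url);
        }
    }
}
```

Only the third and fourth URLs yield a session id; the first two carry the value in the query string, and the last uses the wrong letter case for the path parameter name.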
Re: Tomcat refusing jsessionid's
just to confirm, jsessionid can be used regardless of whether or not one is using GET or POST?

thanks.

At 10:33 02/05/27 -0700, you wrote:

> Sessions work just fine with both GET and POST -- but they are guaranteed to fail if used in the manner you described above. The reason for this is that session ids are *path* parameters, not *query* parameters. In addition, the parameter name is jsessionid instead of JSESSIONID. Try something like this instead:
>
> http://theurl.com/theservlet;jsessionid=A4A0314540585318A4F5E327F1457375
>
> (Note the semicolon rather than the question mark). See the servlet specification (http://java.sun.com/products/servlet/download.html) and the relevant RFCs about URL syntax, to understand the differences.
>
> > thanks.
>
> Craig
Re: Tomcat refusing jsessionid's
Cool, after I wrote it I thought that might be what you meant. Maybe you should just turn off cookies and _only_ use url rewriting? That's what I'd try, but maybe you have a reason not to do that?

fillup

On 5/25/02 8:24 PM, Jiger Java wrote:

> Philip, I did try using url re-writing using jsessionid's; that is why I wrote this mail. Tomcat seems to use jsessionid in cookies first if not there only then take jsessionid from url. This is my guess coz that is what is happening. Does anyone have any idea how to force using jsessionid in such situations to make user jump between two domains (though they are in reality same machine same tomcat) without his knowledge.
>
> -Jiger
Re: Tomcat refusing jsessionid's
I am appending jsessionid to the url. About POST or GET: I am doing a meta refresh, so it is a GET I believe.

Jiger

On Sat, 25 May 2002 23:45:12 +0900, tek1 wrote:

> is it possible for a client to append JSESSIONID=sessionId to the url (i.e. http://theurl.com/theservlet?JSESSIONID=A4A0314540585318A4F5E327F1457375) and still use the POST method, or is the usage of GET mandatory?
>
> thanks.
Re: Tomcat refusing jsessionid's
HTTP sessions: browsers are configured to associate cookies with domain names. They will not transmit a cookie to a domain other than the originating domain (at least they shouldn't). It has nothing to do with IP address, only domain name.

I am not sure I understand your question, but if I am reading it correctly, the only thing you can do is some manual persistence scheme, such as using a database and url rewriting or some similar scheme.

does this help?

fillup

On 5/25/02 3:43 AM, Jiger Java wrote:

> Hi,
>
> I have checked the archives already but did not come across similar problems, so I would like to ask it.
>
> My Platform:
> Tomcat 4.0.
> JDK 1.4
> RHT Linux
>
> We have this application hosted on a generic server, say http://www.server.com. Now our resellers can map their DNS such that www.reseller.com points to www.server.com. This will be dynamic (since resellers will be doing it themselves), so I can't use the virtual host feature of Tomcat. The idea is that the customer of that reseller should not come to know that they are actually buying stuff from us, so the customer *always* sees the reseller's website url in his browser. All pages post to http://www.reseller.com/customer/xyz, which would post to us due to DNS mapping. So far so good.
>
> But in many critical places like Login, customer signup, we have hardcoded urls to our https:// server (same machine same tomcat) because resellers need not buy Secure Certificates. This is the problem. In spite of my adding jsessionid to all such pages, right from posting to https:// to META refreshes, I still can't seem to get back the session. Logically, if I pass in the right sessionid, Tomcat should pick up the correct session, but it is still picking up the pre-login session, refusing the new sessionid got in the Authenticationservlet.
>
> I attach the jsessionid something like this:
>
> http://www.reseller.com:10001/anacreon/servlet/CustomerIndexServlet?jsessionid=A4A0314540585318A4F5E327F1457375
>
> Does anyone have any idea how to solve it? Please ask me if you need more clarifications. I need to get this thing out.
>
> Thanks
> Awaiting your replies,
> Jiger
Re: Tomcat refusing jsessionid's
Philip, I did try using url re-writing using jsessionid's; that is why I wrote this mail. Tomcat seems to use jsessionid in cookies first if not there only then take jsessionid from url. This is my guess coz that is what is happening. Does anyone have any idea how to force using jsessionid in such situations to make user jump between two domains (though they are in reality same machine same tomcat) without his knowledge.

-Jiger

On Sat, 25 May 2002 09:14:27 -0700, Phillip Morelock wrote:

> HTTP sessions: browsers are configured to associate cookies with domain names. They will not transmit a cookie to a domain other than the originating domain (at least they shouldn't). It has nothing to do with IP address, only domain name.
>
> I am not sure I understand your question, but if I am reading it correctly, the only thing you can do is some manual persistence scheme, such as using a database and url rewriting or some similar scheme.
>
> does this help?
>
> fillup
Re: Tomcat refusing jsessionid's
is it possible for a client to append JSESSIONID=sessionId to the url (i.e. http://theurl.com/theservlet?JSESSIONID=A4A0314540585318A4F5E327F1457375) and still use the POST method, or is the usage of GET mandatory?

thanks.

At 08:54 02/05/26 +0530, you wrote:

> Philip, I did try using url re-writing using jsessionid's; that is why I wrote this mail. Tomcat seems to use jsessionid in cookies first if not there only then take jsessionid from url. This is my guess coz that is what is happening. Does anyone have any idea how to force using jsessionid in such situations to make user jump between two domains (though they are in reality same machine same tomcat) without his knowledge.
>
> -Jiger