RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Hi Guys,

First of all thanks for your assistance so far. I played a lot trying to remove the response.setHeader() and leaving meta tags only in my code, then, removing meta-tags and leaving response.setHeader(), I tried all possible combinations of meta tags, etc.

What I ended up and thought of letting you know is that the problem was caused by using response.setHeader(). By removing these statements and leaving the relevant Cache-control, Expires and Pragma meta-tags in the code, all works fine. It is indeed very strange to notice this, it should not really make any difference and cause problems to FireFox specifically.

Once more thanks for your support.

Michael

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 17 February 2006 07:38
To: 'George Sexton'; 'Tomcat Users List'
Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Thanks for the suggestion George. I don't think it is the proxy because IE and other browsers work with the same proxy so I don't see why FireFox should not. I will try your suggestion though and let you know the outcome.

As far as other suggestions, no. 1 is particularly interesting and will try it, as well as no. 2. For your third suggestion I explained to you why I am doing it. As far as the X-Cache: MISS, etc. these appear with IE as well but IE works so it can't be the problem.

Michael

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED]
Sent: 17 February 2006 05:22
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Since I regularly use Firefox and sessions I'm pretty sure that there is really nothing unique to that combination that is causing the problem. It could be the proxy server below is causing the issue. The obvious thing to do would be to try from a different network without a proxy server and see if your issue clears up.

I would also recommend that you do a little cleanup on your HTML pages and see if there is some effect on the issue. The specific things I would fix in your HTML are:

1) No DocType, causing the page to render in Quirks mode. FYI, this will cause differences in the box model which will result in IE 6.0 and FireFox/Mozilla displaying pages very differently.
2) No Content type/charset meta in the header.
3) You have a duplicate HEAD block in the bottom of your page.

Your reference to the cache-control entry:

Cache-Control: max-age=0

Doesn't appear in my browser. I would suspect that it's being added by your proxy server.

X-Cache: MISS from proxy01.spidernet.net
X-Cache-Lookup: MISS from proxy01.spidernet.net:83

I would also say that if you're going to use the addHeader() to put in cache/pragma entries that you should not use the META tags.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 3:38 PM
To: 'Tomcat Users List'
Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Dear all,

Thanks for your replies to my problem. However, I think the discussion has been diverted into a debate totally irrelevant to the issue.

As far as Chuck's question whether this could be related to the popup, this is not the case as the problem happens on other pages too, even on index.jsp (first page)

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Hi Michael,

use LiveHttpHeaders to track all requests until you get your session expired. Then post the log from that here. You only posted one request, how can a session expire for one request :) - it can't

Filip

Michael Andreas Omerou wrote:
> Dear all,
>
> Thanks for your replies to my problem. However, I think the discussion has been diverted into a debate totally irrelevant to the issue.
>
> As far as Chuck's question whether this could be related to the popup, this is not the case as the problem happens on other pages too, even on index.jsp (first page)
>
> Regarding Filip's email and monitoring HTTP Headers I am impressed that it seems to work for you. I run FireFox on Windows XP Pro SP2 and what happens is that when a page finishes loading, the session expires on the server. When the user/browser requests another page the correct session id is sent from the browser but the server detects that this session id sent is no more valid (expired) and so we have a timeout. However, this behaviour, only occurs with FireFox. I tried it from another PC with XP Pro SP2 too but the problem is the same. With IE, NetScape and Opera all is ok.
>
> I want to emphasize that this behaviour does not happen only when switching from SSL to non-SSL or vice versa. Even if I try to access pages such as the About Us or the Contact Us the session expires again. However, in that case the problem is not visible to the user since those pages do not contain any session specific data so even with a new session it is ok.
>
> Try the following though and you will see what I mean. On tophotelchoices.com do a search for a hotel. Let the results be displayed and then, go to the About Us page. Then, click your browser's back button and instead of going back to the search results you get a timeout (if you get search results it will be from browser's cache, do a reload and you will get timeout).
>
> Monitoring the HTTP headers for both IE and Firefox using HttpAnalyzer for IE and LiveHttpHeaders for Firefox gives the following:
>
> 1) IE
>
> (Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
> Accept:*/*
> Accept-Language:en-gb
> Accept-Encoding:gzip, deflate
> User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
> Host:www.tophotelchoices.com
> Proxy-Connection:Keep-Alive
> Pragma:no-cache
> Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D
>
> (Status-Line):HTTP/1.0 200 OK
> Date:Thu, 16 Feb 2006 22:09:18 GMT
> Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
> Cache-Control:no-cache
> Pragma:no-cache
> Expires:Wed, 31 Dec 1969 23:59:59 GMT
> Content-Type:text/html;charset=UTF-8
> X-Cache:MISS from proxy01.spidernet.net
> X-Cache-Lookup:MISS from proxy01.spidernet.net:83
> Proxy-Connection:close
>
> 2) FIREFOX:
>
> GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
> Host: www.tophotelchoices.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-gb,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://www.tophotelchoices.com/timeout.jsp
> Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
> Cache-Control: max-age=0
>
> HTTP/1.x 200 OK
> Date: Thu, 16 Feb 2006 22:12:27 GMT
> Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
> Cache-Control: no-cache
> Pragma: no-cache
> Expires: Wed, 31 Dec 1969 23:59:59 GMT
> Content-Type: text/html;charset=UTF-8
> X-Cache: MISS from proxy01.spidernet.net
> X-Cache-Lookup: MISS from proxy01.spidernet.net:83
> Proxy-Connection: close
>
> Obviously, the response is the same in both cases, however, for FireFox the important difference I see in Request is the one saying Cache-control: max-age=0 and also, the Keep-Alive value 300. I do not think the Keep-Alive value is the problem, however, the Cache-Control: max-age=0 is suspicious. In my code I have response.setHeader("Cache-Control", "no-cache") but I think this is different.
>
> Does anyone have a clue what the max-age:0 is doing?
>
> Your help will be greatly appreciated.
>
> Thanks and regards,
> Michael
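Added example (not part of the original thread): one way to act on the advice above is to save the whole LiveHTTPHeaders-style capture and let a script follow the JSESSIONID through every exchange, reporting the first request whose session id the server answered with a different one. The capture, host name, session ids and function names below are constructed for illustration; the script assumes cookie-based session tracking, where a Set-Cookie: JSESSIONID on a request that already carried one means the server started a new session instead of using the one presented.

```python
"""Trace JSESSIONID continuity through a LiveHTTPHeaders-style capture."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed capture for illustration (hypothetical host and session ids),
# laid out like the dumps in the thread: URL line, request block, response block.
SAMPLE_CAPTURE = """\
http://www.example.test/index.jsp

GET /index.jsp HTTP/1.1
Host: www.example.test

HTTP/1.x 200 OK
Set-Cookie: JSESSIONID=AAAA1111; Path=/
Cache-Control: no-cache

http://www.example.test/searchResults.jsp

GET /searchResults.jsp HTTP/1.1
Host: www.example.test
Cookie: JSESSIONID=AAAA1111

HTTP/1.x 200 OK
Cache-Control: no-cache

http://www.example.test/aboutUs.jsp

GET /aboutUs.jsp HTTP/1.1
Host: www.example.test
Cookie: lang=en; JSESSIONID=AAAA1111
Cache-Control: max-age=0

HTTP/1.x 200 OK
Set-Cookie: JSESSIONID=BBBB2222; Path=/
Cache-Control: no-cache
"""

REQUEST_LINE = re.compile(r"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s+HTTP/\S+$")
SESSION_ID = re.compile(r"(?:^|;\s*)JSESSIONID=([^;\s]+)")


@dataclass
class Exchange:
    url: str
    sent_id: Optional[str]                # JSESSIONID in the request Cookie header
    issued_id: Optional[str]              # JSESSIONID in the response Set-Cookie header
    request_cache_control: Optional[str]  # client-side directive, kept for comparison


def _headers(lines: List[str]) -> List[Tuple[str, str]]:
    """Split 'Name: value' lines, keeping duplicates and lowercasing names."""
    parsed = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            parsed.append((name.strip().lower(), value.strip()))
    return parsed


def _session_id(headers: List[Tuple[str, str]], header_name: str) -> Optional[str]:
    for name, value in headers:
        if name == header_name:
            match = SESSION_ID.search(value)
            if match:
                return match.group(1)
    return None


def parse_capture(text: str) -> List[Exchange]:
    """Pair each request block with the response block that follows it."""
    blocks = [b.splitlines() for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    exchanges, pending = [], None
    for block in blocks:
        first = block[0].strip()
        match = REQUEST_LINE.match(first)
        if match:
            pending = (match.group(1), _headers(block[1:]))
        elif first.startswith("HTTP/") and pending is not None:
            url, req = pending
            resp = _headers(block[1:])
            cache_control = next((v for n, v in req if n == "cache-control"), None)
            exchanges.append(Exchange(url, _session_id(req, "cookie"),
                                      _session_id(resp, "set-cookie"), cache_control))
            pending = None
        # Any other block (for example the bare URL line) is ignored.
    return exchanges


def session_events(exchanges: List[Exchange]) -> List[Tuple[int, str, str]]:
    """Label each exchange: created, kept, replaced, reissued or no-session."""
    events = []
    for number, ex in enumerate(exchanges, 1):
        if ex.issued_id is None:
            # No new cookie issued: the presented id was not replaced.
            kind = "kept" if ex.sent_id else "no-session"
        elif ex.sent_id is None:
            kind = "created"
        elif ex.issued_id != ex.sent_id:
            kind = "replaced"   # server did not use the id the browser sent
        else:
            kind = "reissued"
        events.append((number, ex.url, kind))
    return events


def first_session_loss(exchanges: List[Exchange]) -> Optional[Tuple[int, Exchange]]:
    """Return (exchange number, exchange) where the sent id was first replaced."""
    for number, ex in enumerate(exchanges, 1):
        if ex.sent_id and ex.issued_id and ex.issued_id != ex.sent_id:
            return number, ex
    return None


if __name__ == "__main__":
    parsed = parse_capture(SAMPLE_CAPTURE)
    for event in session_events(parsed):
        print(event)
    print("first loss:", first_session_loss(parsed))
```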
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Since less than 2% of the users out there now have IE 5.x, I would personally drop this.

Even further, once you set a valid doctype you ought to think about running your pages through the w3 validator

http://validator.w3.org/

Doing so can reduce the cases where your pages work differently in different browsers.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 10:18 PM
To: 'George Sexton'; 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

This is really an old thing I read somewhere that IE might not respond to the top headers so the only way to force IE to work as you want it to (no caching) was to do this (put one more header at the end). Back at that time (IE 5 was used with 6 not being released yet) this solved many problems for me, so since then I use this trick in my code whenever I do not want caching.

Michael

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED]
Sent: 17 February 2006 04:42
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Just out of curiosity, why do your pages have two HEAD blocks (one at the top, and one at the bottom of the page)?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
And yet it would be so easy to test. You seem to think that the presence of this header (and how it alters the page results) will affect both browsers in the same way. Why do you think this?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] On Behalf Of BuyRentVillas.com Administrator
Sent: Thursday, February 16, 2006 10:35 PM
To: 'George Sexton'; 'Tomcat Users List'
Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Thanks for the suggestion George. I don't think it is the proxy because IE and other browsers work with the same proxy so I don't see why FireFox should not. I will try your suggestion though and let you know the outcome.

As far as other suggestions, no. 1 is particularly interesting and will try it, as well as no. 2. For your third suggestion I explained to you why I am doing it. As far as the X-Cache: MISS, etc. these appear with IE as well but IE works so it can't be the problem.

Michael

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED]
Sent: 17 February 2006 05:22
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Since I regularly use Firefox and sessions I'm pretty sure that there is really nothing unique to that combination that is causing the problem. It could be the proxy server below is causing the issue. The obvious thing to do would be to try from a different network without a proxy server and see if your issue clears up.

I would also recommend that you do a little cleanup on your HTML pages and see if there is some effect on the issue. The specific things I would fix in your HTML are:

1) No DocType, causing the page to render in Quirks mode. FYI, this will cause differences in the box model which will result in IE 6.0 and FireFox/Mozilla displaying pages very differently.
2) No Content type/charset meta in the header.
3) You have a duplicate HEAD block in the bottom of your page.

Your reference to the cache-control entry:

Cache-Control: max-age=0

Doesn't appear in my browser. I would suspect that it's being added by your proxy server.

X-Cache: MISS from proxy01.spidernet.net
X-Cache-Lookup: MISS from proxy01.spidernet.net:83

I would also say that if you're going to use the addHeader() to put in cache/pragma entries that you should not use the META tags.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 3:38 PM
To: 'Tomcat Users List'
Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Dear all,

Thanks for your replies to my problem. However, I think the discussion has been diverted into a debate totally irrelevant to the issue.

As far as Chuck's question whether this could be related to the popup, this is not the case as the problem happens on other pages too, even on index.jsp (first page)
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Dear all,

Thanks for your replies to my problem. However, I think the discussion has been diverted into a debate totally irrelevant to the issue.

As far as Chuck's question whether this could be related to the popup, this is not the case as the problem happens on other pages too, even on index.jsp (first page)

Regarding Filip's email and monitoring HTTP Headers I am impressed that it seems to work for you. I run FireFox on Windows XP Pro SP2 and what happens is that when a page finishes loading, the session expires on the server. When the user/browser requests another page the correct session id is sent from the browser but the server detects that this session id sent is no more valid (expired) and so we have a timeout. However, this behaviour, only occurs with FireFox. I tried it from another PC with XP Pro SP2 too but the problem is the same. With IE, NetScape and Opera all is ok.

I want to emphasize that this behaviour does not happen only when switching from SSL to non-SSL or vice versa. Even if I try to access pages such as the About Us or the Contact Us the session expires again. However, in that case the problem is not visible to the user since those pages do not contain any session specific data so even with a new session it is ok.

Try the following though and you will see what I mean. On tophotelchoices.com do a search for a hotel. Let the results be displayed and then, go to the About Us page. Then, click your browser's back button and instead of going back to the search results you get a timeout (if you get search results it will be from browser's cache, do a reload and you will get timeout).

Monitoring the HTTP headers for both IE and Firefox using HttpAnalyzer for IE and LiveHttpHeaders for Firefox gives the following:

1) IE

(Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
Accept:*/*
Accept-Language:en-gb
Accept-Encoding:gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
Host:www.tophotelchoices.com
Proxy-Connection:Keep-Alive
Pragma:no-cache
Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D

(Status-Line):HTTP/1.0 200 OK
Date:Thu, 16 Feb 2006 22:09:18 GMT
Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control:no-cache
Pragma:no-cache
Expires:Wed, 31 Dec 1969 23:59:59 GMT
Content-Type:text/html;charset=UTF-8
X-Cache:MISS from proxy01.spidernet.net
X-Cache-Lookup:MISS from proxy01.spidernet.net:83
Proxy-Connection:close

2) FIREFOX:

GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.tophotelchoices.com/timeout.jsp
Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
Cache-Control: max-age=0

HTTP/1.x 200 OK
Date: Thu, 16 Feb 2006 22:12:27 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
X-Cache: MISS from proxy01.spidernet.net
X-Cache-Lookup: MISS from proxy01.spidernet.net:83
Proxy-Connection: close

Obviously, the response is the same in both cases, however, for FireFox the important difference I see in Request is the one saying Cache-control: max-age=0 and also, the Keep-Alive value 300. I do not think the Keep-Alive value is the problem, however, the Cache-Control: max-age=0 is suspicious. In my code I have response.setHeader("Cache-Control", "no-cache") but I think this is different.

Does anyone have a clue what the max-age:0 is doing?

Your help will be greatly appreciated.

Thanks and regards,
Michael

-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 22:16
To: Tomcat Users List
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

George Sexton wrote:
> Does the code transparently create a new JSessionID value then?

George, you might wanna rethink your comments, they don't shine any light on the issue and they for sure don't state any facts, let me prove to you I am right.

Below are the headers I tracked with LiveHttpHeaders, as you can see, JSESSIONID remains exactly the same in the browser request when the switch from HTTP to HTTPS happens. This is Firefox on Fedora 4. The site works fine.

This must be a browser issue, can you tell us a little bit more about what version and platform your browser is on.

1. Request to the home - non secure
http://www.tophotelchoices.com/

GET / HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
Accept: text/xml,application
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Just out of curiosity, why do your pages have two HEAD blocks (one at the top, and one at the bottom of the page)?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 3:38 PM
To: 'Tomcat Users List'
Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Dear all,

Thanks for your replies to my problem. However, I think the discussion has been diverted into a debate totally irrelevant to the issue.

As far as Chuck's question whether this could be related to the popup, this is not the case as the problem happens on other pages too, even on index.jsp (first page)

Regarding Filip's email and monitoring HTTP Headers I am impressed that it seems to work for you. I run FireFox on Windows XP Pro SP2 and what happens is that when a page finishes loading, the session expires on the server. When the user/browser requests another page the correct session id is sent from the browser but the server detects that this session id sent is no more valid (expired) and so we have a timeout. However, this behaviour, only occurs with FireFox. I tried it from another PC with XP Pro SP2 too but the problem is the same. With IE, NetScape and Opera all is ok.

I want to emphasize that this behaviour does not happen only when switching from SSL to non-SSL or vice versa. Even if I try to access pages such as the About Us or the Contact Us the session expires again. However, in that case the problem is not visible to the user since those pages do not contain any session specific data so even with a new session it is ok.

Try the following though and you will see what I mean. On tophotelchoices.com do a search for a hotel. Let the results be displayed and then, go to the About Us page. Then, click your browser's back button and instead of going back to the search results you get a timeout (if you get search results it will be from browser's cache, do a reload and you will get timeout).

Monitoring the HTTP headers for both IE and Firefox using HttpAnalyzer for IE and LiveHttpHeaders for Firefox gives the following:

1) IE

(Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
Accept:*/*
Accept-Language:en-gb
Accept-Encoding:gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
Host:www.tophotelchoices.com
Proxy-Connection:Keep-Alive
Pragma:no-cache
Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D

(Status-Line):HTTP/1.0 200 OK
Date:Thu, 16 Feb 2006 22:09:18 GMT
Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control:no-cache
Pragma:no-cache
Expires:Wed, 31 Dec 1969 23:59:59 GMT
Content-Type:text/html;charset=UTF-8
X-Cache:MISS from proxy01.spidernet.net
X-Cache-Lookup:MISS from proxy01.spidernet.net:83
Proxy-Connection:close

2) FIREFOX:

GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.tophotelchoices.com/timeout.jsp
Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
Cache-Control: max-age=0

HTTP/1.x 200 OK
Date: Thu, 16 Feb 2006 22:12:27 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
X-Cache: MISS from proxy01.spidernet.net
X-Cache-Lookup: MISS from proxy01.spidernet.net:83
Proxy-Connection: close

Obviously, the response is the same in both cases, however, for FireFox the important difference I see in Request is the one saying Cache-control: max-age=0 and also, the Keep-Alive value 300. I do not think the Keep-Alive value is the problem, however, the Cache-Control: max-age=0 is suspicious. In my code I have response.setHeader("Cache-Control", "no-cache") but I think this is different.

Does anyone have a clue what the max-age:0 is doing?

Your help will be greatly appreciated.

Thanks and regards,
Michael

-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 22:16
To: Tomcat Users List
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

George Sexton wrote:
> Does the code transparently create a new JSessionID value then?

George, you might wanna rethink your comments, they don't shine any light on the issue and they for sure don't state any facts, let me
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Monitoring the HTTP headers for both IE and Firefox using HttpAnalyzer for IE and LiveHttpHeaders for Firefox gives the following:

1) IE

(Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
Accept:*/*
Accept-Language:en-gb
Accept-Encoding:gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
Host:www.tophotelchoices.com
Proxy-Connection:Keep-Alive
Pragma:no-cache
Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D

(Status-Line):HTTP/1.0 200 OK
Date:Thu, 16 Feb 2006 22:09:18 GMT
Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control:no-cache
Pragma:no-cache
Expires:Wed, 31 Dec 1969 23:59:59 GMT
Content-Type:text/html;charset=UTF-8
X-Cache:MISS from proxy01.spidernet.net
X-Cache-Lookup:MISS from proxy01.spidernet.net:83
Proxy-Connection:close

2) FIREFOX:

GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.tophotelchoices.com/timeout.jsp
Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
Cache-Control: max-age=0

HTTP/1.x 200 OK
Date: Thu, 16 Feb 2006 22:12:27 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
X-Cache: MISS from proxy01.spidernet.net
X-Cache-Lookup: MISS from proxy01.spidernet.net:83
Proxy-Connection: close

Obviously, the response is the same in both cases, however, for FireFox the important difference I see in Request is the one saying Cache-control: max-age=0 and also, the Keep-Alive value 300. I do not think the Keep-Alive value is the problem, however, the Cache-Control: max-age=0 is suspicious. In my code I have response.setHeader("Cache-Control", "no-cache") but I think this is different.

Does anyone have a clue what the max-age:0 is doing?

Your help will be greatly appreciated.

Thanks and regards,
Michael

-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 22:16
To: Tomcat Users List
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

George Sexton wrote:
> Does the code transparently create a new JSessionID value then?

George, you might wanna rethink your comments, they don't shine any light on the issue and they for sure don't state any facts, let me prove to you I am right.

Below are the headers I tracked with LiveHttpHeaders, as you can see, JSESSIONID remains exactly the same in the browser request when the switch from HTTP to HTTPS happens. This is Firefox on Fedora 4. The site works fine.

This must be a browser issue, can you tell us a little bit more about what version and platform your browser is on.

1. Request to the home - non secure
http://www.tophotelchoices.com/

GET / HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.tophotelchoices.com/

HTTP/1.x 200 OK
Date: Wed, 15 Feb 2006 20:08:55 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Set-Cookie: JSESSIONID=735009FD40D725EDAA14389409CD60FF; Path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

2. Click on the request button - switch from HTTP to HTTPS
https://www.tophotelchoices.com/bookingServlet1?hotel=ASI

GET /bookingServlet1?hotel=ASI HTTP/1.1
Host: www.tophotelchoices.com:443
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.tophotelchoices.com/searchResults.jsp
Cookie: JSESSIONID=735009FD40D725EDAA14389409CD60FF

HTTP/1.x 200 OK
Date: Wed, 15 Feb
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Since I regularly use Firefox and sessions I'm pretty sure that there is really nothing unique to that combination that is causing the problem. It could be the proxy server below is causing the issue. The obvious thing to do would be to try from a different network without a proxy server and see if your issue clears up.

I would also recommend that you do a little cleanup on your HTML pages and see if there is some effect on the issue. The specific things I would fix in your HTML are:

1) No DocType, causing the page to render in Quirks mode. FYI, this will cause differences in the box model which will result in IE 6.0 and FireFox/Mozilla displaying pages very differently.
2) No Content type/charset meta in the header.
3) You have a duplicate HEAD block in the bottom of your page.

Your reference to the cache-control entry:

Cache-Control: max-age=0

Doesn't appear in my browser. I would suspect that it's being added by your proxy server.

X-Cache: MISS from proxy01.spidernet.net
X-Cache-Lookup: MISS from proxy01.spidernet.net:83

I would also say that if you're going to use the addHeader() to put in cache/pragma entries that you should not use the META tags.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 3:38 PM
To: 'Tomcat Users List'
Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Dear all,

Thanks for your replies to my problem. However, I think the discussion has been diverted into a debate totally irrelevant to the issue.

As far as Chuck's question whether this could be related to the popup, this is not the case as the problem happens on other pages too, even on index.jsp (first page)
Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Michael Andreas Omerou [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Dear all,
>
> Thanks for your replies to my problem. However, I think the discussion has been diverted into a debate totally irrelevant to the issue.

Not that I'm all that interested, but just to push this along, what are the Cookie properties in FireFox after you request a page? Personally, I'm betting that FireFox is probably applying your cache-control/max-age headers to the Cookies as well as to the page itself.

> As far as Chuck's question whether this could be related to the popup, this is not the case as the problem happens on other pages too, even on index.jsp (first page)
>
> Regarding Filip's email and monitoring HTTP Headers I am impressed that it seems to work for you. I run FireFox on Windows XP Pro SP2 and what happens is that when a page finishes loading, the session expires on the server. When the user/browser requests another page the correct session id is sent from the browser but the server detects that this session id sent is no more valid (expired) and so we have a timeout. However, this behaviour, only occurs with FireFox. I tried it from another PC with XP Pro SP2 too but the problem is the same. With IE, NetScape and Opera all is ok.
>
> I want to emphasize that this behaviour does not happen only when switching from SSL to non-SSL or vice versa. Even if I try to access pages such as the About Us or the Contact Us the session expires again. However, in that case the problem is not visible to the user since those pages do not contain any session specific data so even with a new session it is ok.
>
> Try the following though and you will see what I mean. On tophotelchoices.com do a search for a hotel. Let the results be displayed and then, go to the About Us page. Then, click your browser's back button and instead of going back to the search results you get a timeout (if you get search results it will be from browser's cache, do a reload and you will get timeout).
>
> Monitoring the HTTP headers for both IE and Firefox using HttpAnalyzer for IE and LiveHttpHeaders for Firefox gives the following:
>
> 1) IE
>
> (Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
> Accept:*/*
> Accept-Language:en-gb
> Accept-Encoding:gzip, deflate
> User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
> Host:www.tophotelchoices.com
> Proxy-Connection:Keep-Alive
> Pragma:no-cache
> Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D
>
> (Status-Line):HTTP/1.0 200 OK
> Date:Thu, 16 Feb 2006 22:09:18 GMT
> Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
> Cache-Control:no-cache
> Pragma:no-cache
> Expires:Wed, 31 Dec 1969 23:59:59 GMT
> Content-Type:text/html;charset=UTF-8
> X-Cache:MISS from proxy01.spidernet.net
> X-Cache-Lookup:MISS from proxy01.spidernet.net:83
> Proxy-Connection:close
>
> 2) FIREFOX:
>
> GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
> Host: www.tophotelchoices.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-gb,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://www.tophotelchoices.com/timeout.jsp
> Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
> Cache-Control: max-age=0
>
> HTTP/1.x 200 OK
> Date: Thu, 16 Feb 2006 22:12:27 GMT
> Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
> Cache-Control: no-cache
> Pragma: no-cache
> Expires: Wed, 31 Dec 1969 23:59:59 GMT
> Content-Type: text/html;charset=UTF-8
> X-Cache: MISS from proxy01.spidernet.net
> X-Cache-Lookup: MISS from proxy01.spidernet.net:83
> Proxy-Connection: close
>
> Obviously, the response is the same in both cases, however, for FireFox the important difference I see in Request is the one saying Cache-control: max-age=0 and also, the Keep-Alive value 300. I do not think the Keep-Alive value is the problem, however, the Cache-Control: max-age=0 is suspicious. In my code I have response.setHeader("Cache-Control", "no-cache") but I think this is different.
>
> Does anyone have a clue what the max-age:0 is doing?
>
> Your help will be greatly appreciated.
>
> Thanks and regards,
> Michael
>
> -Original Message-
> From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
> Sent: 15 February 2006 22:16
> To: Tomcat Users List
> Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
>
> George Sexton wrote:
> > Does the code transparently create a new JSessionID value then?
>
> George, you might wanna rethink your comments, they don't shine any light on the issue and they for sure don't state any facts, let me prove to you I am right.
>
> Below are the headers I tracked with LiveHttpHeaders, as you can see, JSESSIONID remains exactly the same in the browser request when the switch from HTTP to HTTPS happens
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
This is really an old thing I read somewhere: that IE might not respond to the top headers, so the only way to force IE to work as you want it to (no caching) was to do this (put one more header at the end). Back at that time (IE 5 was used, with 6 not being released yet) this solved many problems for me, so since then I use this trick in my code whenever I do not want caching.

Michael

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED]
Sent: 17 February 2006 04:42
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Just out of curiosity, why do your pages have two HEAD blocks (one at the top, and one at the bottom of the page)?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Thanks for the suggestion Wade but I really did what you are saying and headers reach the server correctly.

Michael

-Original Message-
From: Wade Chandler [mailto:[EMAIL PROTECTED]
Sent: 17 February 2006 05:16
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 22:16
To: Tomcat Users List
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

George Sexton wrote:

Does the code transparently create a new JSessionID value then?

George, you might wanna rethink your comments, they don't shine any light on the issue and they for sure don't state any facts, let me prove to you I am right. Below are the headers I tracked with LiveHttpHeaders, as you can see, JSESSIONID remains exactly the same in the browser request when the switch from HTTP to HTTPS happens.

This is Firefox on Fedora 4. The site works fine. This must be a browser issue, can you tell us a little bit more about what version and platform your browser is on.

1. Request to the home - non secure

http://www.tophotelchoices.com/

    GET / HTTP/1.1
    Host: www.tophotelchoices.com
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.tophotelchoices.com/

    HTTP/1.x 200 OK
    Date: Wed, 15 Feb 2006 20:08:55 GMT
    Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
    Set-Cookie: JSESSIONID=735009FD40D725EDAA14389409CD60FF; Path=/
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: Wed, 31 Dec 1969 23:59:59 GMT
    Keep-Alive: timeout=5, max=20
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html;charset=UTF-8

2. Click on the request button - switch from HTTP to HTTPS

https://www.tophotelchoices.com/bookingServlet1?hotel=ASI

    GET /bookingServlet1?hotel=ASI HTTP/1.1
    Host: www.tophotelchoices.com:443
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
More or less this is what I think as well! That Cache-control: max-age=0 is applied to cookies too. However the cookies in Firefox seem to have the correct expiration date.

Michael

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: 17 February 2006 06:03
To: users@tomcat.apache.org
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Michael Andreas Omerou [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Dear all,

Thanks for your replies to my problem. However, I think the discussion has been diverted into a debate totally irrelevant to the issue.

Not that I'm all that interested, but just to push this along, what are the Cookie properties in FireFox after you request a page? Personally, I'm betting that FireFox is probably applying your cache-control/max-age headers to the Cookies as well as to the page itself.
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Thanks for the suggestion George. I don't think it is the proxy because IE and other browsers work with the same proxy so I don't see why FireFox should not. I will try your suggestion though and let you know the outcome.

As far as other suggestions, no. 1 is particularly interesting and I will try it, as well as no. 2. For your third suggestion I explained to you why I am doing it.

As far as the X-Cache: MISS, etc. these appear with IE as well but IE works so it can't be the problem.

Michael

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED]
Sent: 17 February 2006 05:22
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Since I regularly use Firefox and sessions I'm pretty sure that there is really nothing unique to that combination that is causing the problem.

It could be the proxy server below is causing the issue. The obvious thing to do would be to try from a different network without a proxy server and see if your issue clears up.

I would also recommend that you do a little cleanup on your HTML pages and see if there is some effect on the issue. The specific things I would fix in your HTML are:

1) No DocType, causing the page to render in Quirks mode. FYI, this will cause differences in the box model which will result in IE 6.0 and FireFox/Mozilla displaying pages very differently.
2) No Content type/charset meta in the header.
3) You have a duplicate HEAD block in the bottom of your page.

Your reference to the cache-control entry:

    Cache-Control: max-age=0

Doesn't appear in my browser. I would suspect that it's being added by your proxy server.

    X-Cache: MISS from proxy01.spidernet.net
    X-Cache-Lookup: MISS from proxy01.spidernet.net:83

I would also say that if you're going to use the addHeader() to put in cache/pragma entries that you should not use the META tags.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Does anybody have an idea what could be causing what I describe in the below two emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the HTTP headers in each case (IE and FireFox). These are:

IE

    accept: */*
    accept-language: en-gb
    accept-encoding: gzip, deflate
    user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
    host: localhost
    connection: Keep-Alive
    cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox

    host: localhost
    user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
    accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    accept-language: en-gb,en;q=0.5
    accept-encoding: gzip,deflate
    accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    keep-alive: 300
    connection: keep-alive
    cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
    cache-control: max-age=0

I wonder whether the keep-alive which exists in the case of FireFox but not in the case of IE could be the cause of my problems.

Michael

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application runs in Firefox. Basically, what happens is that after I set in the session some attributes/beans which are needed down the application, I check in all JSPs and servlets that an old session is still there by using

    if (request.getSession(false) == null) {
        response.sendRedirect(response.encodeRedirectURL("timeout.jsp"));
    }

With IE all works fine, however with Firefox, it seems that the session is re-initialised whenever the client/browser requests a new page. I checked this by printing the session id in the log on each page and with IE it does not change, while with Firefox it changes.

I checked my firefox settings for cookies and all look ok. Does anybody have a clue what I might be doing wrong?

Regards,
Michael
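A server-side way to check the symptom described in this thread (the browser presents a session id that Tomcat no longer accepts). This is an added example, not code from any poster or from Tomcat: the class name SessionTraceFilter and the log format are assumptions, and it uses only the Servlet 2.4 javax.servlet API that Tomcat 5.0 provides.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical diagnostic class. Register it in web.xml twice: as a
 * <filter> mapped to /* and as a <listener>. The container creates a
 * separate instance for each role, so the listener methods take the
 * ServletContext from the session rather than from the filter field.
 */
public class SessionTraceFilter implements Filter, HttpSessionListener {

    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void destroy() {
        context = null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        context.log(snapshot("before", request));
        try {
            chain.doFilter(req, res);
        } finally {
            // A difference between the two snapshots means the page itself
            // invalidated or replaced the session while it was running.
            context.log(snapshot("after ", request));
        }
    }

    /** One log line: what the browser presented and what the container holds. */
    static String snapshot(String phase, HttpServletRequest request) {
        String line = "[session-trace] " + phase + " " + request.getRequestURI()
                + " requested=" + shortId(request.getRequestedSessionId())
                + " viaCookie=" + request.isRequestedSessionIdFromCookie()
                + " stillValid=" + request.isRequestedSessionIdValid();
        HttpSession session = request.getSession(false); // never creates a session
        if (session == null) {
            return line + " current=none";
        }
        try {
            long idleSec = (System.currentTimeMillis() - session.getLastAccessedTime()) / 1000;
            return line + " current=" + shortId(session.getId())
                    + " new=" + session.isNew()
                    + " idleSec=" + idleSec
                    + " maxInactiveSec=" + session.getMaxInactiveInterval();
        } catch (IllegalStateException invalidatedMeanwhile) {
            return line + " current=invalidated";
        }
    }

    public void sessionCreated(HttpSessionEvent event) {
        HttpSession s = event.getSession();
        s.getServletContext().log("[session-trace] created " + shortId(s.getId())
                + " maxInactiveSec=" + s.getMaxInactiveInterval());
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession s = event.getSession();
        String detail;
        try {
            long idleSec = (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000;
            int max = s.getMaxInactiveInterval();
            // Heuristic: idle for at least the configured interval means timeout;
            // anything shorter means invalidate() was called or the context stopped.
            boolean timedOut = max > 0 && idleSec >= max;
            detail = " idleSec=" + idleSec + " maxInactiveSec=" + max
                    + (timedOut ? " cause=timeout" : " cause=invalidate-or-shutdown");
        } catch (IllegalStateException alreadyInvalid) {
            detail = " (session details no longer readable)";
        }
        // The stack trace shows who ended the session: application code
        // calling invalidate(), or the container's background expiry.
        s.getServletContext().log("[session-trace] destroyed " + shortId(s.getId()) + detail,
                new Throwable("session destroyed from here"));
    }

    /** Session ids are credentials: log a short prefix only, never the full value. */
    static String shortId(String id) {
        if (id == null) {
            return "none";
        }
        return id.length() > 8 ? id.substring(0, 8) + "..." : "(short id)";
    }
}
```

If a "before" line shows stillValid=false for an id that an earlier response issued, the session was ended between the two requests, and the matching "destroyed" entry with its stack trace shows what ended it.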
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Hi Earnie,

Cookies are allowed at the browser. It seems for some reason that at the end of loading each JSP firefox expires my session. I use some meta tags (META HTTP-EQUIV=Cache-Control CONTENT=No-Cache, META HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires CONTENT=-1) and also set the corresponding header values using response.setHeader but even if I remove them nothing changes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
The META tags should not have an effect on cookies. Firefox would not be the one that expires your session, Tomcat would. Do you have a session timeout specified in your application?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Hi Earnie,

Cookies are allowed at the browser. It seems for some reason that at the end of loading each JSP firefox expires my session. I use some meta tags (META HTTP-EQUIV=Cache-Control CONTENT=No-Cache, META HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires CONTENT=-1) and also set the corresponding header values using response.setHeader but even if I remove them nothing changes.

Michael
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
It is 30 minutes. If I do request.getSession().getMaxInactiveInterval() I get 1800 (seconds I guess) which is the correct value for 30 minutes.

Michael

-----Original Message-----
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:25
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

The META tags should not have an effect on cookies. Firefox would not be the one that expires your session, Tomcat would. Do you have a session timeout specified in your application?

Earnie!

-----Original Message-----
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Hi Earnie,

Cookies are allowed at the browser. It seems for some reason that at the end of loading each JSP firefox expires my session. I use some meta tags (META HTTP-EQUIV=Cache-Control CONTENT=No-Cache, META HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires CONTENT=-1) and also set the corresponding header values using response.setHeader but even if I remove them nothing changes.

Michael

-----Original Message-----
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!

-----Original Message-----
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Anybody has an idea what could be causing what I describe in the below two emails?

-----Original Message-----
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the HTTP headers in each case (IE and FireFox). These are:

IE

    accept: */*
    accept-language: en-gb
    accept-encoding: gzip, deflate
    user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
    host: localhost
    connection: Keep-Alive
    cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox

    host: localhost
    user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
    accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    accept-language: en-gb,en;q=0.5
    accept-encoding: gzip,deflate
    accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    keep-alive: 300
    connection: keep-alive
    cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
    cache-control: max-age=0

I wonder whether the keep-alive which exists in the case of FireFox but not in the case of IE could be the cause of my problems.

Michael

-----Original Message-----
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application runs in Firefox. Basically, what happens is that after I set in the session some attributes/beans which are needed down the application, I check in all JSPs and servlets that an old session is still there by using

    // getSession(false) returns null instead of creating a session
    if (request.getSession(false) == null) {
        response.sendRedirect(response.encodeRedirectURL("timeout.jsp"));
    }

With IE all works fine, however with Firefox, it seems that the session is re-initialised whenever the client/browser requests a new page. I checked this by printing the session id in the log on each page and with IE it does not change, while with Firefox it changes. I checked my firefox settings for cookies and all look ok. Anybody has a clue of what I might be doing wrong?

Regards,
Michael
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Are you using an SSL connection?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ache.org] On behalf of Michael Andreas Omerou
Sent: Wednesday 15 February 2006 16:34
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

It is 30 minutes. If I do request.getSession().getMaxInactiveInterval() I get 1800 (seconds I guess) which is the correct value for 30 minutes.

Michael
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
In principle, one could try the below (a stand-alone jsp) which resides in my application with a timeout of 30 minutes:

    <%@page import="java.util.Enumeration,java.util.Date" contentType="text/html"%>
    <%@page pageEncoding="UTF-8"%>
    <html>
    <head><title>JSP Page</title></head>
    <body>
    <%
        // Dump every request header to the server log
        Enumeration reqHeaderNames = request.getHeaderNames();
        String curHeaderName;
        while (reqHeaderNames.hasMoreElements()) {
            curHeaderName = (String) reqHeaderNames.nextElement();
            System.out.println(curHeaderName + ": " + request.getHeader(curHeaderName));
        }
        // Log the ID of the session this request is bound to
        System.out.println("TestFirefox.jsp Session ID Value: " + request.getSession(false).getId());
    %>
    TEST FIREFOX LOADED
    </body>
    </html>

The above creates a new session whenever reloaded in Firefox while in IE it keeps the same.

-----Original Message-----
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:34
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

It is 30 minutes. If I do request.getSession().getMaxInactiveInterval() I get 1800 (seconds I guess) which is the correct value for 30 minutes.

Michael
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Not at the stage that this problem occurs. SSL is used further on when the user logs in to make a payment but the SSL pages are never reached with FireFox because of the early timeout. With IE all is ok, including SSL connections.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:43
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you using an SSL connection?
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
I tried with NetScape and Opera to see what happens. For NetScape the first time I tried it was ok up to the stage that I switched to SSL. At that step, I lost my session. After trying several times again I noticed NetScape was ok. With Opera all works fine, like with IE, from the beginning. So major problem is still FireFox and it must be something that it sends (or not sends) back to Tomcat that causes session expiration.

Thanks for your assistance.

Michael

-----Original Message-----
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:48
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Not at the stage that this problem occurs. SSL is used further on when the user logs in to make a payment but the SSL pages are never reached with FireFox because of the early timeout. With IE all is ok, including SSL connections.
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
As the problem occurs with a live site, you can see it yourself at www.tophotelchoices.com. Do a search for any hotel. You will see the results. By the time the results page is loaded your session has expired but you do not know. Click on the Book or Request button of any hotel and you will see the Timeout page. Remember that the above only happens with FireFox.

I will greatly appreciate your help.

-----Original Message-----
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 19:45
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

I tried with NetScape and Opera to see what happens. For NetScape the first time I tried it was ok up to the stage that I switched to SSL. At that step, I lost my session. After trying several times again I noticed NetScape was ok. With Opera all works fine, like with IE, from the beginning. So major problem is still FireFox and it must be something that it sends (or not sends) back to Tomcat that causes session expiration.

Thanks for your assistance.

Michael
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
You do realize that sessions don't carry over between SSL and non-SSL requests, don't you? You can't have a session ID that carries over from a non-ssl session to an SSL session because that session ID is compromised (it has been exposed) as plain text.

As an aside, I looked at your form. You should really use HttpServletRequest.getLocale() to pick up your user's locale and then provide date formatting for the user locale.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

-----Original Message-----
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 11:03 AM
To: 'Tomcat Users List'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

As the problem occurs with a live site, you can see it yourself at www.tophotelchoices.com. Do a search for any hotel. You will see the results. By the time the results page is loaded your session has expired but you do not know. Click on the Book or Request button of any hotel and you will see the Timeout page. Remember that the above only happens with FireFox.

I will greatly appreciate your help.
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

As the problem occurs with a live site, you can see it yourself at www.tophotelchoices.com.

(OT: A bit depressing to see a Holiday Inn at Aylesbury - I used to live just down the road from there in the 1950s.)

I noticed that a secondary window opened during the search; is it possible that with Firefox the session is being associated only with this secondary window? Can you use Ethereal or something similar to see which requests/responses contain the desired session id?

- Chuck
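What a capture like the one Chuck asks for can settle, as an added example that is not part of the original thread: given the Cookie and Set-Cookie headers of consecutive exchanges, this Java program reports whether the browser failed to return the session cookie or returned the right ID and was handed a new one anyway. The class name, the verdict labels and the capture itself are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SessionChurnCheck {

    /** One request/response pair from a capture; a header that was absent is null. */
    static final class Exchange {
        final String client;          // label for the browser under test
        final String cookieHeader;    // value of the request's Cookie header
        final String setCookieHeader; // value of the response's Set-Cookie header

        Exchange(String client, String cookieHeader, String setCookieHeader) {
            this.client = client;
            this.cookieHeader = cookieHeader;
            this.setCookieHeader = setCookieHeader;
        }
    }

    /** Extracts the JSESSIONID value from a Cookie or Set-Cookie header value. */
    static String sessionId(String headerValue) {
        if (headerValue == null) {
            return null;
        }
        for (String part : headerValue.split(";")) {
            String pair = part.trim();
            if (pair.startsWith("JSESSIONID=")) {
                return pair.substring("JSESSIONID=".length());
            }
        }
        return null;
    }

    /** Returns one verdict per exchange, in capture order. */
    static List<String> classify(List<Exchange> capture) {
        Map<String, String> lastIssued = new HashMap<>(); // client -> newest ID the server set
        List<String> verdicts = new ArrayList<>();
        for (Exchange ex : capture) {
            String sent = sessionId(ex.cookieHeader);
            String issued = sessionId(ex.setCookieHeader);
            String expected = lastIssued.get(ex.client);
            String verdict;
            if (issued == null) {
                // No new cookie was set, so no session was created on this request.
                verdict = (sent == null) ? "NO_SESSION" : "SESSION_KEPT";
            } else if (sent == null) {
                // A session was created because the request carried no ID at all.
                verdict = (expected == null) ? "FIRST_SESSION" : "CLIENT_DROPPED_COOKIE";
            } else if (expected != null && !sent.equals(expected)) {
                // The browser returned an ID other than the newest one it was given.
                verdict = "CLIENT_SENT_STALE_ID";
            } else {
                // The browser returned the ID it was given and the server replaced it anyway.
                verdict = "SERVER_REJECTED_ID";
            }
            if (issued != null) {
                lastIssued.put(ex.client, issued);
            }
            verdicts.add(ex.client + " " + verdict);
        }
        return verdicts;
    }

    public static void main(String[] args) {
        // Constructed capture, not traffic from the thread.
        List<Exchange> capture = Arrays.asList(
            new Exchange("browserA", null, "JSESSIONID=A1; Path=/app"),
            new Exchange("browserA", "JSESSIONID=A1", null),
            new Exchange("browserB", null, "JSESSIONID=B1; Path=/app"),
            new Exchange("browserB", "JSESSIONID=B1", "JSESSIONID=B2; Path=/app"),
            new Exchange("browserB", "JSESSIONID=B2", "JSESSIONID=B3; Path=/app"),
            new Exchange("browserC", null, "JSESSIONID=C1; Path=/app"),
            new Exchange("browserC", null, "JSESSIONID=C2; Path=/app"));

        List<String> expected = Arrays.asList(
            "browserA FIRST_SESSION",
            "browserA SESSION_KEPT",
            "browserB FIRST_SESSION",
            "browserB SERVER_REJECTED_ID",
            "browserB SERVER_REJECTED_ID",
            "browserC FIRST_SESSION",
            "browserC CLIENT_DROPPED_COOKIE");

        List<String> actual = classify(capture);
        for (String line : actual) {
            System.out.println(line);
        }
        if (!actual.equals(expected)) {
            throw new AssertionError("unexpected verdicts: " + actual);
        }
    }
}
```

A run of SERVER_REJECTED_ID points the investigation at the server side (invalidation, a session that the container no longer knows), while CLIENT_DROPPED_COOKIE or CLIENT_SENT_STALE_ID points at cookie handling in the browser or at something between browser and server.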
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
In my shopping cart application, I create a cart with a unique (random) id and track the request type (secure/non-secure). If they invoke the program from an SSL request, and the previous request was non-SSL then I create a new cart with a new unique ID, copy the information from the insecure cart, and then delete the old cart. If someone tries to come back with the old cart id, then that cart just doesn't exist and they get a new cart. George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585 -Original Message- From: Joey Geiger [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 11:50 AM To: 'Tomcat Users List' Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) You do realize that sessions don't carry over between SSL and non-SSL request don't you? What is the proper/best way to go about this then, since I will be facing a similar situation in the near future? (Shopping cart bean, customer bean saved in the session.) Thanks. -Original Message- From: George Sexton [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 12:17 PM To: 'Tomcat Users List'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) You do realize that sessions don't carry over between SSL and non-SSL request don't you? You can't have a session ID that carries over from a non-ssl session to an SSL session because that session ID is compromised (it has been exposed) as plain text. As an aside, I looked at your form. You should really use HttpServletRequest.getLocale() to pick up your user's locale and then provide date formatting for the user locale. George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585
Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
sessions started in non-ssl mode should carry over to SSL, but not the other way around. Filip Joey Geiger wrote: You do realize that sessions don't carry over between SSL and non-SSL request don't you? What is the proper/best way to go about this then, since I will be facing a similar situation in the near future? (Shopping cart bean, customer bean saved in the session.) Thanks. -Original Message- From: George Sexton [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 12:17 PM To: 'Tomcat Users List'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) You do realize that sessions don't carry over between SSL and non-SSL request don't you? You can't have a session ID that carries over from a non-ssl session to an SSL session because that session ID is compromised (it has been exposed) as plain text. As an aside, I looked at your form. You should really use HttpServletRequest.getLocale() to pick up your user's locale and then provide date formatting for the user locale. George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585 -Original Message- From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 11:03 AM To: 'Tomcat Users List'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) As the problem occurs with a live site, you can see it yourself at www.tophotelchoices.com. Do a search for any hotel. You will see the results. By the time the results page is loaded your session has expired but you do not know. Click on the Book or Request button of any hotel and you will see the Timeout page. Remember that the above only happens with FireFox. I will greatly appreciate your help. 
-Original Message- From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] Sent: 15 February 2006 19:45 To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Cc: 'Tomcat Users List' Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) I tried with NetScape and Opera to see what happens. For NetScape the first time I tried it was ok up to the stage that I switched to SSL. At that step, I lost my session. After trying several times again I noticed NetScape was ok. With Opera all works fine, like with IE, from the beginning. So major problem is still FireFox and it must be something that it sends (or does not send) back to Tomcat that causes session expiration. Thanks for your assistance. Michael -Original Message- From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] Sent: 15 February 2006 17:48 To: 'Tomcat Users List' Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) Not at the stage that this problem occurs. SSL is used further on when the user logs in to make a payment but the SSL pages are never reached with FireFox because of the early timeout. With IE all is ok, including SSL connections. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 15 February 2006 17:43 To: 'Tomcat Users List' Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) Are you using SSL connection ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Michael Andreas Omerou Sent: Wednesday, 15 February 2006 16:34 To: 'Tomcat Users List' Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) It is 30 minutes. If I do request.getSession().getMaxInactiveInterval() I get 1800 (seconds I guess) which is the correct value for 30 minutes. 
Michael -Original Message- From: Earnie Dyke [mailto:[EMAIL PROTECTED] Sent: 15 February 2006 17:25 To: Tomcat Users List Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) The META tags should not have an effect on cookies. Firefox would not be the one that expires your session, Tomcat would. Do you have a session timeout specified in your application? Earnie! -Original Message- From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 10:19 AM To: 'Tomcat Users List' Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) Hi Earnie, Cookies are allowed at the browser. It seems for some reason that at the end of loading each JSP firefox expires my session. I use some meta tags (META HTTP-EQUIV=Cache-Control CONTENT=No-Cache, META HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires CONTENT=-1) and also set the corresponding header values using response.setHeader but even if I
Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
George Sexton wrote: Does the code transparently create a new JSessionID value then?

George, you might wanna rethink your comments, they don't shine any light on the issue and they for sure don't state any facts, let me prove you I am right. Below is the headers I tracked with LiveHttpHeaders, as you can see, JSESSIONID remains exactly the same in the browser request when the switch from HTTP to HTTPS happens. This is Firefox on Fedora 4. The site works fine. This must be a browser issue, can you tell us a little bit more about what version and platform your browser is on.

1. Request to the home - non secure

http://www.tophotelchoices.com/

GET / HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.tophotelchoices.com/

HTTP/1.x 200 OK
Date: Wed, 15 Feb 2006 20:08:55 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Set-Cookie: JSESSIONID=735009FD40D725EDAA14389409CD60FF; Path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

2. Click on the request button - switch from HTTP to HTTPS

https://www.tophotelchoices.com/bookingServlet1?hotel=ASI

GET /bookingServlet1?hotel=ASI HTTP/1.1
Host: www.tophotelchoices.com:443
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.tophotelchoices.com/searchResults.jsp
Cookie: JSESSIONID=735009FD40D725EDAA14389409CD60FF

HTTP/1.x 200 OK
Date: Wed, 15 Feb 2006 20:11:54 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

George Sexton wrote: Does the code transparently create a new JSessionID value then? George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585

-Original Message- From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 12:48 PM To: Tomcat Users List Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

sessions started in non-ssl mode should carry over to SSL, but not the other way around. Filip
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
-Original Message- From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 1:16 PM To: Tomcat Users List Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

George Sexton wrote: Does the code transparently create a new JSessionID value then?

George, you might wanna rethink your comments, they don't shine any light on the issue and they for sure don't state any facts, let me prove you I am right. Below is the headers I tracked with LiveHttpHeaders, as you can see, JSESSIONID remains exactly the same in the browser request when the switch from HTTP to HTTPS happens.

And this is an incredibly major trap that lies waiting for every application developer that uses sessions. You see, I have given a great deal of thought about sessions and what should happen when a connection transitions to secure, or from secure to non-secure.

Let's take a simple shopping cart app. User Adam visits a site on a non-secure connection and receives a session. He shops and puts something in his cart. Mallory (crypto speak for the person in the middle) monitors Adam's network stream and picks up the jsessionid from the data stream.

Adam then goes to the check out screen and starts entering checkout data (name, address, and credit card information). To give ourselves a window, assume that Adam then continues shopping or is just slow, or the credit card processing procedure takes time...

Mallory can forge a request using the JSessionID, and go to the checkout pages. Since Mallory has the same session, all of the information entered by Adam is now visible.

This is the flaw. This is why sessions should not transition from non-secure to secure, or if they do transition a new ID should be generated and the old session ID invalidated. The session ID is a key into the data store and if the session key has been exposed to the public, then no confidential data should be accessed using that session key.

I think this should be submitted as a bug. 
George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585
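An added example, not code from the thread or from Tomcat: a servlet filter that applies the rule stated in the message above (and followed by the cart design described earlier in the thread), issuing a new session ID the first time a session is seen over HTTPS and invalidating the ID that travelled in clear text. The class name and the `example.bornSecure` attribute are hypothetical, and the filter assumes the container marks the cookie of a session created on an HTTPS request as Secure, which should be checked in the container in use. It also drops a session whose HTTPS-issued ID turns up on plain HTTP, one step beyond what the message spells out.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: a session ID seen on plain HTTP never unlocks HTTPS pages. */
public class SecureTransitionFilter implements Filter {

    // Hypothetical marker attribute: TRUE only on sessions this filter created over HTTPS.
    private static final String BORN_SECURE = "example.bornSecure";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);   // do not create one here

        if (session != null) {
            boolean bornSecure = Boolean.TRUE.equals(session.getAttribute(BORN_SECURE));
            if (request.isSecure() && !bornSecure) {
                // First HTTPS request carrying an ID that was not issued by rotate():
                // it may have been observed on plain HTTP, so replace it before any
                // servlet runs. A session the application created over HTTPS is
                // rotated once too, which is harmless.
                rotate(request, session);
            } else if (!request.isSecure() && bornSecure) {
                // An HTTPS-issued ID arrived in clear text, so it is exposed now.
                // Drop the session; the application starts a new one if it needs it.
                session.invalidate();
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Copy the attributes to a new session and invalidate the old ID.
     * Everything copied was reachable with the old ID, so only data that is
     * acceptable to expose (the cart, not payment details) should exist yet.
     */
    private static void rotate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();                               // the sniffed ID now resolves to nothing

        HttpSession fresh = request.getSession(true);   // new ID, first sent over HTTPS
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute(BORN_SECURE, Boolean.TRUE);
    }
}
```

Map the filter to `/*` in web.xml so it runs before the checkout servlets. On Servlet 3.1 and later containers, `HttpServletRequest.changeSessionId()` replaces the copy-and-invalidate step.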
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
An even simpler case: Adam visits a banking site. On entering the site he gets a cookie. Mallory snoops the session ID on the data stream. Adam then authenticates to read his account information. The application sets a session attribute (say a bean with the account name and number) on the session. Mallory now enters the secure area of the banking site using the forged session ID. Poof. Mallory is logged in as Adam. Poof. Adam is had and his data is there to be stolen, or wire transferred to another account. George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585 -Original Message- From: George Sexton [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 2:09 PM To: 'Tomcat Users List' Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) -Original Message- From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 1:16 PM To: Tomcat Users List Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox) George Sexton wrote: Does the code transparently create a new JSessionID value then? George, you might wanna rethink your comments, they don't shine any light on the issue and they for sure don't state any facts, let me prove you I am right. Below is the headers I tracked with LiveHttpHeaders, as you can see, JSESSIONID remains exactly the same in the browser request when the switch from HTTP to HTTPS happens. And this is an incredibly major trap that lies waiting for every application developer that uses sessions. You see, I have given a great deal of thought about sessions and what should happen when a connection transitions to secure, or from secure to non-secure. Let's take a simple shopping cart app. User Adam visit a site on a non-secure connection and receives a session. He shops and puts something in his cart. Mallory (crypto speak for the person in the middle) monitors Adam's network stream and picks up the jsessionid from the data stream. 
Adam then goes to the check out screen and starts entering checkout data (name, address, and credit card information). To give ourselves a window, assume that Adam then continues shopping or is just slow, or the credit card processing procedure takes time... Mallory can forge a request using the JSessionID, and go to the checkout pages. Since Mallory has the same session, all of the information entered by Adam is now visible. This is the flaw. This is why sessions should not transition from non-secure to secure, or if they do transition a new ID should be generated and the old session ID invalidated. The session ID is a key into the data store and if the session key has been exposed to the public, then no confidential data should be accessed using that session key. I think this should be submitted as a bug. George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585
Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Adam and Mallory have to stop shopping! =) this debate has been going on for years, you just caught onto to it now, and I was in it last time, don't plan on participating again. Have fun with it though!! Filip
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Oddly enough, the banks don't even care about this. US Bank, for example, claims their login on the front page is secure and has you enter your account data into a non https form. After the browser sends the information, it then redirects to a secure(https) link. I wrote them about this, and their response was, we know it's not secure, but we'll compensate you for any losses you may have... Crazy. -Original Message- From: George Sexton [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 3:16 PM To: 'Tomcat Users List' Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) An even simpler case: Adam visits a banking site. On entering the site he gets a cookie. Mallory snoops the session ID on the data stream. Adam then authenticates to read his account information. The application sets a session attribute (say a bean with the account name and number) on the session. Mallory now enters the secure area of the banking site using the forged session ID. Poof. Mallory is logged in as Adam. Poof. Adam is had and his data is there to be stolen, or wire transferred to another account. George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
-Original Message- From: Joey Geiger [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 2:27 PM To: 'Tomcat Users List' Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox) Oddly enough, the banks don't even care about this. US Bank, for example, claims their login on the front page is secure and has you enter your account data into a non https form. After the browser sends the information, it then redirects to a secure(https) link. I wrote them about this, and their response was, we know it's not secure, but we'll compensate you for any losses you may have... Crazy. Scary. That's my bank. But then, I don't trust people enough to do online banking. I bet their shareholders would be really excited to know about their technical proficiency and offer to re-imburse you for losses George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585
RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
I've been developing with Tomcat for years, and I never really know about this issue. I'd have to say that it must not be a widely known issue. Perhaps since the security picture has changed over the past couple of years its time to revisit this issue. George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585 -Original Message- From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 2:24 PM To: Tomcat Users List Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox) Adam and Mallory have to stop shopping! =) this debate has been going on for years, you just caught onto to it now, and I was in it last time, don't plan on participating again. Have fun with it though!! Filip