Re: 6.0.24 SSL Session always New
Iain,

On 2/19/2010 1:45 PM, iainmac wrote:
>> 1. When do you set the "userName" attribute in the session?
>> On validation of the user.

Do you mean "identification" of the user (that is, somehow they enter their username without attempting to authenticate)?

>> 2. When does authentication occur? How? Container-based, or your own?
>> I do also have container based as well as my own.

Uh... you are authenticating twice? Why?

>> 3. When does the session appear to be reset?
>> It's clear what's happening - just not sure why:
>> 1. From logon screen a new session is created, against that the username and
>> other attributes are stored.
>> 2. After the logon screen does this it then redirects to the actual page I
>> need.
>> 3. This page is made up of a parent frame and 2 sub-frames.
>> 4. The parent frame (the named page that the redirect is to) does that check
>> above i.e. tries to get the Username from the session object- This works
>> successfully. This page begins to load.
>> 5. The first sub-frame begins to load, tries the same check - in MSIE (and in
>> Tomcat 5.0.28 other browsers too) we are given the same validated session, so
>> all works fine. In other browsers with 6.0.24 a new session is given, and
>> so I am again redirected to the logon page! In a loop! Same thing happens
>> with second sub frame.

...and you're sure this only happens with 6.0.24 (and not 6.0.20, etc.) and only with non-MSIE browsers?

Have you tried a packet-capture to see what the differences in the requests are from each browser? That may help a lot to see if MSIE itself is behaving differently.

I would bet that you have, somewhere in your frames, a URL with a missing ;jsessionid appended to it, though it would only be a problem if cookies were disabled in the browser or for the webapp. Are either of these the case?

> As a work around I have simply rewritten my pages not to use frames, all
> works fine. I do wish new versions would keep default behaviour or make it
> clear the default behaviour has changed.

You /are/ upgrading to a version of Tomcat that is /two/ major versions beyond what you already had... there are likely to be some changes. Did you read the changelogs for: 5.0.28 -> 5.0.[latest], 5.0.[latest] -> 5.5.[latest], and 5.5.[latest] -> 6.0.24?

If you think you've uncovered a bug, please write up the simplest test case that you can get to work and file it: Tomcat only gets better when this community takes the initiative to make it so.

> I think it's related to the session hijacking mentioned in the other
> reply, but I didn't understand all on the linked page.

Basically, when the user is authenticated, the session is re-created. I haven't checked, but I would imagine that all the session data from the old session would be copied into the new session, so you shouldn't "lose" data.

My bet is on an application bug, given that:
1. You are using frames
2. You are using your own hand-rolled authentication

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 6.0.24 SSL Session always New
iainmac wrote:
> 3. This page is made up of a parent frame and 2 sub-frames.
> 4. The parent frame (the named page that the redirect is to) does that check
> above i.e. tries to get the Username from the session object- This works
> successfully. This page begins to load.
> 5. The first sub-frame begins to load, tries the same check - in MSIE (and in
> Tomcat 5.0.28 other browsers too) we are given the same validated session, so
> all works fine. In other browsers with 6.0.24 a new session is given, and
> so I am again redirected to the logon page! In a loop! Same thing happens
> with second sub frame.
> As a work around I have simply rewritten my pages not to use frames, all
> works fine.

I believe that what you indicate above is the core of the issue. It has nothing to do with Tomcat, it has to do with the logic of what you are doing, and the way different browsers handle separate windows (or frames, which are separate windows).

I'll try to give an example:

Suppose that the first document you request from the server is a frame document, with 2 frames. The frame document itself is not submitted to authentication by the server. So it loads in the browser without problems. While loading this frame document, the browser notices that it is a frame document, and that there are 2 links in it to load the individual frames. So the browser creates 2 new windows (the frames) and issues 2 new requests (one per frame), to fill these windows. Any or all of these individual frame URLs is set up on the server as requiring authentication.

So now look at it from the server side. It receives 2 separate (and almost simultaneous) requests for different URLs, each one submitted to authentication. The server has no idea that these requests come from the same browser, and each one is handled separately, as if they came from 2 different workstations even. (So basically, each request may be handled by a different thread or child of the webserver.) At this point, none of these requests contains any authentication headers, because the browser has not done any authentication yet. So basically, the server is going to answer each one of them, individually, by sending the login page. And so on.

The above may not be exactly what happens in your case. But I hope it is sufficient to give you an idea of what to look for. The symptoms are going to vary depending on how each browser exactly issues the different requests to the webserver (in the same connection or not, e.g.), how it handles windows, frames, tabs, iframes etc., the load on your server, how users get to this first page and so on.

In other words, practical recommendation: do not have the first page of your website be a frame document requiring authentication. This would create problems with any webserver, not just with Tomcat.
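The two replies above point at the same defensive fix: make the application's own login step migrate the session itself, and make sure the post-login id reaches the frameset page and both sub-frames. The servlet below is an added example, not code from the thread or from Tomcat; `LoginServlet`, `credentialsValid`, `main.jsp` and the `username`/`password` parameter names are assumptions, while `login.jsp` and the `userName` attribute are the ones the original poster uses.

```java
// Added example (Servlet 2.5 era API, as used by Tomcat 6). Not from the thread.
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Hypothetical credential check: a real one consults the app's user store.
    private boolean credentialsValid(String user, String password) {
        return user != null && password != null && password.length() > 0;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!credentialsValid(user, req.getParameter("password"))) {
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login.jsp"));
            return;
        }

        // 1. Keep whatever the pre-login session already held (locale, cart, ...),
        //    so nothing is lost when the old session goes away.
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // 2. Retire the id the browser used before it was authenticated.
            old.invalidate();
        }

        // 3. Issue a fresh id, restore the carried attributes, mark the login.
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("userName", user);

        // 4. encodeRedirectURL appends ;jsessionid=<new id> when the id was not
        //    delivered by a cookie, so the frameset page is fetched with the
        //    post-login id. The frame src attributes in that page must likewise
        //    be passed through response.encodeURL(...), otherwise the two
        //    sub-frame requests arrive without it and fail the userName check.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/main.jsp"));
    }
}
```

With this in place the `session.getAttribute("userName")==null` test in each frame keeps working regardless of whether the container changes the session id on authentication, because the application no longer depends on the container copying attributes for it.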
Re: 6.0.24 SSL Session always New
Hi, yes you are right, but I add it when I get a new validated session, so it should be there; in effect for my code, it's the same thing. This worked fine for all browsers with 5.0.28, stopped working for all but MSIE from 6.0.20. I think it's a change as mentioned by the other kind respondent, although if anyone knows why it's not consistent across all browsers please let me know. Thanks.

awarnier wrote:
> iainmac wrote:
>> Hi,
>>
>> I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL.
>>
>> I have a web application that checks for a current session, and if there
>> isn't one it sends the user to a login screen. This is working fine from
>> Explorer as it did before in the previous version of Tomcat, but it keeps
>> saying the session is new in Firefox, Safari and Chrome.
>>
>> In the jsp, this keeps taking me back to the login screen...
>>
>> if (session.getAttribute("userName")==null){
>>     response.sendRedirect("login.jsp");
>>     return;
>> }
>>
>> Why would Explorer work and the others not?
>
> Hi.
> I am being a bit adventurous here considering my knowledge of Java and
> JSP, but it seems to me that the test above does not really check
> whether there is or not a session; it checks whether the attribute
> "userName" of the session is defined. That may be a different thing.
>
> Other than that, assuming the above is correct, and assuming that the
> server side is always the same, and only the browser changes,..
> - settings different in the different browsers ? (like IE allows
> cookies, the other ones not ?)
> - you are within a Windows network, and some Windows authentication
> mechanism plays a role when you use IE, and not when you use the other
> browsers ?
>
> You should probably provide more information about your setup, to allow
> people here to make more informed guesses. Like
> - under what OS is Tomcat running ?
> - what kind of authentication does your webapp use ? (WEB-INF/web.xml)
> - are you accessing Tomcat directly, or through another webserver and a
> connector ?
> - the settings of your SSL connector ? (passwords etc. removed)
> - what do the logs say ?
Re: 6.0.24 SSL Session always New
Thanks, I think it must be something to do with that.

Eric Lenio-5 wrote:
> On Fri, Feb 19, 2010 at 12:02:18PM +, iainmac wrote:
>> Hi,
>>
>> I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL.
>>
>> I have a web application that checks for a current session, and if there
>> isn't one it sends the user to a login screen. This is working fine from
>> Explorer as it did before in the previous version of Tomcat, but it keeps
>> saying the session is new in Firefox, Safari and Chrome.
>>
>> In the jsp, this keeps taking me back to the login screen...
>>
>> if (session.getAttribute("userName")==null){
>>     response.sendRedirect("login.jsp");
>>     return;
>> }
>>
>> Why would Explorer work and the others not?
>>
>> Thanks,
>>
>> Iain
>
> You might want to review new protection Tomcat has against session
> fixation, which was done in 6.0.21.
>
> http://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Re: 6.0.24 SSL Session always New
Christopher Schultz-2 wrote:
> Iain,
>
> On 2/19/2010 7:02 AM, iainmac wrote:
>> I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL.
>>
>> I have a web application that checks for a current session, and if there
>> isn't one it sends the user to a login screen. This is working fine from
>> Explorer as it did before in the previous version of Tomcat, but it keeps
>> saying the session is new in Firefox, Safari and Chrome.
>>
>> In the jsp, this keeps taking me back to the login screen...
>>
>> if (session.getAttribute("userName")==null){
>>     response.sendRedirect("login.jsp");
>>     return;
>> }
>
> You might want to provide more information, such as:

---
1. When do you set the "userName" attribute in the session?
On validation of the user.

2. When does authentication occur? How? Container-based, or your own?
I do also have container based as well as my own.

3. When does the session appear to be reset?
It's clear what's happening - just not sure why:
1. From logon screen a new session is created, against that the username and other attributes are stored.
2. After the logon screen does this it then redirects to the actual page I need.
3. This page is made up of a parent frame and 2 sub-frames.
4. The parent frame (the named page that the redirect is to) does that check above i.e. tries to get the Username from the session object- This works successfully. This page begins to load.
5. The first sub-frame begins to load, tries the same check - in MSIE (and in Tomcat 5.0.28 other browsers too) we are given the same validated session, so all works fine. In other browsers with 6.0.24 a new session is given, and so I am again redirected to the logon page! In a loop! Same thing happens with second sub frame.

As a work around I have simply rewritten my pages not to use frames, all works fine. I do wish new versions would keep default behaviour or make it clear the default behaviour has changed.

I think it's related to the session hijacking mentioned in the other reply, but I didn't understand all on the linked page.
---

Christopher Schultz-2 wrote:
> I'm surprised this is working any differently in MSIE than other
> browsers. Are you using any kind of javascript to drive this behavior?
>
> -chris
Re: 6.0.24 SSL Session always New
Iain,

On 2/19/2010 7:02 AM, iainmac wrote:
> I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL.
>
> I have a web application that checks for a current session, and if there
> isn't one it sends the user to a login screen. This is working fine from
> Explorer as it did before in the previous version of Tomcat, but it keeps
> saying the session is new in Firefox, Safari and Chrome.
>
> In the jsp, this keeps taking me back to the login screen...
>
> if (session.getAttribute("userName")==null){
>     response.sendRedirect("login.jsp");
>     return;
> }

You might want to provide more information, such as:

1. When do you set the "userName" attribute in the session?
2. When does authentication occur? How? Container-based, or your own?
3. When does the session appear to be reset?

I'm surprised this is working any differently in MSIE than other browsers. Are you using any kind of javascript to drive this behavior?

-chris
Re: 6.0.24 SSL Session always New
On Fri, Feb 19, 2010 at 12:02:18PM +, iainmac wrote:
> Hi,
>
> I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL.
>
> I have a web application that checks for a current session, and if there
> isn't one it sends the user to a login screen. This is working fine from
> Explorer as it did before in the previous version of Tomcat, but it keeps
> saying the session is new in Firefox, Safari and Chrome.
>
> In the jsp, this keeps taking me back to the login screen...
>
> if (session.getAttribute("userName")==null){
>     response.sendRedirect("login.jsp");
>     return;
> }
>
> Why would Explorer work and the others not?
>
> Thanks,
>
> Iain

You might want to review new protection Tomcat has against session fixation, which was done in 6.0.21.

http://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Re: 6.0.24 SSL Session always New
iainmac wrote:
> Hi,
>
> I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL.
>
> I have a web application that checks for a current session, and if there
> isn't one it sends the user to a login screen. This is working fine from
> Explorer as it did before in the previous version of Tomcat, but it keeps
> saying the session is new in Firefox, Safari and Chrome.
>
> In the jsp, this keeps taking me back to the login screen...
>
> if (session.getAttribute("userName")==null){
>     response.sendRedirect("login.jsp");
>     return;
> }
>
> Why would Explorer work and the others not?

Hi.
I am being a bit adventurous here considering my knowledge of Java and JSP, but it seems to me that the test above does not really check whether there is or not a session; it checks whether the attribute "userName" of the session is defined. That may be a different thing.

Other than that, assuming the above is correct, and assuming that the server side is always the same, and only the browser changes,..
- settings different in the different browsers ? (like IE allows cookies, the other ones not ?)
- you are within a Windows network, and some Windows authentication mechanism plays a role when you use IE, and not when you use the other browsers ?

You should probably provide more information about your setup, to allow people here to make more informed guesses. Like
- under what OS is Tomcat running ?
- what kind of authentication does your webapp use ? (WEB-INF/web.xml)
- are you accessing Tomcat directly, or through another webserver and a connector ?
- the settings of your SSL connector ? (passwords etc. removed)
- what do the logs say ?