RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

Hi Guys,

First of all thanks for your assistance so far.  I played a lot trying to
remove the response.setHeader() and leaving meta tags only in my code, then,
removing meta-tags and leaving response.setHeader(), I tried all possible
combinations of meta tags,etc. 

What I ended up and thought of letting you know is that the problem was
caused by using response.setHeader().  By removing these statement and
leaving the relevant Cache-control, Expires and Pragma meta-tags in the
code, all works fine.

It is indeed very strange to notice this, it should not really make any
difference and cause problems to FireFox specifically.

Once more thanks for your support.

Michael
-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
Sent: 17 February 2006 07:38
To: 'George Sexton'; 'Tomcat Users List'
Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Thanks for the suggestion George.

I don't think is the proxy because IE and other browsers work 
with the same proxy so I don't see why FireFox should not.  I 
will try your suggestion though and let you know the outcome.

As far as other suggestions, no. 1 is particularly interesting 
and will try it, as well as no.2.  For your third suggestion I 
explained to you why I am doing it.

As far as the X-Cache: MISS, etc. these appear with IE as well 
but IE works so it can't be the problem.

Michael

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED]
Sent: 17 February 2006 05:22
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Since I regularly use Firefox and sessions I'm pretty sure that there 
is really nothing unique to that combination that is causing the 
problem. It could be the proxy server below is causing the issue. The 
obvious thing to do would be to try from a different network 
without a 
proxy server and see if your issue clears up.

I would also recommend that you do a little cleanup on your 
HTML pages 
and see if there is some effect on the issue. The specific things I 
would fix in your HTML are:

1)No DocType, causing the page to render in Quirks mode. FYI, this
will cause differences in the box model which will result in 
IE 6.0 and 
FireFox/Mozilla displaying pages very differently.

2)No Content type/charset meta in the header.

3)You have a duplicate HEAD block in the bottom of your page.

Your reference to the cache-control entry:


 Cache-Control: max-age=0

Doesn't appear in my browser. I would suspect that its being added by 
your proxy server.

 X-Cache: MISS from proxy01.spidernet.net
 X-Cache-Lookup: MISS from proxy01.spidernet.net:83

I would also say that if you're going to use the addHeader() 
to put in 
cache/pragma entries that you should not use the META tags.





George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 16, 2006 3:38 PM
 To: 'Tomcat Users List'
 Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; 
 [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Dear all,
 
 Thanks for your replies to my problem.  However, I think the 
 discussion has been diverted into a debate totally
irrelevant to the
 issue.
 
 As far as Chuck's question whether this could be related to
the popup,
 this is not the case as the problem happens on other pages 
too, even 
 on index.jsp (first page)



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Filip Hanik - Dev Lists]

Hi Michael, use LiveHttpHeaders to track all requests until you get your 
session expired.
Then post the log from that here. You only posted one request, how can a 
session expire for one request :) - it can't


Filip


Michael Andreas Omerou wrote:

Dear all,

Thanks for your replies to my problem.  However, I think the discussion has
been diverted into a debate totally irrelevant to the issue.

As far as Chuck's question whether this could be related to the popup, this
is not the case as the problem happens on other pages too, even on index.jsp
(first page)

Regarding Filip's email and monitoring HTTP Headers I am impressed that it
seems to work for you.  I run FireFox on Windows XP Pro SP2 and what happens
is that when a page finishes loading, the session expires on the server.
When the user/browser requests another page the correct session id is sent
from the browser but the server detects that this session id sent is no more
valid (expired) and so we have a timeout.  However, this behaviour, only
occurs with FireFox.   I tried it from another PC with XP Pro SP2 too but
the problem is the same.  With IE, NetScape and Opera all is ok. 

 


I want to emphasize that this behaviour does not happen only when switching
from SSL to non-SSL or vice versa.  Even if I try to access pages such as
the About Us or the Contact Us the session expires again.  However, in that
case the problem is not visible to the user since those pages do not
contain any session specific data so even with a new session it is ok.  Try
the following though and you will see what I mean.  On tophotelchoices.com
do a search for a hotel.  Let the results be displayed and then, go to the
About Us page.  Then, click your browser's back button and instead of going
back to the search results you get a timeout (if you get search results it
will be from browser's cache, do a reload and you will get timeout).

Monitoring the HTTP headers for both IE and Firefox using HttpAnalyzer for
IE and LiveHttpHeaders for Firefox gives the following:
1) IE

(Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
Accept:*/*
Accept-Language:en-gb
Accept-Encoding:gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; InfoPath.1)
Host:www.tophotelchoices.com
Proxy-Connection:Keep-Alive
Pragma:no-cache
Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D

(Status-Line):HTTP/1.0 200 OK
Date:Thu, 16 Feb 2006 22:09:18 GMT
Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control:no-cache
Pragma:no-cache
Expires:Wed, 31 Dec 1969 23:59:59 GMT
Content-Type:text/html;charset=UTF-8
X-Cache:MISS from proxy01.spidernet.net
X-Cache-Lookup:MISS from proxy01.spidernet.net:83
Proxy-Connection:close

2) FIREFOX:
GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.tophotelchoices.com/timeout.jsp
Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
Cache-Control: max-age=0

HTTP/1.x 200 OK
Date: Thu, 16 Feb 2006 22:12:27 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
X-Cache: MISS from proxy01.spidernet.net
X-Cache-Lookup: MISS from proxy01.spidernet.net:83
Proxy-Connection: close

Obviously, the response is the same in both cases, however, for FireFox the
important difference I see in Request is the one saying Cache-control:
max-age=0 and also, the Keep-Alive value 300. I do not think the Keep-Alive
value is the problem, however, the Cache-Control: max-age=0 is suspicious.
In my code I have response.setHeader(Cache-Control,no-cache) but I think
this is different.  Does anyone have a clue what the max-age:0 is doing?

Your help will be greatly appreciated.


Thanks and regards,
Michael



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

Since less than 2% of the users out there now have IE 5.x, I would
personally drop this.

Even further, once you set a valid doctype you ought to think about running
your pages the the w3 validator

http://validator.w3.org/

Doing so can reduce the cases where your pages work differently in different
browsers.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, February 16, 2006 10:18 PM
 To: 'George Sexton'; 'Tomcat Users List'
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 This is really an old thing I read somewhere that IE might 
 not respond to
 the top headers so the only way to force IE to work as you 
 want it to (no
 caching) was to do this (put one more header at the end).  
 Back at that time
 (IE 5 was used with 6 not being released yet) this solved me 
 many problems
 so since then I use this trick it in my code whenever I do 
 not want caching.
 
 Michael 
 
 -Original Message-
 From: George Sexton [mailto:[EMAIL PROTECTED] 
 Sent: 17 February 2006 04:42
 To: 'Tomcat Users List'; [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Just out of curiousity, why do your pages have two HEAD blocks 
 (one at the top, and one at the bottom of the page)?
 
 George Sexton
 MH Software, Inc.
 http://www.mhsoftware.com/
 Voice: 303 438 9585
   


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

And yet it would be so easy to test.

You seem to think that the presence of this header (and how it alters the
page results) will affect both browsers in the same way. Why do you think
this?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
 On Behalf Of BuyRentVillas.com Administrator
 Sent: Thursday, February 16, 2006 10:35 PM
 To: 'George Sexton'; 'Tomcat Users List'
 Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Thanks for the suggestion George.
 
 I don't think is the proxy because IE and other browsers work 
 with the same
 proxy so I don't see why FireFox should not.  I will try your 
 suggestion
 though and let you know the outcome.
 
 As far as other suggestions, no. 1 is particularly 
 interesting and will try
 it, as well as no.2.  For your third suggestion I explained 
 to you why I am
 doing it.
 
 As far as the X-Cache: MISS, etc. these appear with IE as 
 well but IE works
 so it can't be the problem.
 
 Michael
 
 -Original Message-
 From: George Sexton [mailto:[EMAIL PROTECTED] 
 Sent: 17 February 2006 05:22
 To: 'Tomcat Users List'; [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Since I regularly use Firefox and sessions I'm pretty sure 
 that there is really nothing unique to that combination that 
 is causing the problem. It could be the proxy server below is 
 causing the issue. The obvious thing to do would be to try 
 from a different network without a proxy server and see if 
 your issue clears up.
 
 I would also recommend that you do a little cleanup on your 
 HTML pages and see if there is some effect on the issue. The 
 specific things I would fix in your HTML are:
 
 1)   No DocType, causing the page to render in Quirks mode. FYI, this
 will cause differences in the box model which will result in 
 IE 6.0 and FireFox/Mozilla displaying pages very differently.
 
 2)   No Content type/charset meta in the header.
 
 3)   You have a duplicate HEAD block in the bottom of your page.
 
 Your reference to the cache-control entry:
 
 
  Cache-Control: max-age=0
 
 Doesn't appear in my browser. I would suspect that its being 
 added by your proxy server.
 
  X-Cache: MISS from proxy01.spidernet.net
  X-Cache-Lookup: MISS from proxy01.spidernet.net:83
 
 I would also say that if you're going to use the addHeader() 
 to put in cache/pragma entries that you should not use the META tags.
 
 
 
 
 
 George Sexton
 MH Software, Inc.
 http://www.mhsoftware.com/
 Voice: 303 438 9585
   
 
  -Original Message-
  From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
  Sent: Thursday, February 16, 2006 3:38 PM
  To: 'Tomcat Users List'
  Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; 
  [EMAIL PROTECTED]
  Subject: RE: Session Expires At Every Request 
 (Tomcat5.0.28/Firefox)
  
  Dear all,
  
  Thanks for your replies to my problem.  However, I think the 
  discussion has been diverted into a debate totally 
 irrelevant to the 
  issue.
  
  As far as Chuck's question whether this could be related to 
 the popup, 
  this is not the case as the problem happens on other pages 
 too, even 
  on index.jsp (first page)
 
 
 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

Dear all,

Thanks for your replies to my problem.  However, I think the discussion has
been diverted into a debate totally irrelevant to the issue.

As far as Chuck's question whether this could be related to the popup, this
is not the case as the problem happens on other pages too, even on index.jsp
(first page)

Regarding Filip's email and monitoring HTTP Headers I am impressed that it
seems to work for you.  I run FireFox on Windows XP Pro SP2 and what happens
is that when a page finishes loading, the session expires on the server.
When the user/browser requests another page the correct session id is sent
from the browser but the server detects that this session id sent is no more
valid (expired) and so we have a timeout.  However, this behaviour, only
occurs with FireFox.   I tried it from another PC with XP Pro SP2 too but
the problem is the same.  With IE, NetScape and Opera all is ok. 

 

I want to emphasize that this behaviour does not happen only when switching
from SSL to non-SSL or vice versa.  Even if I try to access pages such as
the About Us or the Contact Us the session expires again.  However, in that
case the problem is not visible to the user since those pages do not
contain any session specific data so even with a new session it is ok.  Try
the following though and you will see what I mean.  On tophotelchoices.com
do a search for a hotel.  Let the results be displayed and then, go to the
About Us page.  Then, click your browser's back button and instead of going
back to the search results you get a timeout (if you get search results it
will be from browser's cache, do a reload and you will get timeout).

Monitoring the HTTP headers for both IE and Firefox using HttpAnalyzer for
IE and LiveHttpHeaders for Firefox gives the following:
1) IE

(Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
Accept:*/*
Accept-Language:en-gb
Accept-Encoding:gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; InfoPath.1)
Host:www.tophotelchoices.com
Proxy-Connection:Keep-Alive
Pragma:no-cache
Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D

(Status-Line):HTTP/1.0 200 OK
Date:Thu, 16 Feb 2006 22:09:18 GMT
Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control:no-cache
Pragma:no-cache
Expires:Wed, 31 Dec 1969 23:59:59 GMT
Content-Type:text/html;charset=UTF-8
X-Cache:MISS from proxy01.spidernet.net
X-Cache-Lookup:MISS from proxy01.spidernet.net:83
Proxy-Connection:close

2) FIREFOX:
GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.tophotelchoices.com/timeout.jsp
Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
Cache-Control: max-age=0

HTTP/1.x 200 OK
Date: Thu, 16 Feb 2006 22:12:27 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
X-Cache: MISS from proxy01.spidernet.net
X-Cache-Lookup: MISS from proxy01.spidernet.net:83
Proxy-Connection: close

Obviously, the response is the same in both cases, however, for FireFox the
important difference I see in Request is the one saying Cache-control:
max-age=0 and also, the Keep-Alive value 300. I do not think the Keep-Alive
value is the problem, however, the Cache-Control: max-age=0 is suspicious.
In my code I have response.setHeader(Cache-Control,no-cache) but I think
this is different.  Does anyone have a clue what the max-age:0 is doing?

Your help will be greatly appreciated.


Thanks and regards,
Michael

-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 22:16
To: Tomcat Users List
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

George Sexton wrote:
 Does the code transparently create a new JSessionID value then?

George,
you might wanna rethink your comments, they don't shine any 
light on the issue and they for sure don't state any facts, 
let me prove you I am right. Below is the headers I tracked 
with LiveHttpHeaders, as you can see, JSESSIONID remains 
exactly the same in the browser request when the switch from 
HTTP to HTTPS happens.
This is Firefox on Fedora 4. The site works fine.

This must be a browser issue, can you tell us a little bit 
more about what version and platform your browser is on.

1. Request to the home - non secure

http://www.tophotelchoices.com/
GET / HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1)
Gecko/20060124 Firefox/1.5.0.1
Accept: 
text/xml,application

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

Just out of curiousity, why do your pages have two HEAD blocks (one at the
top, and one at the bottom of the page)?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, February 16, 2006 3:38 PM
 To: 'Tomcat Users List'
 Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; 
 [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Dear all,
 
 Thanks for your replies to my problem.  However, I think the 
 discussion has
 been diverted into a debate totally irrelevant to the issue.
 
 As far as Chuck's question whether this could be related to 
 the popup, this
 is not the case as the problem happens on other pages too, 
 even on index.jsp
 (first page)
 
 Regarding Filip's email and monitoring HTTP Headers I am 
 impressed that it
 seems to work for you.  I run FireFox on Windows XP Pro SP2 
 and what happens
 is that when a page finishes loading, the session expires on 
 the server.
 When the user/browser requests another page the correct 
 session id is sent
 from the browser but the server detects that this session id 
 sent is no more
 valid (expired) and so we have a timeout.  However, this 
 behaviour, only
 occurs with FireFox.   I tried it from another PC with XP Pro 
 SP2 too but
 the problem is the same.  With IE, NetScape and Opera all is ok. 
 
  
 
 I want to emphasize that this behaviour does not happen only 
 when switching
 from SSL to non-SSL or vice versa.  Even if I try to access 
 pages such as
 the About Us or the Contact Us the session expires again.  
 However, in that
 case the problem is not visible to the user since those pages do not
 contain any session specific data so even with a new session 
 it is ok.  Try
 the following though and you will see what I mean.  On 
 tophotelchoices.com
 do a search for a hotel.  Let the results be displayed and 
 then, go to the
 About Us page.  Then, click your browser's back button and 
 instead of going
 back to the search results you get a timeout (if you get 
 search results it
 will be from browser's cache, do a reload and you will get timeout).
 
 Monitoring the HTTP headers for both IE and Firefox using 
 HttpAnalyzer for
 IE and LiveHttpHeaders for Firefox gives the following:
 1) IE
 
 (Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
 Accept:*/*
 Accept-Language:en-gb
 Accept-Encoding:gzip, deflate
 User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
 SV1; .NET CLR
 1.1.4322; InfoPath.1)
 Host:www.tophotelchoices.com
 Proxy-Connection:Keep-Alive
 Pragma:no-cache
 Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D
 
 (Status-Line):HTTP/1.0 200 OK
 Date:Thu, 16 Feb 2006 22:09:18 GMT
 Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
 Cache-Control:no-cache
 Pragma:no-cache
 Expires:Wed, 31 Dec 1969 23:59:59 GMT
 Content-Type:text/html;charset=UTF-8
 X-Cache:MISS from proxy01.spidernet.net
 X-Cache-Lookup:MISS from proxy01.spidernet.net:83
 Proxy-Connection:close
 
 2) FIREFOX:
 GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
 Host: www.tophotelchoices.com
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12)
 Gecko/20050919 Firefox/1.0.7
 Accept:
 text/xml,application/xml,application/xhtml+xml,text/html;q=0.9
,text/plain;q=
 0.8,image/png,*/*;q=0.5
 Accept-Language: en-gb,en;q=0.5
 Accept-Encoding: gzip,deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Keep-Alive: 300
 Proxy-Connection: keep-alive
 Referer: http://www.tophotelchoices.com/timeout.jsp
 Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
 Cache-Control: max-age=0
 
 HTTP/1.x 200 OK
 Date: Thu, 16 Feb 2006 22:12:27 GMT
 Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
 Cache-Control: no-cache
 Pragma: no-cache
 Expires: Wed, 31 Dec 1969 23:59:59 GMT
 Content-Type: text/html;charset=UTF-8
 X-Cache: MISS from proxy01.spidernet.net
 X-Cache-Lookup: MISS from proxy01.spidernet.net:83
 Proxy-Connection: close
 
 Obviously, the response is the same in both cases, however, 
 for FireFox the
 important difference I see in Request is the one saying Cache-control:
 max-age=0 and also, the Keep-Alive value 300. I do not think 
 the Keep-Alive
 value is the problem, however, the Cache-Control: max-age=0 
 is suspicious.
 In my code I have 
 response.setHeader(Cache-Control,no-cache) but I think
 this is different.  Does anyone have a clue what the 
 max-age:0 is doing?
 
 Your help will be greatly appreciated.
 
 
 Thanks and regards,
 Michael
 
 -Original Message-
 From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] 
 Sent: 15 February 2006 22:16
 To: Tomcat Users List
 Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 George Sexton wrote:
  Does the code transparently create a new JSessionID value then?
 
 George,
 you might wanna rethink your comments, they don't shine any 
 light on the issue and they for sure don't state any facts, 
 let me

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Wade Chandler]

  Monitoring the HTTP headers for both IE and
 Firefox using 
  HttpAnalyzer for
  IE and LiveHttpHeaders for Firefox gives the
 following:
  1) IE
  
  (Request-Line):GET http://www.tophotelchoices.com/
 HTTP/1.1
  Accept:*/*
  Accept-Language:en-gb
  Accept-Encoding:gzip, deflate
  User-Agent:Mozilla/4.0 (compatible; MSIE 6.0;
 Windows NT 5.1; 
  SV1; .NET CLR
  1.1.4322; InfoPath.1)
  Host:www.tophotelchoices.com
  Proxy-Connection:Keep-Alive
  Pragma:no-cache
  Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D
  
  (Status-Line):HTTP/1.0 200 OK
  Date:Thu, 16 Feb 2006 22:09:18 GMT
  Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
  Cache-Control:no-cache
  Pragma:no-cache
  Expires:Wed, 31 Dec 1969 23:59:59 GMT
  Content-Type:text/html;charset=UTF-8
  X-Cache:MISS from proxy01.spidernet.net
  X-Cache-Lookup:MISS from proxy01.spidernet.net:83
  Proxy-Connection:close
  
  2) FIREFOX:
  GET http://www.tophotelchoices.com/index.jsp
 HTTP/1.1
  Host: www.tophotelchoices.com
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT
 5.1; en-GB; rv:1.7.12)
  Gecko/20050919 Firefox/1.0.7
  Accept:
 

text/xml,application/xml,application/xhtml+xml,text/html;q=0.9
 ,text/plain;q=
  0.8,image/png,*/*;q=0.5
  Accept-Language: en-gb,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Proxy-Connection: keep-alive
  Referer:
 http://www.tophotelchoices.com/timeout.jsp
  Cookie:
 JSESSIONID=3849A82D2F9B6991FE41073D771D1358
  Cache-Control: max-age=0
  
  HTTP/1.x 200 OK
  Date: Thu, 16 Feb 2006 22:12:27 GMT
  Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
  Cache-Control: no-cache
  Pragma: no-cache
  Expires: Wed, 31 Dec 1969 23:59:59 GMT
  Content-Type: text/html;charset=UTF-8
  X-Cache: MISS from proxy01.spidernet.net
  X-Cache-Lookup: MISS from proxy01.spidernet.net:83
  Proxy-Connection: close
  
  Obviously, the response is the same in both cases,
 however, 
  for FireFox the
  important difference I see in Request is the one
 saying Cache-control:
  max-age=0 and also, the Keep-Alive value 300. I do
 not think 
  the Keep-Alive
  value is the problem, however, the Cache-Control:
 max-age=0 
  is suspicious.
  In my code I have 
  response.setHeader(Cache-Control,no-cache) but
 I think
  this is different.  Does anyone have a clue what
 the 
  max-age:0 is doing?
  
  Your help will be greatly appreciated.
  
  
  Thanks and regards,
  Michael
  
  -Original Message-
  From: Filip Hanik - Dev Lists
 [mailto:[EMAIL PROTECTED] 
  Sent: 15 February 2006 22:16
  To: Tomcat Users List
  Subject: Re: Session Expires At Every Request
 (Tomcat5.0.28/Firefox)
  
  George Sexton wrote:
   Does the code transparently create a new
 JSessionID value then?
  
  George,
  you might wanna rethink your comments, they don't
 shine any 
  light on the issue and they for sure don't state
 any facts, 
  let me prove you I am right. Below is the headers
 I tracked 
  with LiveHttpHeaders, as you can see, JSESSIONID
 remains 
  exactly the same in the browser request when the
 switch from 
  HTTP to HTTPS happens.
  This is Firefox on Fedora 4. The site works fine.
  
  This must be a browser issue, can you tell us a
 little bit 
  more about what version and platform your browser
 is on.
  
  1. Request to the home - non secure
 


  http://www.tophotelchoices.com/
  GET / HTTP/1.1
  Host: www.tophotelchoices.com
  User-Agent: Mozilla/5.0 (X11; U; Linux i686;
 en-US; rv:1.8.0.1)
  Gecko/20060124 Firefox/1.5.0.1
  Accept: 
 

text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
  text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://www.tophotelchoices.com/
  
  HTTP/1.x 200 OK
  Date: Wed, 15 Feb 2006 20:08:55 GMT
  Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
  Set-Cookie:
 JSESSIONID=735009FD40D725EDAA14389409CD60FF; Path=/
  Cache-Control: no-cache
  Pragma: no-cache
  Expires: Wed, 31 Dec 1969 23:59:59 GMT
  Keep-Alive: timeout=5, max=20
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html;charset=UTF-8
  
  2. Click on the request button - switch from HTTP
 to HTTPS 
 

https://www.tophotelchoices.com/bookingServlet1?hotel=ASI
  GET /bookingServlet1?hotel=ASI HTTP/1.1
  Host: www.tophotelchoices.com:443
  User-Agent: Mozilla/5.0 (X11; U; Linux i686;
 en-US; rv:1.8.0.1)
  Gecko/20060124 Firefox/1.5.0.1
  Accept: 
 

text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
  text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer:
 http://www.tophotelchoices.com/searchResults.jsp
  Cookie:
 JSESSIONID=735009FD40D725EDAA14389409CD60FF
  
  HTTP/1.x 200 OK
  Date: Wed, 15 Feb

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

Since I regularly use Firefox and sessions I'm pretty sure that there is
really nothing unique to that combination that is causing the problem. It
could be the proxy server below is causing the issue. The obvious thing to
do would be to try from a different network without a proxy server and see
if your issue clears up.

I would also recommend that you do a little cleanup on your HTML pages and
see if there is some effect on the issue. The specific things I would fix in
your HTML are:

1)  No DocType, causing the page to render in Quirks mode. FYI, this
will cause differences in the box model which will result in IE 6.0 and
FireFox/Mozilla displaying pages very differently.

2)  No Content type/charset meta in the header.

3)  You have a duplicate HEAD block in the bottom of your page.

Your reference to the cache-control entry:


 Cache-Control: max-age=0

Doesn't appear in my browser. I would suspect that its being added by your
proxy server.

 X-Cache: MISS from proxy01.spidernet.net
 X-Cache-Lookup: MISS from proxy01.spidernet.net:83

I would also say that if you're going to use the addHeader() to put in
cache/pragma entries that you should not use the META tags.





George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, February 16, 2006 3:38 PM
 To: 'Tomcat Users List'
 Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; 
 [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Dear all,
 
 Thanks for your replies to my problem.  However, I think the 
 discussion has
 been diverted into a debate totally irrelevant to the issue.
 
 As far as Chuck's question whether this could be related to 
 the popup, this
 is not the case as the problem happens on other pages too, 
 even on index.jsp
 (first page)


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Bill Barker]

Michael Andreas Omerou [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 Dear all,

 Thanks for your replies to my problem.  However, I think the discussion 
 has
 been diverted into a debate totally irrelevant to the issue.


Not that I'm all that interested, but just to push this along, what are the 
Cookie properties in FireFox after you request a page?

Personally, I'm betting that FireFox is probably applying your 
cache-control/max-age headers to the Cookies as well as to the page itself.

 As far as Chuck's question whether this could be related to the popup, 
 this
 is not the case as the problem happens on other pages too, even on 
 index.jsp
 (first page)

 Regarding Filip's email and monitoring HTTP Headers I am impressed that it
 seems to work for you.  I run FireFox on Windows XP Pro SP2 and what 
 happens
 is that when a page finishes loading, the session expires on the server.
 When the user/browser requests another page the correct session id is sent
 from the browser but the server detects that this session id sent is no 
 more
 valid (expired) and so we have a timeout.  However, this behaviour, only
 occurs with FireFox.   I tried it from another PC with XP Pro SP2 too but
 the problem is the same.  With IE, NetScape and Opera all is ok.



 I want to emphasize that this behaviour does not happen only when 
 switching
 from SSL to non-SSL or vice versa.  Even if I try to access pages such as
 the About Us or the Contact Us the session expires again.  However, in 
 that
 case the problem is not visible to the user since those pages do not
 contain any session specific data so even with a new session it is ok. 
 Try
 the following though and you will see what I mean.  On tophotelchoices.com
 do a search for a hotel.  Let the results be displayed and then, go to the
 About Us page.  Then, click your browser's back button and instead of 
 going
 back to the search results you get a timeout (if you get search results it
 will be from browser's cache, do a reload and you will get timeout).

 Monitoring the HTTP headers for both IE and Firefox using HttpAnalyzer for
 IE and LiveHttpHeaders for Firefox gives the following:
 1) IE

 (Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
 Accept:*/*
 Accept-Language:en-gb
 Accept-Encoding:gzip, deflate
 User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
 CLR
 1.1.4322; InfoPath.1)
 Host:www.tophotelchoices.com
 Proxy-Connection:Keep-Alive
 Pragma:no-cache
 Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D

 (Status-Line):HTTP/1.0 200 OK
 Date:Thu, 16 Feb 2006 22:09:18 GMT
 Server:Apache/1.3.33 (Unix) mod_jk/1.2.15
 Cache-Control:no-cache
 Pragma:no-cache
 Expires:Wed, 31 Dec 1969 23:59:59 GMT
 Content-Type:text/html;charset=UTF-8
 X-Cache:MISS from proxy01.spidernet.net
 X-Cache-Lookup:MISS from proxy01.spidernet.net:83
 Proxy-Connection:close

 2) FIREFOX:
 GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
 Host: www.tophotelchoices.com
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12)
 Gecko/20050919 Firefox/1.0.7
 Accept:
 text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
 0.8,image/png,*/*;q=0.5
 Accept-Language: en-gb,en;q=0.5
 Accept-Encoding: gzip,deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Keep-Alive: 300
 Proxy-Connection: keep-alive
 Referer: http://www.tophotelchoices.com/timeout.jsp
 Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
 Cache-Control: max-age=0

 HTTP/1.x 200 OK
 Date: Thu, 16 Feb 2006 22:12:27 GMT
 Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
 Cache-Control: no-cache
 Pragma: no-cache
 Expires: Wed, 31 Dec 1969 23:59:59 GMT
 Content-Type: text/html;charset=UTF-8
 X-Cache: MISS from proxy01.spidernet.net
 X-Cache-Lookup: MISS from proxy01.spidernet.net:83
 Proxy-Connection: close

 Obviously, the response is the same in both cases, however, for FireFox 
 the
 important difference I see in Request is the one saying Cache-control:
 max-age=0 and also, the Keep-Alive value 300. I do not think the 
 Keep-Alive
 value is the problem, however, the Cache-Control: max-age=0 is suspicious.
 In my code I have response.setHeader(Cache-Control,no-cache) but I 
 think
 this is different.  Does anyone have a clue what the max-age:0 is doing?

 Your help will be greatly appreciated.


 Thanks and regards,
 Michael

-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 22:16
To: Tomcat Users List
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

George Sexton wrote:
 Does the code transparently create a new JSessionID value then?

George,
you might wanna rethink your comments, they don't shine any
light on the issue and they for sure don't state any facts,
let me prove you I am right. Below is the headers I tracked
with LiveHttpHeaders, as you can see, JSESSIONID remains
exactly the same in the browser request when the switch from
HTTP to HTTPS happens

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

This is really an old thing I read somewhere that IE might not respond to
the top headers so the only way to force IE to work as you want it to (no
caching) was to do this (put one more header at the end).  Back at that time
(IE 5 was used with 6 not being released yet) this solved me many problems
so since then I use this trick it in my code whenever I do not want caching.

Michael 

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED] 
Sent: 17 February 2006 04:42
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Just out of curiousity, why do your pages have two HEAD blocks 
(one at the top, and one at the bottom of the page)?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 16, 2006 3:38 PM
 To: 'Tomcat Users List'
 Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; 
 [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Dear all,
 
 Thanks for your replies to my problem.  However, I think the 
 discussion has been diverted into a debate totally 
irrelevant to the 
 issue.
 
 As far as Chuck's question whether this could be related to 
the popup, 
 this is not the case as the problem happens on other pages too, even 
 on index.jsp (first page)
 
 Regarding Filip's email and monitoring HTTP Headers I am impressed 
 that it seems to work for you.  I run FireFox on Windows XP Pro SP2 
 and what happens is that when a page finishes loading, the session 
 expires on the server.
 When the user/browser requests another page the correct 
session id is 
 sent from the browser but the server detects that this 
session id sent 
 is no more valid (expired) and so we have a timeout.  However, this 
 behaviour, only
 occurs with FireFox.   I tried it from another PC with XP Pro 
 SP2 too but
 the problem is the same.  With IE, NetScape and Opera all is ok. 
 
  
 
 I want to emphasize that this behaviour does not happen only when 
 switching from SSL to non-SSL or vice versa.  Even if I try 
to access 
 pages such as the About Us or the Contact Us the session expires 
 again.
 However, in that
 case the problem is not visible to the user since those 
pages do not 
 contain any session specific data so even with a new session 
it is ok.  
 Try the following though and you will see what I mean.  On 
 tophotelchoices.com do a search for a hotel.  Let the results be 
 displayed and then, go to the About Us page.  Then, click your 
 browser's back button and instead of going back to the 
search results 
 you get a timeout (if you get search results it will be from 
browser's 
 cache, do a reload and you will get timeout).
 
 Monitoring the HTTP headers for both IE and Firefox using 
HttpAnalyzer 
 for IE and LiveHttpHeaders for Firefox gives the following:
 1) IE
 
 (Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
 Accept:*/*
 Accept-Language:en-gb
 Accept-Encoding:gzip, deflate
 User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
 .NET CLR 1.1.4322; InfoPath.1) Host:www.tophotelchoices.com 
 Proxy-Connection:Keep-Alive Pragma:no-cache 
 Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D
 
 (Status-Line):HTTP/1.0 200 OK
 Date:Thu, 16 Feb 2006 22:09:18 GMT
 Server:Apache/1.3.33 (Unix) mod_jk/1.2.15 Cache-Control:no-cache 
 Pragma:no-cache Expires:Wed, 31 Dec 1969 23:59:59 GMT
 Content-Type:text/html;charset=UTF-8
 X-Cache:MISS from proxy01.spidernet.net X-Cache-Lookup:MISS from 
 proxy01.spidernet.net:83 Proxy-Connection:close
 
 2) FIREFOX:
 GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
 Host: www.tophotelchoices.com
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; 
rv:1.7.12)
 Gecko/20050919 Firefox/1.0.7
 Accept:
 text/xml,application/xml,application/xhtml+xml,text/html;q=0.9
,text/plain;q=
 0.8,image/png,*/*;q=0.5
 Accept-Language: en-gb,en;q=0.5
 Accept-Encoding: gzip,deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Keep-Alive: 300
 Proxy-Connection: keep-alive
 Referer: http://www.tophotelchoices.com/timeout.jsp
 Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
 Cache-Control: max-age=0
 
 HTTP/1.x 200 OK
 Date: Thu, 16 Feb 2006 22:12:27 GMT
 Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
 Cache-Control: no-cache
 Pragma: no-cache
 Expires: Wed, 31 Dec 1969 23:59:59 GMT
 Content-Type: text/html;charset=UTF-8
 X-Cache: MISS from proxy01.spidernet.net
 X-Cache-Lookup: MISS from proxy01.spidernet.net:83
 Proxy-Connection: close
 
 Obviously, the response is the same in both cases, however, for 
 FireFox the important difference I see in Request is the one saying 
 Cache-control:
 max-age=0 and also, the Keep-Alive value 300. I do not think the 
 Keep-Alive value is the problem, however, the Cache-Control: 
max-age=0 
 is suspicious.
 In my code I have
 response.setHeader(Cache-Control,no-cache) but I

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

Thanks for the suggestion Wade but I really did what you are saying and
headers reach the server correctly.

Michael 

-Original Message-
From: Wade Chandler [mailto:[EMAIL PROTECTED] 
Sent: 17 February 2006 05:16
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

  Monitoring the HTTP headers for both IE and
 Firefox using
  HttpAnalyzer for
  IE and LiveHttpHeaders for Firefox gives the
 following:
  1) IE
  
  (Request-Line):GET http://www.tophotelchoices.com/
 HTTP/1.1
  Accept:*/*
  Accept-Language:en-gb
  Accept-Encoding:gzip, deflate
  User-Agent:Mozilla/4.0 (compatible; MSIE 6.0;
 Windows NT 5.1;
  SV1; .NET CLR
  1.1.4322; InfoPath.1)
  Host:www.tophotelchoices.com
  Proxy-Connection:Keep-Alive
  Pragma:no-cache
  Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D
  
  (Status-Line):HTTP/1.0 200 OK
  Date:Thu, 16 Feb 2006 22:09:18 GMT
  Server:Apache/1.3.33 (Unix) mod_jk/1.2.15 Cache-Control:no-cache 
  Pragma:no-cache Expires:Wed, 31 Dec 1969 23:59:59 GMT
  Content-Type:text/html;charset=UTF-8
  X-Cache:MISS from proxy01.spidernet.net X-Cache-Lookup:MISS from 
  proxy01.spidernet.net:83 Proxy-Connection:close
  
  2) FIREFOX:
  GET http://www.tophotelchoices.com/index.jsp
 HTTP/1.1
  Host: www.tophotelchoices.com
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT
 5.1; en-GB; rv:1.7.12)
  Gecko/20050919 Firefox/1.0.7
  Accept:
 

text/xml,application/xml,application/xhtml+xml,text/html;q=0.9
 ,text/plain;q=
  0.8,image/png,*/*;q=0.5
  Accept-Language: en-gb,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Proxy-Connection: keep-alive
  Referer:
 http://www.tophotelchoices.com/timeout.jsp
  Cookie:
 JSESSIONID=3849A82D2F9B6991FE41073D771D1358
  Cache-Control: max-age=0
  
  HTTP/1.x 200 OK
  Date: Thu, 16 Feb 2006 22:12:27 GMT
  Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
  Cache-Control: no-cache
  Pragma: no-cache
  Expires: Wed, 31 Dec 1969 23:59:59 GMT
  Content-Type: text/html;charset=UTF-8
  X-Cache: MISS from proxy01.spidernet.net
  X-Cache-Lookup: MISS from proxy01.spidernet.net:83
  Proxy-Connection: close
  
  Obviously, the response is the same in both cases,
 however,
  for FireFox the
  important difference I see in Request is the one
 saying Cache-control:
  max-age=0 and also, the Keep-Alive value 300. I do
 not think
  the Keep-Alive
  value is the problem, however, the Cache-Control:
 max-age=0
  is suspicious.
  In my code I have
  response.setHeader(Cache-Control,no-cache) but
 I think
  this is different.  Does anyone have a clue what
 the
  max-age:0 is doing?
  
  Your help will be greatly appreciated.
  
  
  Thanks and regards,
  Michael
  
  -Original Message-
  From: Filip Hanik - Dev Lists
 [mailto:[EMAIL PROTECTED]
  Sent: 15 February 2006 22:16
  To: Tomcat Users List
  Subject: Re: Session Expires At Every Request
 (Tomcat5.0.28/Firefox)
  
  George Sexton wrote:
   Does the code transparently create a new
 JSessionID value then?
  
  George,
  you might wanna rethink your comments, they don't
 shine any
  light on the issue and they for sure don't state
 any facts,
  let me prove you I am right. Below is the headers
 I tracked
  with LiveHttpHeaders, as you can see, JSESSIONID
 remains
  exactly the same in the browser request when the
 switch from
  HTTP to HTTPS happens.
  This is Firefox on Fedora 4. The site works fine.
  
  This must be a browser issue, can you tell us a
 little bit
  more about what version and platform your browser
 is on.
  
  1. Request to the home - non secure
 


  http://www.tophotelchoices.com/
  GET / HTTP/1.1
  Host: www.tophotelchoices.com
  User-Agent: Mozilla/5.0 (X11; U; Linux i686;
 en-US; rv:1.8.0.1)
  Gecko/20060124 Firefox/1.5.0.1
  Accept: 
 

text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
  text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://www.tophotelchoices.com/
  
  HTTP/1.x 200 OK
  Date: Wed, 15 Feb 2006 20:08:55 GMT
  Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
  Set-Cookie:
 JSESSIONID=735009FD40D725EDAA14389409CD60FF; Path=/
  Cache-Control: no-cache
  Pragma: no-cache
  Expires: Wed, 31 Dec 1969 23:59:59 GMT
  Keep-Alive: timeout=5, max=20
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html;charset=UTF-8
  
  2. Click on the request button - switch from HTTP
 to HTTPS
 

https://www.tophotelchoices.com/bookingServlet1?hotel=ASI
  GET /bookingServlet1?hotel=ASI HTTP/1.1
  Host: www.tophotelchoices.com:443
  User-Agent: Mozilla/5.0 (X11; U; Linux i686;
 en-US; rv:1.8.0.1)
  Gecko/20060124 Firefox/1.5.0.1
  Accept: 
 

text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
  text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language: en

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

More or less this what I think as well! That Cache-control: max-age=0 is
applied to cookies too.  However the cookies in Firefox seem to have the
correct expiration date.

Michael

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: 17 February 2006 06:03
To: users@tomcat.apache.org
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)


Michael Andreas Omerou [EMAIL PROTECTED] wrote in 
message news:[EMAIL PROTECTED]
 Dear all,

 Thanks for your replies to my problem.  However, I think the 
 discussion has been diverted into a debate totally 
irrelevant to the 
 issue.


Not that I'm all that interested, but just to push this along, 
what are the Cookie properties in FireFox after you request a page?

Personally, I'm betting that FireFox is probably applying your 
cache-control/max-age headers to the Cookies as well as to the 
page itself.

 As far as Chuck's question whether this could be related to 
the popup, 
 this is not the case as the problem happens on other pages too, even 
 on index.jsp (first page)

 Regarding Filip's email and monitoring HTTP Headers I am impressed 
 that it seems to work for you.  I run FireFox on Windows XP Pro SP2 
 and what happens is that when a page finishes loading, the session 
 expires on the server.
 When the user/browser requests another page the correct 
session id is 
 sent from the browser but the server detects that this 
session id sent 
 is no more valid (expired) and so we have a timeout.  However, this 
 behaviour, only
 occurs with FireFox.   I tried it from another PC with XP 
Pro SP2 too but
 the problem is the same.  With IE, NetScape and Opera all is ok.



 I want to emphasize that this behaviour does not happen only when 
 switching from SSL to non-SSL or vice versa.  Even if I try 
to access 
 pages such as the About Us or the Contact Us the session expires 
 again.  However, in that case the problem is not visible 
to the user 
 since those pages do not contain any session specific data so even 
 with a new session it is ok.
 Try
 the following though and you will see what I mean.  On 
 tophotelchoices.com do a search for a hotel.  Let the results be 
 displayed and then, go to the About Us page.  Then, click your 
 browser's back button and instead of going back to the 
search results 
 you get a timeout (if you get search results it will be from 
browser's 
 cache, do a reload and you will get timeout).

 Monitoring the HTTP headers for both IE and Firefox using 
HttpAnalyzer 
 for IE and LiveHttpHeaders for Firefox gives the following:
 1) IE

 (Request-Line):GET http://www.tophotelchoices.com/ HTTP/1.1
 Accept:*/*
 Accept-Language:en-gb
 Accept-Encoding:gzip, deflate
 User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
 .NET CLR 1.1.4322; InfoPath.1) Host:www.tophotelchoices.com 
 Proxy-Connection:Keep-Alive Pragma:no-cache 
 Cookie:JSESSIONID=6F187E9E698F5D81A09DF6AD0D25115D

 (Status-Line):HTTP/1.0 200 OK
 Date:Thu, 16 Feb 2006 22:09:18 GMT
 Server:Apache/1.3.33 (Unix) mod_jk/1.2.15 Cache-Control:no-cache 
 Pragma:no-cache Expires:Wed, 31 Dec 1969 23:59:59 GMT
 Content-Type:text/html;charset=UTF-8
 X-Cache:MISS from proxy01.spidernet.net X-Cache-Lookup:MISS from 
 proxy01.spidernet.net:83 Proxy-Connection:close

 2) FIREFOX:
 GET http://www.tophotelchoices.com/index.jsp HTTP/1.1
 Host: www.tophotelchoices.com
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; 
rv:1.7.12)
 Gecko/20050919 Firefox/1.0.7
 Accept:
 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/pl
 ain;q=
 0.8,image/png,*/*;q=0.5
 Accept-Language: en-gb,en;q=0.5
 Accept-Encoding: gzip,deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Keep-Alive: 300
 Proxy-Connection: keep-alive
 Referer: http://www.tophotelchoices.com/timeout.jsp
 Cookie: JSESSIONID=3849A82D2F9B6991FE41073D771D1358
 Cache-Control: max-age=0

 HTTP/1.x 200 OK
 Date: Thu, 16 Feb 2006 22:12:27 GMT
 Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
 Cache-Control: no-cache
 Pragma: no-cache
 Expires: Wed, 31 Dec 1969 23:59:59 GMT
 Content-Type: text/html;charset=UTF-8
 X-Cache: MISS from proxy01.spidernet.net
 X-Cache-Lookup: MISS from proxy01.spidernet.net:83
 Proxy-Connection: close

 Obviously, the response is the same in both cases, however, for 
 FireFox the important difference I see in Request is the one saying 
 Cache-control:
 max-age=0 and also, the Keep-Alive value 300. I do not think the 
 Keep-Alive value is the problem, however, the Cache-Control: 
max-age=0 
 is suspicious.
 In my code I have 
response.setHeader(Cache-Control,no-cache) but I 
 think this is different.  Does anyone have a clue what the max-age:0 
 is doing?

 Your help will be greatly appreciated.


 Thanks and regards,
 Michael

-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 22:16
To: Tomcat Users List
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[BuyRentVillas.com Administrator]

Thanks for the suggestion George.

I don't think is the proxy because IE and other browsers work with the same
proxy so I don't see why FireFox should not.  I will try your suggestion
though and let you know the outcome.

As far as other suggestions, no. 1 is particularly interesting and will try
it, as well as no.2.  For your third suggestion I explained to you why I am
doing it.

As far as the X-Cache: MISS, etc. these appear with IE as well but IE works
so it can't be the problem.

Michael

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED] 
Sent: 17 February 2006 05:22
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Since I regularly use Firefox and sessions I'm pretty sure 
that there is really nothing unique to that combination that 
is causing the problem. It could be the proxy server below is 
causing the issue. The obvious thing to do would be to try 
from a different network without a proxy server and see if 
your issue clears up.

I would also recommend that you do a little cleanup on your 
HTML pages and see if there is some effect on the issue. The 
specific things I would fix in your HTML are:

1) No DocType, causing the page to render in Quirks mode. FYI, this
will cause differences in the box model which will result in 
IE 6.0 and FireFox/Mozilla displaying pages very differently.

2) No Content type/charset meta in the header.

3) You have a duplicate HEAD block in the bottom of your page.

Your reference to the cache-control entry:


 Cache-Control: max-age=0

Doesn't appear in my browser. I would suspect that its being 
added by your proxy server.

 X-Cache: MISS from proxy01.spidernet.net
 X-Cache-Lookup: MISS from proxy01.spidernet.net:83

I would also say that if you're going to use the addHeader() 
to put in cache/pragma entries that you should not use the META tags.





George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 16, 2006 3:38 PM
 To: 'Tomcat Users List'
 Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; 
 [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Dear all,
 
 Thanks for your replies to my problem.  However, I think the 
 discussion has been diverted into a debate totally 
irrelevant to the 
 issue.
 
 As far as Chuck's question whether this could be related to 
the popup, 
 this is not the case as the problem happens on other pages too, even 
 on index.jsp (first page)



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

Thanks for the suggestion George.

I don't think is the proxy because IE and other browsers work with the same
proxy so I don't see why FireFox should not.  I will try your suggestion
though and let you know the outcome.

As far as other suggestions, no. 1 is particularly interesting and will try
it, as well as no.2.  For your third suggestion I explained to you why I am
doing it.

As far as the X-Cache: MISS, etc. these appear with IE as well but IE works
so it can't be the problem.

Michael

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED] 
Sent: 17 February 2006 05:22
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'Joey Geiger'; [EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Since I regularly use Firefox and sessions I'm pretty sure 
that there is really nothing unique to that combination that 
is causing the problem. It could be the proxy server below is 
causing the issue. The obvious thing to do would be to try 
from a different network without a proxy server and see if 
your issue clears up.

I would also recommend that you do a little cleanup on your 
HTML pages and see if there is some effect on the issue. The 
specific things I would fix in your HTML are:

1) No DocType, causing the page to render in Quirks mode. FYI, this
will cause differences in the box model which will result in 
IE 6.0 and FireFox/Mozilla displaying pages very differently.

2) No Content type/charset meta in the header.

3) You have a duplicate HEAD block in the bottom of your page.

Your reference to the cache-control entry:


 Cache-Control: max-age=0

Doesn't appear in my browser. I would suspect that its being 
added by your proxy server.

 X-Cache: MISS from proxy01.spidernet.net
 X-Cache-Lookup: MISS from proxy01.spidernet.net:83

I would also say that if you're going to use the addHeader() 
to put in cache/pragma entries that you should not use the META tags.





George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 16, 2006 3:38 PM
 To: 'Tomcat Users List'
 Cc: [EMAIL PROTECTED]; 'George Sexton'; 'Joey Geiger'; 
 [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Dear all,
 
 Thanks for your replies to my problem.  However, I think the 
 discussion has been diverted into a debate totally 
irrelevant to the 
 issue.
 
 As far as Chuck's question whether this could be related to 
the popup, 
 this is not the case as the problem happens on other pages too, even 
 on index.jsp (first page)



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

 Anybody has an idea what could be causing what I describe in the below two
emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the 
HTTP headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
SV1; .NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of 
FireFox but not in the case of IE could be the cause of my problems.

Michael



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application 
runsin Firefox.

Basically, what happens is that after I set in the session some 
attributes/beans which are needed down the application, I 
check in all 
JSPs and servlets that an old session is still there by using
  if (request.getSession(false)==null){
 
response.sendRedirect(response.encodeRedirectURL(timeout.jsp));

}

With IE all works fine, however with Firefox, it seems that 
the session 
is re-initialised whenever the client/browser requests a new page.  I 
checked this by printing the session id in the log on each page and 
with IE it does not change, while with Firefox it changes.

I checked my firefox settings for cookies and all look ok.

Anybody has a clue of what I might be doing wrong?

Regards,
Michael


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Earnie Dyke]

Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)


 Anybody has an idea what could be causing what I describe in the below two
emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the 
HTTP headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
SV1; .NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of 
FireFox but not in the case of IE could be the cause of my problems.

Michael



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application 
runsin Firefox.

Basically, what happens is that after I set in the session some 
attributes/beans which are needed down the application, I 
check in all 
JSPs and servlets that an old session is still there by using
  if (request.getSession(false)==null){
 
response.sendRedirect(response.encodeRedirectURL(timeout.jsp));

}

With IE all works fine, however with Firefox, it seems that 
the session 
is re-initialised whenever the client/browser requests a new page.  I 
checked this by printing the session id in the log on each page and 
with IE it does not change, while with Firefox it changes.

I checked my firefox settings for cookies and all look ok.

Anybody has a clue of what I might be doing wrong?

Regards,
Michael


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

Hi Earnie,

Cookies are allowed at the browser.  It seems for some reason that at then
end of loading each JSP firefox expires my session.  I use some meta tags
(META HTTP-EQUIV=Cache-Control CONTENT=No-Cache, META
HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires
CONTENT=-1) and also set the corresponding header values using
response.setHeader but even if I remove them nothing changes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)


 Anybody has an idea what could be causing what I describe in 
the below two emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the HTTP 
headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
.NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of 
FireFox but 
not in the case of IE could be the cause of my problems.

Michael



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application 
runsin Firefox.

Basically, what happens is that after I set in the session some 
attributes/beans which are needed down the application, I
check in all
JSPs and servlets that an old session is still there by using
 if (request.getSession(false)==null){
 
response.sendRedirect(response.encodeRedirectURL(timeout.jsp));

}

With IE all works fine, however with Firefox, it seems that
the session
is re-initialised whenever the client/browser requests a new 
page.  I 
checked this by printing the session id in the log on each page and 
with IE it does not change, while with Firefox it changes.

I checked my firefox settings for cookies and all look ok.

Anybody has a clue of what I might be doing wrong?

Regards,
Michael


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Earnie Dyke]

The META tags should not have an effect on cookies. Firefox would not be the 
one that expires your session, Tomcat would. Do you have a session timeout 
specified in your application?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


Hi Earnie,

Cookies are allowed at the browser.  It seems for some reason that at then
end of loading each JSP firefox expires my session.  I use some meta tags
(META HTTP-EQUIV=Cache-Control CONTENT=No-Cache, META
HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires
CONTENT=-1) and also set the corresponding header values using
response.setHeader but even if I remove them nothing changes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)


 Anybody has an idea what could be causing what I describe in 
the below two emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the HTTP 
headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
.NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of 
FireFox but 
not in the case of IE could be the cause of my problems.

Michael



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application 
runsin Firefox.

Basically, what happens is that after I set in the session some 
attributes/beans which are needed down the application, I
check in all
JSPs and servlets that an old session is still there by using
 if (request.getSession(false)==null){
 
response.sendRedirect(response.encodeRedirectURL(timeout.jsp));

}

With IE all works fine, however with Firefox, it seems that
the session
is re-initialised whenever the client/browser requests a new 
page.  I 
checked this by printing the session id in the log on each page and 
with IE it does not change, while with Firefox it changes.

I checked my firefox settings for cookies and all look ok.

Anybody has a clue of what I might be doing wrong?

Regards,
Michael


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

It is 30 minutes.  If I do request.getSession().getMaxInactiveInterval() I
get 1800 (seconds I guess) which is the correct value for 30 minutes. 

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 17:25
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

The META tags should not have an effect on cookies. Firefox 
would not be the one that expires your session, Tomcat would. 
Do you have a session timeout specified in your application?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


Hi Earnie,

Cookies are allowed at the browser.  It seems for some reason 
that at then end of loading each JSP firefox expires my 
session.  I use some meta tags (META 
HTTP-EQUIV=Cache-Control CONTENT=No-Cache, META 
HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires
CONTENT=-1) and also set the corresponding header values 
using response.setHeader but even if I remove them nothing changes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)


 Anybody has an idea what could be causing what I describe in 
the below 
two emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the HTTP 
headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
.NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; 
rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of
FireFox but
not in the case of IE could be the cause of my problems.

Michael



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application 
runsin Firefox.

Basically, what happens is that after I set in the session some 
attributes/beans which are needed down the application, I
check in all
JSPs and servlets that an old session is still there by using
if (request.getSession(false)==null){
 
response.sendRedirect(response.encodeRedirectURL(timeout.jsp));

}

With IE all works fine, however with Firefox, it seems that
the session
is re-initialised whenever the client/browser requests a new
page.  I
checked this by printing the session id in the log on each page and 
with IE it does not change, while with Firefox it changes.

I checked my firefox settings for cookies and all look ok.

Anybody has a clue of what I might be doing wrong?

Regards,
Michael



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[alexandre.tastet]

Are you using SSL connection ?

-Message d'origine-
De :
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
ache.org]De la part de Michael Andreas Omerou
Envoye : mercredi 15 fevrier 2006 16:34
A : 'Tomcat Users List'
Objet : RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


It is 30 minutes.  If I do request.getSession().getMaxInactiveInterval() I
get 1800 (seconds I guess) which is the correct value for 30 minutes. 

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 17:25
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

The META tags should not have an effect on cookies. Firefox 
would not be the one that expires your session, Tomcat would. 
Do you have a session timeout specified in your application?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


Hi Earnie,

Cookies are allowed at the browser.  It seems for some reason 
that at then end of loading each JSP firefox expires my 
session.  I use some meta tags (META 
HTTP-EQUIV=Cache-Control CONTENT=No-Cache, META 
HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires
CONTENT=-1) and also set the corresponding header values 
using response.setHeader but even if I remove them nothing changes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)


 Anybody has an idea what could be causing what I describe in 
the below 
two emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the HTTP 
headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
.NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; 
rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of
FireFox but
not in the case of IE could be the cause of my problems.

Michael



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application 
runsin Firefox.

Basically, what happens is that after I set in the session some 
attributes/beans which are needed down the application, I
check in all
JSPs and servlets that an old session is still there by using
if (request.getSession(false)==null){
 
response.sendRedirect(response.encodeRedirectURL(timeout.jsp));

}

With IE all works fine, however with Firefox, it seems that
the session
is re-initialised whenever the client/browser requests a new
page.  I
checked this by printing the session id in the log on each page and 
with IE it does not change, while with Firefox it changes.

I checked my firefox settings for cookies and all look ok.

Anybody has a clue of what I might be doing wrong?

Regards,
Michael



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

In principle,  one could try the below (a stand-alone jsp) which resides in
my application with a timeout of 30 minutes:

[EMAIL PROTECTED] import=java.util.Enumeration,java.util.Date
contentType=text/html%
[EMAIL PROTECTED] pageEncoding=UTF-8%
html
headtitleJSP Page/title/head
body
%

  Enumeration reqHeaderNames = request.getHeaderNames();
  String curHeaderName;
while (reqHeaderNames.hasMoreElements()){
curHeaderName=(String) reqHeaderNames.nextElement();
System.out.println(curHeaderName + :  +
request.getHeader(curHeaderName));
}
  
  System.out.println(TestFirefox.jsp Session ID Value: +
request.getSession(false).getId());
  
%
TEST FIREFOX LOADED

/body
/html


The above creates a new session wheneven reloaded in Firefox while in IE it
keeps the same.

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 17:34
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

It is 30 minutes.  If I do 
request.getSession().getMaxInactiveInterval() I get 1800 
(seconds I guess) which is the correct value for 30 minutes. 

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:25
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

The META tags should not have an effect on cookies. Firefox would not 
be the one that expires your session, Tomcat would.
Do you have a session timeout specified in your application?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


Hi Earnie,

Cookies are allowed at the browser.  It seems for some reason that at 
then end of loading each JSP firefox expires my session.  I use some 
meta tags (META HTTP-EQUIV=Cache-Control 
CONTENT=No-Cache, META 
HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires
CONTENT=-1) and also set the corresponding header values using 
response.setHeader but even if I remove them nothing changes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)


 Anybody has an idea what could be causing what I describe in
the below
two emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the HTTP 
headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
.NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB;
rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of
FireFox but
not in the case of IE could be the cause of my problems.

Michael



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application 
runsin Firefox.

Basically, what happens is that after I set in the session some 
attributes/beans which are needed down the application, I
check in all
JSPs and servlets that an old session is still there by using
   if (request.getSession(false)==null){
 
response.sendRedirect(response.encodeRedirectURL(timeout.jsp));

}

With IE all works fine, however with Firefox, it seems that
the session
is re-initialised whenever the client/browser requests a new
page.  I
checked this by printing the session id in the log on each 
page and 
with IE it does not change, while with Firefox it changes.

I checked my firefox settings for cookies and all look ok.

Anybody has a clue of what I might be doing wrong?

Regards,
Michael

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

Not at the stage that this problem occurs.  SSL is used further on when the
user logs in to make a payment but the SSL pages are never reached with
FireFox because of the early timeout.  With IE all is ok, including SSL
connections. 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 17:43
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you using SSL connection ?

-Message d'origine-
De :
[EMAIL PROTECTED]
pache.org
[mailto:users-return-140612-alexandre.tastet=fr.fortisbank.com@
tomcat.ap
ache.org]De la part de Michael Andreas Omerou Envoye : 
mercredi 15 fevrier 2006 16:34 A : 'Tomcat Users List'
Objet : RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


It is 30 minutes.  If I do 
request.getSession().getMaxInactiveInterval() I get 1800 
(seconds I guess) which is the correct value for 30 minutes. 

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:25
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

The META tags should not have an effect on cookies. Firefox would not 
be the one that expires your session, Tomcat would.
Do you have a session timeout specified in your application?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


Hi Earnie,

Cookies are allowed at the browser.  It seems for some reason that at 
then end of loading each JSP firefox expires my session.  I use some 
meta tags (META HTTP-EQUIV=Cache-Control 
CONTENT=No-Cache, META 
HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires
CONTENT=-1) and also set the corresponding header values using 
response.setHeader but even if I remove them nothing changes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)


 Anybody has an idea what could be causing what I describe in
the below
two emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check the HTTP 
headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
.NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB;
rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of
FireFox but
not in the case of IE could be the cause of my problems.

Michael



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application 
runsin Firefox.

Basically, what happens is that after I set in the session some 
attributes/beans which are needed down the application, I
check in all
JSPs and servlets that an old session is still there by using
   if (request.getSession(false)==null){
 
response.sendRedirect(response.encodeRedirectURL(timeout.jsp));

}

With IE all works fine, however with Firefox, it seems that
the session
is re-initialised whenever the client/browser requests a new
page.  I
checked this by printing the session id in the log on each 
page and 
with IE it does not change, while with Firefox it changes.

I checked my firefox settings for cookies and all look ok.

Anybody has a clue of what I might be doing wrong?

Regards,
Michael



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

I tried with NetScape and Opera to see what happens.  

For NetScape the first time I tried it was ok up to the stage that I
switched to SSL.  At that step, I lost my session.  After trying several
times again I noticed NetScape was ok.

With Opera all works fine, like with IE, from the beginning.

So major problem is still FireFox and it must be something that it sends (or
not sends) back to Tomcat that causes session expiration.

Thanks for your assistance.

Michael

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 17:48
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Not at the stage that this problem occurs.  SSL is used 
further on when the user logs in to make a payment but the SSL 
pages are never reached with FireFox because of the early 
timeout.  With IE all is ok, including SSL connections. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:43
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you using SSL connection ?

-Message d'origine-
De :
[EMAIL PROTECTED]
pache.org
[mailto:users-return-140612-alexandre.tastet=fr.fortisbank.com@
tomcat.ap
ache.org]De la part de Michael Andreas Omerou Envoye : 
mercredi 15 fevrier 2006 16:34 A : 'Tomcat Users List'
Objet : RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


It is 30 minutes.  If I do
request.getSession().getMaxInactiveInterval() I get 1800 (seconds I 
guess) which is the correct value for 30 minutes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:25
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

The META tags should not have an effect on cookies. Firefox 
would not 
be the one that expires your session, Tomcat would.
Do you have a session timeout specified in your application?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


Hi Earnie,

Cookies are allowed at the browser.  It seems for some 
reason that at 
then end of loading each JSP firefox expires my session.  I use some 
meta tags (META HTTP-EQUIV=Cache-Control
CONTENT=No-Cache, META
HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires
CONTENT=-1) and also set the corresponding header values using 
response.setHeader but even if I remove them nothing changes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)


 Anybody has an idea what could be causing what I describe in
the below
two emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check 
the HTTP 
headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
5.1; SV1; 
.NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB;
rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of
FireFox but
not in the case of IE could be the cause of my problems.

Michael



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 11:27
To: users@tomcat.apache.org
Subject: Session Problems with Firefox

Hello,

I have some problems with session management when our application 
runsin Firefox.

Basically, what happens is that after I set in the session some 
attributes/beans which are needed down the application, I
check in all
JSPs and servlets that an old session is still there by using
  if (request.getSession(false)==null){
 
response.sendRedirect(response.encodeRedirectURL(timeout.jsp));

}

With IE all works fine, however with Firefox

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Michael Andreas Omerou]

As the problem occurs with a live site, you can see it yourself at
www.tophotelchoices.com.  Do a search for any hotel.   You will see the
results.  By the time the results page is loaded your session has expired
but you do not know.  Click on the Book or Request button of any hotel
and you will see the Timeout page.

Remember that the above only happens with FireFox.

I will greatly appreciate your help.

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 19:45
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

I tried with NetScape and Opera to see what happens.  

For NetScape the first time I tried it was ok up to the stage 
that I switched to SSL.  At that step, I lost my session.  
After trying several times again I noticed NetScape was ok.

With Opera all works fine, like with IE, from the beginning.

So major problem is still FireFox and it must be something 
that it sends (or not sends) back to Tomcat that causes 
session expiration.

Thanks for your assistance.

Michael

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:48
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Not at the stage that this problem occurs.  SSL is used 
further on when 
the user logs in to make a payment but the SSL pages are 
never reached 
with FireFox because of the early timeout.  With IE all is ok, 
including SSL connections.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:43
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Are you using SSL connection ?

-Message d'origine-
De :
[EMAIL PROTECTED]
pache.org
[mailto:users-return-140612-alexandre.tastet=fr.fortisbank.com@
tomcat.ap
ache.org]De la part de Michael Andreas Omerou Envoye : 
mercredi 15 fevrier 2006 16:34 A : 'Tomcat Users List'
Objet : RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


It is 30 minutes.  If I do
request.getSession().getMaxInactiveInterval() I get 1800 (seconds I
guess) which is the correct value for 30 minutes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:25
To: Tomcat Users List
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

The META tags should not have an effect on cookies. Firefox
would not
be the one that expires your session, Tomcat would.
Do you have a session timeout specified in your application?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


Hi Earnie,

Cookies are allowed at the browser.  It seems for some
reason that at
then end of loading each JSP firefox expires my session.  I 
use some 
meta tags (META HTTP-EQUIV=Cache-Control
CONTENT=No-Cache, META
HTTP-EQUIV=Pragma CONTENT=No-Cache, META HTTP-EQUIV=Expires
CONTENT=-1) and also set the corresponding header values using 
response.setHeader but even if I remove them nothing changes.

Michael

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:10
To: Tomcat Users List
Subject: RE: Session Expires At Every Request 
(Tomcat5.0.28/Firefox)

Are you blocking cookies at the browser?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:06 AM
To: 'Tomcat Users List'
Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)


 Anybody has an idea what could be causing what I describe in
the below
two emails?

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 13:10
To: 'Tomcat Users List'
Subject: RE: Session Problems with Firefox

Further to my below email I have put in some code to check
the HTTP
headers in each case (IE and FireFox).

These are:

IE
accept: */*
accept-language: en-gb
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; SV1;
.NET CLR 1.1.4322; InfoPath.1)
host: localhost
connection: Keep-Alive
cookie: JSESSIONID=D79835F3D70ADD58F4770DD15B463320

FireFox
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB;
rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=
0.8,image/png,*/*;q=0.5
accept-language: en-gb,en;q=0.5
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 300
connection: keep-alive
cookie: JSESSIONID=A3893195B065989E5B03BC8681E4D0D6
cache-control: max-age=0


I wonder whether the keep-alive which exists in the case of
FireFox but
not in the case of IE could be the cause of my problems

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

You do realize that sessions don't carry over between SSL and non-SSL
request don't you?

You can't have a session ID that carries over from a non-ssl session to an
SSL session because that session ID is compromised (it has been exposed) as
plain text.

As an aside, I looked at your form. You should really use
HttpServletRequest.getLocale() to pick up your user's locale and then
provide date formatting for the user locale.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 15, 2006 11:03 AM
 To: 'Tomcat Users List'; [EMAIL PROTECTED]; 
 [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 As the problem occurs with a live site, you can see it yourself at
 www.tophotelchoices.com.  Do a search for any hotel.   You 
 will see the
 results.  By the time the results page is loaded your session 
 has expired
 but you do not know.  Click on the Book or Request button 
 of any hotel
 and you will see the Timeout page.
 
 Remember that the above only happens with FireFox.
 
 I will greatly appreciate your help.
 
 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
 Sent: 15 February 2006 19:45
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Cc: 'Tomcat Users List'
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 I tried with NetScape and Opera to see what happens.  
 
 For NetScape the first time I tried it was ok up to the stage 
 that I switched to SSL.  At that step, I lost my session.  
 After trying several times again I noticed NetScape was ok.
 
 With Opera all works fine, like with IE, from the beginning.
 
 So major problem is still FireFox and it must be something 
 that it sends (or not sends) back to Tomcat that causes 
 session expiration.
 
 Thanks for your assistance.
 
 Michael
 
 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
 Sent: 15 February 2006 17:48
 To: 'Tomcat Users List'
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Not at the stage that this problem occurs.  SSL is used 
 further on when 
 the user logs in to make a payment but the SSL pages are 
 never reached 
 with FireFox because of the early timeout.  With IE all is ok, 
 including SSL connections.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 Sent: 15 February 2006 17:43
 To: 'Tomcat Users List'
 Subject: RE: Session Expires At Every Request 
 (Tomcat5.0.28/Firefox)
 
 Are you using SSL connection ?
 
 -Message d'origine-
 De :
 [EMAIL PROTECTED]
 pache.org
 [mailto:users-return-140612-alexandre.tastet=fr.fortisbank.com@
 tomcat.ap
 ache.org]De la part de Michael Andreas Omerou Envoye : 
 mercredi 15 fevrier 2006 16:34 A : 'Tomcat Users List'
 Objet : RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 
 It is 30 minutes.  If I do
 request.getSession().getMaxInactiveInterval() I get 1800 (seconds I
 guess) which is the correct value for 30 minutes.
 
 Michael
 
 -Original Message-
 From: Earnie Dyke [mailto:[EMAIL PROTECTED]
 Sent: 15 February 2006 17:25
 To: Tomcat Users List
 Subject: RE: Session Expires At Every Request 
 (Tomcat5.0.28/Firefox)
 
 The META tags should not have an effect on cookies. Firefox
 would not
 be the one that expires your session, Tomcat would.
 Do you have a session timeout specified in your application?
 
 Earnie!
 
 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 15, 2006 10:19 AM
 To: 'Tomcat Users List'
 Subject: RE: Session Expires At Every Request 
 (Tomcat5.0.28/Firefox)
 
 
 Hi Earnie,
 
 Cookies are allowed at the browser.  It seems for some
 reason that at
 then end of loading each JSP firefox expires my session.  I 
 use some 
 meta tags (META HTTP-EQUIV=Cache-Control
 CONTENT=No-Cache, META
 HTTP-EQUIV=Pragma CONTENT=No-Cache, META 
 HTTP-EQUIV=Expires
 CONTENT=-1) and also set the corresponding header values using 
 response.setHeader but even if I remove them nothing changes.
 
 Michael
 
 -Original Message-
 From: Earnie Dyke [mailto:[EMAIL PROTECTED]
 Sent: 15 February 2006 17:10
 To: Tomcat Users List
 Subject: RE: Session Expires At Every Request 
 (Tomcat5.0.28/Firefox)
 
 Are you blocking cookies at the browser?
 
 Earnie!
 
 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 15, 2006 10:06 AM
 To: 'Tomcat Users List'
 Subject: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 
  Anybody has an idea what could be causing what I describe in
 the below
 two emails?
 
 -Original Message-
 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
 Sent: 15 February 2006 13:10
 To: 'Tomcat Users List'
 Subject: RE: Session Problems with Firefox
 
 Further to my below email I have put in some

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Caldarale, Charles R]

 From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 As the problem occurs with a live site, you can see 
 it yourself at www.tophotelchoices.com.

(OT: A bit depressing to see a Holiday Inn at Aylesbury - I used to live
just down the road from there in the 1950s.)

I noticed that a secondary window opened during the search; is it
possible that with Firefox the session is being associated only with
this secondary window?  Can you use Ethereal or something similar to see
which requests/responses contain the desired session id?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

In my shopping cart application, I create a cart with a unique (random) id
and track the request type (secure/non-secure). 

If they invoke the program from an SSL request, and the previous request was
non-SSL then I create a new cart with a new unique ID, copy the information
from the insecure cart, and then delete the old cart.

If someone tries to come back with the old cart id, then that cart just
doesn't exist and they get a new cart.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Joey Geiger [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 15, 2006 11:50 AM
 To: 'Tomcat Users List'
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 You do realize that sessions don't carry over between SSL 
 and non-SSL
 request don't you?
 
 What is the proper/best way to go about this then, since I 
 will be facing a
 similar situation in the near future? (Shopping cart bean, 
 customer bean
 saved in the session.)
 
 Thanks.
 
 
 -Original Message-
 From: George Sexton [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 15, 2006 12:17 PM
 To: 'Tomcat Users List'; [EMAIL PROTECTED]; 
 [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 You do realize that sessions don't carry over between SSL and non-SSL
 request don't you?
 
 You can't have a session ID that carries over from a non-ssl 
 session to an
 SSL session because that session ID is compromised (it has 
 been exposed) as
 plain text.
 
 As an aside, I looked at your form. You should really use
 HttpServletRequest.getLocale() to pick up your user's locale and then
 provide date formatting for the user locale.
 
 George Sexton
 MH Software, Inc.
 http://www.mhsoftware.com/
 Voice: 303 438 9585
   


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Filip Hanik - Dev Lists]

sessions started in non-ssl mode should carry over to SSL, but not the 
other way around.

Filip


Joey Geiger wrote:

You do realize that sessions don't carry over between SSL and non-SSL
request don't you?
  


What is the proper/best way to go about this then, since I will be facing a
similar situation in the near future? (Shopping cart bean, customer bean
saved in the session.)

Thanks.


-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 15, 2006 12:17 PM

To: 'Tomcat Users List'; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

You do realize that sessions don't carry over between SSL and non-SSL
request don't you?

You can't have a session ID that carries over from a non-ssl session to an
SSL session because that session ID is compromised (it has been exposed) as
plain text.

As an aside, I looked at your form. You should really use
HttpServletRequest.getLocale() to pick up your user's locale and then
provide date formatting for the user locale.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

  

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 15, 2006 11:03 AM
To: 'Tomcat Users List'; [EMAIL PROTECTED]; 
[EMAIL PROTECTED]

Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

As the problem occurs with a live site, you can see it yourself at
www.tophotelchoices.com.  Do a search for any hotel.   You 
will see the
results.  By the time the results page is loaded your session 
has expired
but you do not know.  Click on the Book or Request button 
of any hotel

and you will see the Timeout page.

Remember that the above only happens with FireFox.

I will greatly appreciate your help.



-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED] 
Sent: 15 February 2006 19:45

To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

I tried with NetScape and Opera to see what happens.  

For NetScape the first time I tried it was ok up to the stage 
that I switched to SSL.  At that step, I lost my session.  
After trying several times again I noticed NetScape was ok.


With Opera all works fine, like with IE, from the beginning.

So major problem is still FireFox and it must be something 
that it sends (or not sends) back to Tomcat that causes 
session expiration.


Thanks for your assistance.

Michael

  

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:48
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

Not at the stage that this problem occurs.  SSL is used 

further on when 
  
the user logs in to make a payment but the SSL pages are 

never reached 
  
with FireFox because of the early timeout.  With IE all is ok, 
including SSL connections.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:43
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request 
  

(Tomcat5.0.28/Firefox)


Are you using SSL connection ?

-Message d'origine-
De :
[EMAIL PROTECTED]
  

pache.org


[mailto:users-return-140612-alexandre.tastet=fr.fortisbank.com@
  

tomcat.ap

ache.org]De la part de Michael Andreas Omerou Envoye : 
mercredi 15 fevrier 2006 16:34 A : 'Tomcat Users List'

Objet : RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)


It is 30 minutes.  If I do
request.getSession().getMaxInactiveInterval() I get 1800 (seconds I
guess) which is the correct value for 30 minutes.

Michael

  

-Original Message-
From: Earnie Dyke [mailto:[EMAIL PROTECTED]
Sent: 15 February 2006 17:25
To: Tomcat Users List
Subject: RE: Session Expires At Every Request 


(Tomcat5.0.28/Firefox)


The META tags should not have an effect on cookies. Firefox


would not


be the one that expires your session, Tomcat would.
Do you have a session timeout specified in your application?

Earnie!

-Original Message-
From: Michael Andreas Omerou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 10:19 AM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request 


(Tomcat5.0.28/Firefox)


Hi Earnie,

Cookies are allowed at the browser.  It seems for some


reason that at

then end of loading each JSP firefox expires my session.  I 

use some 
  

meta tags (META HTTP-EQUIV=Cache-Control


CONTENT=No-Cache, META
  
HTTP-EQUIV=Pragma CONTENT=No-Cache, META 


HTTP-EQUIV=Expires

CONTENT=-1) and also set the corresponding header values using 
response.setHeader but even if I

Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Filip Hanik - Dev Lists]

George Sexton wrote:

Does the code transparently create a new JSessionID value then?


George,
you might wanna rethink your comments, they don't shine any light on the 
issue and they for sure don't state any facts, let me prove you I am 
right. Below is the headers I tracked with LiveHttpHeaders, as you can 
see, JSESSIONID remains exactly the same in the browser request when the 
switch from HTTP to HTTPS happens.

This is Firefox on Fedora 4. The site works fine.

This must be a browser issue, can you tell us a little bit more about 
what version and platform your browser is on.


1. Request to the home - non secure

http://www.tophotelchoices.com/
GET / HTTP/1.1
Host: www.tophotelchoices.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) 
Gecko/20060124 Firefox/1.5.0.1
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.tophotelchoices.com/

HTTP/1.x 200 OK
Date: Wed, 15 Feb 2006 20:08:55 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Set-Cookie: JSESSIONID=735009FD40D725EDAA14389409CD60FF; Path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

2. Click on the request button - switch from HTTP to HTTPS
https://www.tophotelchoices.com/bookingServlet1?hotel=ASI
GET /bookingServlet1?hotel=ASI HTTP/1.1
Host: www.tophotelchoices.com:443
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) 
Gecko/20060124 Firefox/1.5.0.1
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.tophotelchoices.com/searchResults.jsp
Cookie: JSESSIONID=735009FD40D725EDAA14389409CD60FF

HTTP/1.x 200 OK
Date: Wed, 15 Feb 2006 20:11:54 GMT
Server: Apache/1.3.33 (Unix) mod_jk/1.2.15
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8


George Sexton wrote:

Does the code transparently create a new JSessionID value then?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585



-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 12:48 PM
To: Tomcat Users List
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

sessions started in non-ssl mode should carry over to SSL,
but not the
other way around.
Filip




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

 -Original Message-
 From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 15, 2006 1:16 PM
 To: Tomcat Users List
 Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 George Sexton wrote:
  Does the code transparently create a new JSessionID value then?
 
 George,
 you might wanna rethink your comments, they don't shine any 
 light on the 
 issue and they for sure don't state any facts, let me prove you I am 
 right. Below is the headers I tracked with LiveHttpHeaders, 
 as you can 
 see, JSESSIONID remains exactly the same in the browser 
 request when the 
 switch from HTTP to HTTPS happens.

And this is an incredibly major trap that lies waiting for every application
developer that uses sessions. You see, I have given a great deal of thought
about sessions and what should happen when a connection transitions to
secure, or from secure to non-secure.

Let's take a simple shopping cart app. User Adam visit a site on a
non-secure connection and receives a session. He shops and puts something in
his cart.

Mallory (crypto speak for the person in the middle) monitors Adam's network
stream and picks up the jsessionid from the data stream.

Adam then goes to the check out screen and starts entering checkout data
(name, address, and credit card information). To give ourselves a window,
assume that Adam then continues shopping or is just slow, or the credit card
processing procedure takes time...

Mallory can forge a request using the JSessionID, and go to the checkout
pages. Since Mallory has the same session, all of the information entered by
Adam is now visible.

This is the flaw. This is why sessions should not transition from non-secure
to secure, or if they do transition a new ID should be generated and the old
session ID invalidated. The session ID is a key into the data store and if
the session key has been exposed to the public, then no confidential data
should be accessed using that session key.

I think this should be submitted as a bug. 


George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

An even simpler case:

Adam visits a banking site. On entering the site he gets a cookie. 


Mallory snoops the session ID on the data stream.

Adam then authenticates to read his account information. The application
sets a session attribute (say a bean with the account name and number) on
the session.


Mallory now enters the secure area of the banking site using the forged
session ID. 

Poof. Mallory is logged in as Adam.

Poof. Adam is had and his data is there to be stolen, or wire transferred to
another account.



George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: George Sexton [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 15, 2006 2:09 PM
 To: 'Tomcat Users List'
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 
 
  -Original Message-
  From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] 
  Sent: Wednesday, February 15, 2006 1:16 PM
  To: Tomcat Users List
  Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
  
  George Sexton wrote:
   Does the code transparently create a new JSessionID value then?
  
  George,
  you might wanna rethink your comments, they don't shine any 
  light on the 
  issue and they for sure don't state any facts, let me prove 
 you I am 
  right. Below is the headers I tracked with LiveHttpHeaders, 
  as you can 
  see, JSESSIONID remains exactly the same in the browser 
  request when the 
  switch from HTTP to HTTPS happens.
 
 And this is an incredibly major trap that lies waiting for 
 every application
 developer that uses sessions. You see, I have given a great 
 deal of thought
 about sessions and what should happen when a connection transitions to
 secure, or from secure to non-secure.
 
 Let's take a simple shopping cart app. User Adam visit a site on a
 non-secure connection and receives a session. He shops and 
 puts something in
 his cart.
 
 Mallory (crypto speak for the person in the middle) monitors 
 Adam's network
 stream and picks up the jsessionid from the data stream.
 
 Adam then goes to the check out screen and starts entering 
 checkout data
 (name, address, and credit card information). To give 
 ourselves a window,
 assume that Adam then continues shopping or is just slow, or 
 the credit card
 processing procedure takes time...
 
 Mallory can forge a request using the JSessionID, and go to 
 the checkout
 pages. Since Mallory has the same session, all of the 
 information entered by
 Adam is now visible.
 
 This is the flaw. This is why sessions should not transition 
 from non-secure
 to secure, or if they do transition a new ID should be 
 generated and the old
 session ID invalidated. The session ID is a key into the data 
 store and if
 the session key has been exposed to the public, then no 
 confidential data
 should be accessed using that session key.
 
 I think this should be submitted as a bug. 
 
 
 George Sexton
 MH Software, Inc.
 http://www.mhsoftware.com/
 Voice: 303 438 9585
 
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 
 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Filip Hanik - Dev Lists]

Adam and Mallory have to stop shopping! =)

this debate has been going on for years, you just caught onto to it now, 
and I was in it last time, don't plan on participating again. Have fun 
with it though!!


Filip


George Sexton wrote:

An even simpler case:

Adam visits a banking site. On entering the site he gets a cookie. 



Mallory snoops the session ID on the data stream.

Adam then authenticates to read his account information. The application
sets a session attribute (say a bean with the account name and number) on
the session.


Mallory now enters the secure area of the banking site using the forged
session ID. 


Poof. Mallory is logged in as Adam.

Poof. Adam is had and his data is there to be stolen, or wire transferred to
another account.



George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

  

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 15, 2006 2:09 PM

To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)





-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 15, 2006 1:16 PM

To: Tomcat Users List
Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)

George Sexton wrote:
  

Does the code transparently create a new JSessionID value then?


George,
you might wanna rethink your comments, they don't shine any 
light on the 
issue and they for sure don't state any facts, let me prove 
  
you I am 

right. Below is the headers I tracked with LiveHttpHeaders, 
as you can 
see, JSESSIONID remains exactly the same in the browser 
request when the 
switch from HTTP to HTTPS happens.
  
And this is an incredibly major trap that lies waiting for 
every application
developer that uses sessions. You see, I have given a great 
deal of thought

about sessions and what should happen when a connection transitions to
secure, or from secure to non-secure.

Let's take a simple shopping cart app. User Adam visit a site on a
non-secure connection and receives a session. He shops and 
puts something in

his cart.

Mallory (crypto speak for the person in the middle) monitors 
Adam's network

stream and picks up the jsessionid from the data stream.

Adam then goes to the check out screen and starts entering 
checkout data
(name, address, and credit card information). To give 
ourselves a window,
assume that Adam then continues shopping or is just slow, or 
the credit card

processing procedure takes time...

Mallory can forge a request using the JSessionID, and go to 
the checkout
pages. Since Mallory has the same session, all of the 
information entered by

Adam is now visible.

This is the flaw. This is why sessions should not transition 
from non-secure
to secure, or if they do transition a new ID should be 
generated and the old
session ID invalidated. The session ID is a key into the data 
store and if
the session key has been exposed to the public, then no 
confidential data

should be accessed using that session key.

I think this should be submitted as a bug. 



George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

  



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[Joey Geiger]

Oddly enough, the banks don't even care about this.

US Bank, for example, claims their login on the front page is secure and
has you enter your account data into a non https form. After the browser
sends the information, it then redirects to a secure(https) link.

I wrote them about this, and their response was, we know it's not secure,
but we'll compensate you for any losses you may have... Crazy.

-Original Message-
From: George Sexton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 15, 2006 3:16 PM
To: 'Tomcat Users List'
Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

An even simpler case:

Adam visits a banking site. On entering the site he gets a cookie. 


Mallory snoops the session ID on the data stream.

Adam then authenticates to read his account information. The application
sets a session attribute (say a bean with the account name and number) on
the session.


Mallory now enters the secure area of the banking site using the forged
session ID. 

Poof. Mallory is logged in as Adam.

Poof. Adam is had and his data is there to be stolen, or wire transferred to
another account.



George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: George Sexton [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 15, 2006 2:09 PM
 To: 'Tomcat Users List'
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 
 
  -Original Message-
  From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] 
  Sent: Wednesday, February 15, 2006 1:16 PM
  To: Tomcat Users List
  Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
  
  George Sexton wrote:
   Does the code transparently create a new JSessionID value then?
  
  George,
  you might wanna rethink your comments, they don't shine any 
  light on the 
  issue and they for sure don't state any facts, let me prove 
 you I am 
  right. Below is the headers I tracked with LiveHttpHeaders, 
  as you can 
  see, JSESSIONID remains exactly the same in the browser 
  request when the 
  switch from HTTP to HTTPS happens.
 
 And this is an incredibly major trap that lies waiting for 
 every application
 developer that uses sessions. You see, I have given a great 
 deal of thought
 about sessions and what should happen when a connection transitions to
 secure, or from secure to non-secure.
 
 Let's take a simple shopping cart app. User Adam visit a site on a
 non-secure connection and receives a session. He shops and 
 puts something in
 his cart.
 
 Mallory (crypto speak for the person in the middle) monitors 
 Adam's network
 stream and picks up the jsessionid from the data stream.
 
 Adam then goes to the check out screen and starts entering 
 checkout data
 (name, address, and credit card information). To give 
 ourselves a window,
 assume that Adam then continues shopping or is just slow, or 
 the credit card
 processing procedure takes time...
 
 Mallory can forge a request using the JSessionID, and go to 
 the checkout
 pages. Since Mallory has the same session, all of the 
 information entered by
 Adam is now visible.
 
 This is the flaw. This is why sessions should not transition 
 from non-secure
 to secure, or if they do transition a new ID should be 
 generated and the old
 session ID invalidated. The session ID is a key into the data 
 store and if
 the session key has been exposed to the public, then no 
 confidential data
 should be accessed using that session key.
 
 I think this should be submitted as a bug. 
 
 
 George Sexton
 MH Software, Inc.
 http://www.mhsoftware.com/
 Voice: 303 438 9585
 
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 
 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

  

 -Original Message-
 From: Joey Geiger [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 15, 2006 2:27 PM
 To: 'Tomcat Users List'
 Subject: RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Oddly enough, the banks don't even care about this.
 
 US Bank, for example, claims their login on the front page is 
 secure and
 has you enter your account data into a non https form. After 
 the browser
 sends the information, it then redirects to a secure(https) link.
 
 I wrote them about this, and their response was, we know it's 
 not secure,
 but we'll compensate you for any losses you may have... Crazy.
 

Scary. That's my bank. But then, I don't trust people enough to do online
banking.

I bet their shareholders would be really excited to know about their
technical proficiency and offer to re-imburse you for losses


George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)

[George Sexton]

I've been developing with Tomcat for years, and I never really know about
this issue. 

I'd have to say that it must not be a widely known issue.

Perhaps since the security picture has changed over the past couple of years
its time to revisit this issue.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

 -Original Message-
 From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 15, 2006 2:24 PM
 To: Tomcat Users List
 Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
 
 Adam and Mallory have to stop shopping! =)
 
 this debate has been going on for years, you just caught onto 
 to it now, 
 and I was in it last time, don't plan on participating again. 
 Have fun 
 with it though!!
 
 Filip
 
 
 George Sexton wrote:
  An even simpler case:
 
  Adam visits a banking site. On entering the site he gets a cookie. 
 
 
  Mallory snoops the session ID on the data stream.
 
  Adam then authenticates to read his account information. 
 The application
  sets a session attribute (say a bean with the account name 
 and number) on
  the session.
 
 
  Mallory now enters the secure area of the banking site 
 using the forged
  session ID. 
 
  Poof. Mallory is logged in as Adam.
 
  Poof. Adam is had and his data is there to be stolen, or 
 wire transferred to
  another account.
 
 
 
  George Sexton
  MH Software, Inc.
  http://www.mhsoftware.com/
  Voice: 303 438 9585

 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]