Re: Session being dropped in Virtual Host in 8.0.9

2015-02-04 Thread Hassan Schroeder
Late to this party :-)

On Wed, Feb 4, 2015 at 2:03 AM, Rory Kelly wrote:

> Rack is a bundle of fun, since this application is a Jruby application,
> which is being converted into a Java application to run on Tomcat. That's a
> whole other can of worms :)

I've only run Rails apps out of Tomcat (as WAR files), not Sinatra/
Padrino, but --

1) Have you tried (non-WAR) using trinidad (embedded Tomcat)?

2) Can you make a simple example WAR available that duplicates
the issue?

-- 
Hassan Schroeder  hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan
Consulting Availability : Silicon Valley or remote

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Session being dropped in Virtual Host in 8.0.9

2015-02-04 Thread Rory Kelly
Hi Chris,

They all have a keep-alive, already.

>I don't see a single session id in any of those requests, other than
>the "ib" token you said is generated by "the rack" (a load-balancer?).

>Are you sure you have any session at all?
Yes, I have this working in a Windows environment, and it requires a session
as well.
Rack is a bundle of fun, since this application is a Jruby application,
which is being converted into a Java application to run on Tomcat. That's a
whole other can of worms :)

On another note, I'm currently trying to search and see if there's anywhere
that Tomcat writes to that might be causing a permissions error in the linux
environment. Finding info on this is proving to be a bit...difficult,
though.

Kind Regards,
Rory

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 03 February 2015 20:40
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9


Rory,

On 2/3/15 6:04 AM, Rory Kelly wrote:
> Sorry for the late reply, I wound up working from home yesterday, and
> access to the server was less than ideal I'm just gonna dump the
> Headers from the login get, through to when it dumps me back out at
> the login.
>
> ##Login
>
> #request
> POST /login HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login
> Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
> Connection: keep-alive
>
> #response
> HTTP/1.1 200 OK
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:52:07 GMT
> Location: http://redacted.site.io/login/challenge
> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:57:07 -; HttpOnly
> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> #request
> GET /login/challenge HTTP/1.1redacted.sitename.io
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> en-US,en;q=0.5
> gzip, deflate
> http://redacted.sitename.io/login
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
> keep-alive
>
> #response
> HTTP/1.1 200 OK
> nginx/1.6.2 (Ubuntu)
> Tue, 03 Feb 2015 10:47:37 GMT
> text/html;charset=utf-8
> chunked
> keep-alive
> no-cache, no-store, must-revalidate, max-age=0
> 1; mode=block
> nosniff
> SAMEORIGIN
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:52:37 -; HttpOnly
> gzip
>
> ##Challenge
>
> #request
> POST /login/challenge HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login/challenge
> Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
> Connection: keep-alive
>
> #response
> HTTP/1.1 200 OK
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/statements
> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:55:03 -; HttpOnly
> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> #Request for /statements
> #request
> GET /statements HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://redacted.site.io/login/challenge
> Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
> Connection: keep-alive
>
> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login
> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie:
> i

Re: Session being dropped in Virtual Host in 8.0.9

2015-02-03 Thread Christopher Schultz
> ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3;
> path=/; expires=Tue, 03 Feb 2015 11:07:06 -; HttpOnly 
> Transfer-Encoding: chunked X-XSS-Protection: 1; mode=block 
> x-content-type-options: nosniff x-frame-options: SAMEORIGIN

I don't see a single session id in any of those requests, other than
the "ib" token you said is generated by "the rack" (a load-balancer?).

Are you sure you have any session at all?

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 January 2015 17:18
> To: Tomcat Users List
> Subject: Re: Session being dropped in Virtual Host in 8.0.9
> 
> Rory,
> 
> On 1/30/15 11:01 AM, Rory Kelly wrote:
>> I apologise in advance if the formatting is absolutely terrible.
> 
> Actually, it was totally readable ;)
> 
>>> Are you using cookies for session-tracking?
> 
>>> Can you watch the HTTP conversation to see what's being sent
>>> back and forth during that workflow? LiveHttpHeaders is great
>>> for Firefox, and these days Chrome, Firefox, and IE have
>>> something similar built-into them.
> 
>> From the looks of it, the cookie is storing the session ID.
>> Server - nginx/1.6.2 (Ubuntu)
>> Date - Fri, 30 Jan 2015 15:52:35 GMT
>> Content-Type - text/html;charset=utf-8
>> Transfer-Encoding - chunked
>> Connection - keep-alive
>> Cache-Control - no-cache, no-store, must-revalidate, max-age=0
>> X-XSS-Protection - 1; mode=block
>> x-content-type-options - nosniff
>> x-frame-options - SAMEORIGIN
>> Set-Cookie - ib=da7f36e0f53827383a262940d2f75fcef8bbb32b57bd3fced7149ae6a8bf4e3a;
>> path=/; expires=Fri, 30 Jan 2015 15:57:35 -; HttpOnly
>> Content-Encoding - gzip
>>
>> Everything in the HTTP requests seems fine, except the response from my
>> POST at the Challenge point, where, instead of a 200, I'm receiving a 302.
>> This is what tipped me off that it was the session that was causing the
>> issue.
> 
> This is only one response from the server, and it's not clear what
> the request was. Can you post:
> 
> 1. Request to protected resource (and response)
> 2. Request to login page (and response)
> 3. Request which is the submission of the login form (and response)
> ... and it sounds like here is where the session is lost
> 4. The next request, which evidently has lost the session (and response)
> 
>>> field... or at least whatever your clients DNS will resolve to
>>> your server. That may actually be "virtual1" but I just thought
>>> I'd mention it. It shouldn't have any bearing on the
>>> session-handling, unless your web application switches
>>> hostnames by telling a client requesting "virtual1" that it
>>> should redirect to "testsitex.site.io" or vice-versa.
> 
>> I went ahead and changed this as well, as it does seem like a
>> good practice to use.
> 
> -chris
> 



RE: Session being dropped in Virtual Host in 8.0.9

2015-02-03 Thread Rory Kelly
Hi Konstantin,

>1) Does the above Location header name the same web site? If you are
>redirected to a different site, the browser will use a different set of
>cookies for it (as your Set-Cookie headers do not set a domain for the
>cookie, and thus it is limited to a single site).

Yeah, it's all contained in a single site, on a single WAR, for now.

>> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
>> path=/; expires=Tue, 03 Feb 2015 10:55:03 -; HttpOnly

>2) Is "ib" your session cookie?  Is it created by Tomcat (just with a
>different cookie name), or by something else?

"ib" is getting set by Rack. I've tried the same WAR on my Windows machine,
and it works fine. The only difference between the two instances is the
environment (Single Host Tomcat 8.0.9 on Windows from Apache's website vs. a
Virtual Host Tomcat 8.0.9 on Ubuntu installed through apt-get).

>(CVE-2013-2067)
>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.33

Hmm, from this, I'm assuming my cookie should be changing for each POST
request. That doesn't seem to be happening on either environment. Could this
be my issue?

>> Referer: http://trythatagain.redacted.io/login/challenge
>5) Leaking a site name

Bah. The copy-replace apparently ignores chunks of text. Wonderful.

(Should I be removing the original message from my replies, to avoid
cluttering?)
Kind Regards,
Rory

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 03 February 2015 12:52
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9

2015-02-03 14:04 GMT+03:00 Rory Kelly:
> Hi Chris,
>
> Sorry for the late reply, I wound up working from home yesterday, and
> access to the server was less than ideal I'm just gonna dump the
> Headers from the login get, through to when it dumps me back out at
> the login.
>

> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login

1) Does the above Location header name the same web site? If you are
redirected to a different site, the browser will use a different set of
cookies for it (as your Set-Cookie headers do not set a domain for the cookie,
and thus it is limited to a single site).

> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:55:03 -; HttpOnly

2) Is "ib" your session cookie?  Is it created by Tomcat (just with a
different cookie name), or by something else?

3) Generally I would expect a cookie change when a FORM challenge is issued,
but the Set-Cookie header has the same cookie value as before. Thus my guess
of a different site name.



4) Is the time value correct? Is the client's clock correct?
Comparing the Date header in the response and the cookie, it is valid for 5
minutes only.

If the client's clock is wrong, it may expire the cookie earlier than 5
minutes.

5) Leaking a site name

> Cookie:
> ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
> Connection: keep-alive


Best regards,
Konstantin Kolinko




Re: Session being dropped in Virtual Host in 8.0.9

2015-02-03 Thread Konstantin Kolinko
2015-02-03 14:04 GMT+03:00 Rory Kelly:
> Hi Chris,
>
> Sorry for the late reply, I wound up working from home yesterday, and access
> to the server was less than ideal
> I'm just gonna dump the Headers from the login get, through to when it dumps
> me back out at the login.
>

> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login

1) Does the above Location header name the same web site? If you are
redirected to a different site, the browser will use a different set
of cookies for it (as your Set-Cookie headers do not set a domain for the
cookie, and thus it is limited to a single site).

> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
> expires=Tue, 03 Feb 2015 10:55:03 -; HttpOnly

2) Is "ib" your session cookie?  Is it created by Tomcat (just with a
different cookie name), or by something else?

3) Generally I would expect a cookie change when a FORM challenge is issued,
but the Set-Cookie header has the same cookie value as before. Thus my
guess of a different site name.

(CVE-2013-2067)
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.33


4) Is the time value correct? Is the client's clock correct?
Comparing the Date header in the response and the cookie, it is valid
for 5 minutes only.

If the client's clock is wrong, it may expire the cookie earlier than 5 minutes.

> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> ##Redirect
> GET /login HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://boyle.fern.io/login/challenge

5) Leaking a site name

> Cookie: ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
> Connection: keep-alive


Best regards,
Konstantin Kolinko

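The questions above (does the redirect target match the host the cookie was set for, does the cookie change at the challenge, is the five-minute window shorter on a client whose clock runs fast) can be checked mechanically over the kind of capture Chris asked Rory to collect. The script below is an added example, not code from the thread or from Tomcat. Its sample capture is constructed from the header values quoted in the thread (the "ib" value, the Date and expires timestamps, including the bare "-" that appears where the cookie's time zone should be); it assumes each captured response is a dict with url, status and headers, and treats the Rack "ib" cookie as the session cookie. CVE-2013-2067 is Tomcat's FORM-authentication session fixation fix, under which Tomcat issues a new session id when the user authenticates; the rotation check applies that expectation to whatever cookie carries the session, which here is Rack's and not Tomcat's JSESSIONID.

```python
"""Diagnostics for a captured cookie login flow (added example, not thread code).

Over the request/response pairs Chris asked for, it checks what Konstantin asked:
does each redirect stay on the host the cookie was set for (a cookie without
Domain= is host-only and is never sent to another host), does the session cookie
change across the credential POST, and how long is the cookie valid against the
server's own Date header, allowing for a client clock that runs fast. The
capture at the bottom is constructed from the values quoted in the thread.
"""
from email.utils import parsedate_to_datetime
from datetime import timezone
from urllib.parse import urlsplit


def parse_http_date(value):
    """RFC 1123 date -> aware datetime. A missing or mangled zone (the thread's
    captures show a bare "-" where "GMT" belongs) is read as GMT."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        dt = parsedate_to_datetime(value.rsplit(" ", 1)[0] + " GMT")
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    first, *attrs = (part.strip() for part in header.split(";"))
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value}
    for attr in attrs:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else True
    return cookie


def redirect_keeps_cookie(request_url, location, cookie):
    """True if the browser will still send `cookie` after following `location`."""
    src = urlsplit(request_url).hostname
    dst = urlsplit(location).hostname or src    # relative Location: same host
    domain = cookie.get("domain")
    if not domain:                               # host-only cookie
        return src == dst
    domain = domain.lstrip(".").lower()          # Domain= also covers subdomains
    return dst.lower() == domain or dst.lower().endswith("." + domain)


def cookie_lifetime_s(date_header, cookie):
    """Validity window in seconds as the server sees it: Expires minus Date."""
    delta = parse_http_date(cookie["expires"]) - parse_http_date(date_header)
    return int(delta.total_seconds())


def effective_lifetime_s(lifetime_s, client_ahead_s):
    """A client clock that runs `client_ahead_s` fast drops the cookie that
    much sooner; ahead by the whole window, the cookie is discarded at once."""
    return max(lifetime_s - client_ahead_s, 0)


def analyse(steps, auth_step):
    """Run all three checks. `steps` is a list of {"url", "status", "headers"};
    `auth_step` indexes the response to the credential POST, after which the
    session id should differ from the one issued before it."""
    cookies = [parse_set_cookie(s["headers"]["Set-Cookie"]) for s in steps]
    findings = {"cross_host_redirects": [], "lifetimes_s": []}
    for step, cookie in zip(steps, cookies):
        location = step["headers"].get("Location")
        if location and not redirect_keeps_cookie(step["url"], location, cookie):
            findings["cross_host_redirects"].append(location)
        findings["lifetimes_s"].append(cookie_lifetime_s(step["headers"]["Date"], cookie))
    findings["rotated"] = cookies[auth_step]["value"] != cookies[auth_step - 1]["value"]
    return findings


def response(url, status, date, location, ib_value, expires):
    """One constructed capture entry in the layout of the headers Rory posted."""
    headers = {"Date": date,
               "Set-Cookie": f"ib={ib_value}; path=/; expires={expires}; HttpOnly"}
    if location:
        headers["Location"] = location
    return {"url": url, "status": status, "headers": headers}


# Constructed from the three responses in the thread: the same "ib" comes back
# every time, which is exactly what the rotation check is there to flag.
IB = "0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836"
CAPTURE = [
    response("http://redacted.site.io/login", 200, "Tue, 03 Feb 2015 10:52:07 GMT",
             "http://redacted.site.io/login/challenge", IB, "Tue, 03 Feb 2015 10:57:07 -"),
    response("http://redacted.site.io/login/challenge", 200, "Tue, 03 Feb 2015 10:50:03 GMT",
             "http://redacted.site.io/statements", IB, "Tue, 03 Feb 2015 10:55:03 -"),
    response("http://redacted.site.io/statements", 302, "Tue, 03 Feb 2015 10:50:03 GMT",
             "http://redacted.site.io/login", IB, "Tue, 03 Feb 2015 10:55:03 -"),
]

if __name__ == "__main__":
    result = analyse(CAPTURE, auth_step=1)
    print(result)  # rotated False, lifetimes_s [300, 300, 300], no cross-host redirects
    print(effective_lifetime_s(result["lifetimes_s"][1], 6 * 60))  # 0: clock 6 min fast
```

On the thread's own capture the script reports no cross-host redirect, a five-minute window on every response, and no rotation at the challenge; the last line shows that a client clock six minutes fast would discard that cookie before it is ever sent back. For a real capture, feed every hop of the flow and read cross_host_redirects first, then rotated, then the lifetimes against the measured client clock offset.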



RE: Session being dropped in Virtual Host in 8.0.9

2015-02-03 Thread Rory Kelly
Hi Chris,

Sorry for the late reply, I wound up working from home yesterday, and access
to the server was less than ideal. I'm just gonna dump the headers from the
login GET through to when it dumps me back out at the login.

##Login

#request
POST /login HTTP/1.1redacted.site.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://redacted.site.io/login
Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
Connection: keep-alive

#response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html;charset=utf-8
Date: Tue, 03 Feb 2015 10:52:07 GMT
Location: http://redacted.site.io/login/challenge
Server: nginx/1.6.2 (Ubuntu)
Set-Cookie:
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
expires=Tue, 03 Feb 2015 10:57:07 -; HttpOnly
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

#request
GET /login/challenge HTTP/1.1redacted.sitename.io
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
en-US,en;q=0.5
gzip, deflate
http://redacted.sitename.io/login
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
keep-alive

#response
HTTP/1.1 200 OK
nginx/1.6.2 (Ubuntu)
Tue, 03 Feb 2015 10:47:37 GMT
text/html;charset=utf-8
chunked
keep-alive
no-cache, no-store, must-revalidate, max-age=0
1; mode=block
nosniff
SAMEORIGIN
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
expires=Tue, 03 Feb 2015 10:52:37 -; HttpOnly
gzip


##Challenge

#request
POST /login/challenge HTTP/1.1redacted.site.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://redacted.site.io/login/challenge
Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
Connection: keep-alive

#response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html;charset=utf-8
Date: Tue, 03 Feb 2015 10:50:03 GMT
Location: http://redacted.site.io/statements
Server: nginx/1.6.2 (Ubuntu)
Set-Cookie:
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
expires=Tue, 03 Feb 2015 10:55:03 -; HttpOnly
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

#Request for /statements
#request
GET /statements HTTP/1.1redacted.site.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://redacted.site.io/login/challenge
Cookie: ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836
Connection: keep-alive

#response
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html;charset=utf-8
Date: Tue, 03 Feb 2015 10:50:03 GMT
Location: http://redacted.site.io/login
Server: nginx/1.6.2 (Ubuntu)
Set-Cookie:
ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
expires=Tue, 03 Feb 2015 10:55:03 -; HttpOnly
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

##Redirect
GET /login HTTP/1.1redacted.site.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://boyle.fern.io/login/challenge
Cookie: ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
Connection: keep-alive

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Date: Tue, 03 Feb 2015 11:02:06 GMT
Server: nginx/1.6.2 (Ubuntu)
Set-Cookie:
ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3; path=/;
expires=Tue, 03 Feb 2015 11:07:06 -; HttpOnly
Transfer-Encoding: chunked
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

Kind Regards,
Rory

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 January 2015 17:18
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9


Rory,

On 1/30/15 11:01 AM, Rory Kelly wrote:
> I apologise in advance if the formatting is ab

Re: Session being dropped in Virtual Host in 8.0.9

2015-01-30 Thread Christopher Schultz

Rory,

On 1/30/15 11:01 AM, Rory Kelly wrote:
> I apologise in advance if the formatting is absolutely terrible.

Actually, it was totally readable ;)

>> Are you using cookies for session-tracking?
> 
>> Can you watch the HTTP conversation to see what's being sent back
>> and forth during that workflow? LiveHttpHeaders is great for
>> Firefox, and these days Chrome, Firefox, and IE have something
>> similar built-into them.
> 
> From the looks of it, the cookie is storing the session ID.
> Server - nginx/1.6.2 (Ubuntu)
> Date - Fri, 30 Jan 2015 15:52:35 GMT
> Content-Type - text/html;charset=utf-8
> Transfer-Encoding - chunked
> Connection - keep-alive
> Cache-Control - no-cache, no-store, must-revalidate, max-age=0
> X-XSS-Protection - 1; mode=block
> x-content-type-options - nosniff
> x-frame-options - SAMEORIGIN
> Set-Cookie - ib=da7f36e0f53827383a262940d2f75fcef8bbb32b57bd3fced7149ae6a8bf4e3a;
> path=/; expires=Fri, 30 Jan 2015 15:57:35 -; HttpOnly
> Content-Encoding - gzip
>
> Everything in the HTTP requests seems fine, except the response from my
> POST at the Challenge point, where, instead of a 200, I'm receiving a 302.
> This is what tipped me off that it was the session that was causing the
> issue.

This is only one response from the server, and it's not clear what the
request was. Can you post:

1. Request to protected resource (and response)
2. Request to login page (and response)
3. Request which is the submission of the login form (and response)
... and it sounds like here is where the session is lost
4. The next request, which evidently has lost the session (and response)

>> field... or at least whatever your clients DNS will resolve to
>> your server. That may actually be "virtual1" but I just thought
>> I'd mention it. It shouldn't have any >bearing on the
>> session-handling, unless your web application switches hostnames
>> by telling a client requesting "virtual1" that it should redirect
>> to >"testsitex.site.io" or vice-versa.
> 
> I went ahead and changed this as well, as it does seem like a good
> practice to use.

-chris




RE: Session being dropped in Virtual Host in 8.0.9

2015-01-30 Thread Rory Kelly
Hi Chris,

I apologise in advance if the formatting is absolutely terrible.

>Are you using cookies for session-tracking?

>Can you watch the HTTP conversation to see what's being sent back and forth
>during that workflow? LiveHttpHeaders is great for Firefox, and these days
>Chrome, Firefox, and IE have something similar built-into them.

From the looks of it, the cookie is storing the session ID.
  Server - nginx/1.6.2 (Ubuntu)
  Date - Fri, 30 Jan 2015 15:52:35 GMT
  Content-Type - text/html;charset=utf-8
  Transfer-Encoding - chunked
  Connection - keep-alive
  Cache-Control - no-cache, no-store, must-revalidate, max-age=0
  X-XSS-Protection - 1; mode=block
  x-content-type-options - nosniff
  x-frame-options - SAMEORIGIN
  Set-Cookie - ib=da7f36e0f53827383a262940d2f75fcef8bbb32b57bd3fced7149ae6a8bf4e3a;
    path=/; expires=Fri, 30 Jan 2015 15:57:35 -; HttpOnly
  Content-Encoding - gzip
Everything in the HTTP requests seems fine, except the response from my POST
at the Challenge point, where, instead of a 200, I'm receiving a 302. This
is what tipped me off that it was the session that was causing the issue.


>You might want a fully-qualified host name in the host's "name"
>field... or at least whatever your clients DNS will resolve to your server.
>That may actually be "virtual1" but I just thought I'd mention it. It
>shouldn't have any bearing on the session-handling, unless your web
>application switches hostnames by telling a client requesting "virtual1"
>that it should redirect to "testsitex.site.io" or vice-versa.

I went ahead and changed this as well, as it does seem like a good practice
to use.

Kind Regards,
Rory




Re: Session being dropped in Virtual Host in 8.0.9

2015-01-30 Thread Christopher Schultz

Rory,

On 1/30/15 6:08 AM, Rory Kelly wrote:
> I’m having a lot of trouble with maintaining a session in a Virtual
> Host environment on 8.0.9. I installed Tomcat through apt-get on an
> Ubuntu 14.04 server.
> 
> My application is a JRuby Padrino bundled with Warbler, with 2
> steps for logging in, a login page and a challenge page.
> 
> The session persists from Login through to challenge, but appears
> to be dropped without any errors or warnings when I try to proceed
> from the Challenge page.
> 
> I configured the virtual host using the following format:
> 
> <Host name="virtual1" ... autoDeploy="true">
>   <Valve className="org.apache.catalina.valves.AccessLogValve"
>          directory="logs" prefix="test_access_log" suffix=".txt"
>          pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>   <Alias>testsitex.site.io</Alias>
> </Host>
> 
> No other configuration was done to the server.

You might want a fully-qualified host name in the host's "name"
field... or at least whatever your clients DNS will resolve to your
server. That may actually be "virtual1" but I just thought I'd mention
it. It shouldn't have any bearing on the session-handling, unless your
web application switches hostnames by telling a client requesting
"virtual1" that it should redirect to "testsitex.site.io" or vice-versa.

> When I run the site on my local Windows environment without
> Virtual Hosting, the session is maintained and I can log in. Is
> there something else I need to configure to ensure that the session
> is being maintained?

Are you using cookies for session-tracking?

Can you watch the HTTP conversation to see what's being sent back and
forth during that workflow? LiveHttpHeaders is great for Firefox, and
these days Chrome, Firefox, and IE have something similar built-into them.

-chris
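Chris's remark about the Host name, together with the AccessLogValve already in Rory's Host element, suggests the server.xml fragment below. It is an added example, not the configuration from the thread: the fully-qualified name that clients resolve goes in name and the short name is kept as an Alias (the appBase path is assumed), and the access-log pattern is extended with %S, Tomcat's own session id for the request, and %{ib}c, the value of the incoming ib cookie, so that a dropped session shows up in the access log as a change in either value between two consecutive requests from the same client. As Konstantin's point about host-only cookies implies, a browser keeps separate cookies for the two names, so a flow should stay on one of them.

```xml
<!-- Added example, not the thread's server.xml. The FQDN is the Host name;
     the short name stays usable as an alias. appBase is an assumed path. -->
<Host name="testsitex.site.io" appBase="webapps-testsitex"
      unpackWARs="true" autoDeploy="true">
  <Alias>virtual1</Alias>
  <!-- %S = Tomcat session id, %{ib}c = the ib cookie the browser sent;
       both change in the log at the exact request where a session is lost -->
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="test_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b %S %{ib}c" />
</Host>
```

With this in place, the request that comes back as a 302 to /login can be matched in test_access_log against the preceding POST: if the ib column still shows the same value, the browser did send the cookie and the application discarded the session; if the column is empty, the cookie never arrived, which points at scope, expiry or the client clock rather than at Tomcat.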



Session being dropped in Virtual Host in 8.0.9

2015-01-30 Thread Rory Kelly
Hi,



I’m having a lot of trouble with maintaining a session in a Virtual Host
environment on 8.0.9. I installed Tomcat through apt-get on an Ubuntu 14.04
server.

My application is a JRuby Padrino bundled with Warbler, with 2 steps for
logging in, a login page and a challenge page.



The session persists from Login through to challenge, but appears to be
dropped without any errors or warnings when I try to proceed from the
Challenge page.



I configured the virtual host using the following format:

<Host name="virtual1" ... autoDeploy="true">
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="test_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  <Alias>testsitex.site.io</Alias>
</Host>

No other configuration was done to the server.



When I run the site on my local Windows environment without Virtual
Hosting, the session is maintained and I can log in. Is there something
else I need to configure to ensure that the session is being maintained?



Thanks,

R Kelly