Re: Wrong SessionID

2009-07-22 Thread Ron McNulty

Hi Uwe

Great news - it took us days to find this on our intranet.  It wasn't helped 
by the fact that only one of our call centre operators had the problem, and 
she worked in a centre 400km away. It turned out that her desktop always had 
a particular SAP application open plus one of ours.


I sure did learn a lot about cookies and useful Firefox plugins in the 
process. If you don't already have it, WebDeveloper is great.


Regards

Ron

- Original Message - 
From: "Poehner, Uwe" 
To: "Ron McNulty" ; "Tomcat Users List" 


Sent: Thursday, July 23, 2009 4:17 AM
Subject: Re: Wrong SessionID


Hi Ron,

thanks a lot! I'm pretty sure that's our problem and I already found some SAP
J2EE Application Servers on our intranet with such a JSESSIONID
"(J2EE...)ID...End" and (Cookie) Domain instead of Host configured (still
right configured). So I will continue to search for the evil one ...


Best Regards
   Uwe




-Original Message-
From: Ron McNulty [mailto:rmcnu...@xtra.co.nz]
Sent: Wednesday, 22 July 2009 11:09
To: Tomcat Users List
Subject: Re: Wrong SessionID

Hi Uwe

I've seen something very similar when a SAP server was incorrectly
configured to produce a JSESSIONID cookie that was global to the
organisation, rather than scoped to the server that produced it. The
"(J2EE13679500)" and "End" parts of the session ID look suspiciously like
what I saw.

The only fix was to correctly configure the offending server - there is
nothing Tomcat can do. When a browser has two cookies with the same name in
scope, the outcome is indeterminate. We found that the wider scoped cookie
took precedence. I've often thought the name of the JSESSIONID cookie should
be configurable, but to my knowledge it is hard-coded.

If this is the problem, then it is your client's problem (unless you are
seeing it from inside your intranet).

Regards

Ron

- Original Message ----- 
From: "Poehner, Uwe" 

To: 
Sent: Wednesday, July 22, 2009 3:26 AM
Subject: Wrong SessionID


Hello,

our tomcat servers seem to produce very sporadically a wrong JsessionID -
instead of 58EB1F9C39278DBB72528A13EF026EFB.bsp01
we get (J2EE13679500)ID0574993050DB11991779031281660559End (without a
dot-jvmroute) so we lose stickiness and our session.

Our environment (Hardware Loadbalancer -> 2 Apache Servers -> 2 Tomcat
Servers):
Solaris 10 8/07
Apache/2.2.6 with mod_proxy_ajp, mod_proxy_balancer, ...
Tomcat 5.5.23 with JDK 1.5.0_12-b04

Does anybody have an idea?


Thanks and Regards
  Uwe
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







Re: Wrong SessionID

2009-07-22 Thread Poehner, Uwe
Hi Ron,

thanks a lot! I'm pretty sure that's our problem and I already found some SAP
J2EE Application Servers on our intranet with such a JSESSIONID
"(J2EE...)ID...End" and (Cookie) Domain instead of Host configured (still
right configured). So I will continue to search for the evil one ...


Best Regards
Uwe



> -Original Message-
> From: Ron McNulty [mailto:rmcnu...@xtra.co.nz]
> Sent: Wednesday, 22 July 2009 11:09
> To: Tomcat Users List
> Subject: Re: Wrong SessionID
> 
> Hi Uwe
> 
> I've seen something very similar when a SAP server was incorrectly
> configured to produce a JSESSIONID cookie that was global to the
> organisation, rather than scoped to the server that produced it. The
> "(J2EE13679500)" and "End" parts of the session ID look suspiciously like
> what I saw.
>
> The only fix was to correctly configure the offending server - there is
> nothing Tomcat can do. When a browser has two cookies with the same name in
> scope, the outcome is indeterminate. We found that the wider scoped cookie
> took precedence. I've often thought the name of the JSESSIONID cookie should
> be configurable, but to my knowledge it is hard-coded.
>
> If this is the problem, then it is your client's problem (unless you are
> seeing it from inside your intranet).
> 
> Regards
> 
> Ron
> 
> - Original Message - 
> From: "Poehner, Uwe" 
> To: 
> Sent: Wednesday, July 22, 2009 3:26 AM
> Subject: Wrong SessionID
> 
> 
> Hello,
> 
> our tomcat servers seem to produce very sporadically a wrong JsessionID -
> instead of 58EB1F9C39278DBB72528A13EF026EFB.bsp01
> we get (J2EE13679500)ID0574993050DB11991779031281660559End (without a
> dot-jvmroute) so we lose stickiness and our session.
>
> Our environment (Hardware Loadbalancer -> 2 Apache Servers -> 2 Tomcat
> Servers):
> Solaris 10 8/07
> Apache/2.2.6 with mod_proxy_ajp, mod_proxy_balancer, ...
> Tomcat 5.5.23 with JDK 1.5.0_12-b04
> 
> Does anybody have an idea?
> 
> 
> Thanks and Regards
>   Uwe



Re: Wrong SessionID

2009-07-22 Thread Christopher Schultz

Ron,

On 7/22/2009 5:09 AM, Ron McNulty wrote:
> The only fix was to correctly configure the offending server - there is
> nothing Tomcat can do. When a browser has two cookies with the same name
> in scope, the outcome is indeterminate. We found that the wider scoped
> cookie took precedence. I've often thought the name of the JSESSIONID
> cookie should be configurable, but to my knowledge it is hard-coded.

As Mark points out, this is configurable in 6.0.19.

When multiple JSESSIONID cookies exist, Tomcat will try them, one at a
time, until it finds one that matches a valid session in the container,
so multiple JSESSIONID cookies shouldn't be a problem.

If you call request.getRequestedSessionId() and it did not produce a
valid session, then the session id will appear to be wonky. It would be
better to call request.getSession().getId() to be sure you're really
using the right session id.

Uwe, are you seeing this strange JSESSIONID in the request headers (via
an HTTP sniffer) or are you accessing this id through the API? I'm
wondering if you are drawing an improper conclusion. You weren't
specific about the circumstances so it's tough to diagnose.

-chris



Re: Wrong SessionID

2009-07-22 Thread Mark Thomas
Ron McNulty wrote:
> The only fix was to correctly configure the offending server - there is
> nothing Tomcat can do. When a browser has two cookies with the same name
> in scope, the outcome is indeterminate. We found that the wider scoped
> cookie took precedence. I've often thought the name of the JSESSIONID
> cookie should be configurable, but to my knowledge it is hard-coded.

As of 6.0.19 it is configurable.

http://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html

Mark





Re: Wrong SessionID

2009-07-22 Thread Ron McNulty

Hi Uwe

I've seen something very similar when a SAP server was incorrectly 
configured to produce a JSESSIONID cookie that was global to the 
organisation, rather than scoped to the server that produced it. The 
"(J2EE13679500)" and "End" parts of the session ID look suspiciously like 
what I saw.


The only fix was to correctly configure the offending server - there is 
nothing Tomcat can do. When a browser has two cookies with the same name in 
scope, the outcome is indeterminate. We found that the wider scoped cookie 
took precedence. I've often thought the name of the JSESSIONID cookie should 
be configurable, but to my knowledge it is hard-coded.


If this is the problem, then it is your client's problem (unless you are 
seeing it from inside your intranet).


Regards

Ron

- Original Message - 
From: "Poehner, Uwe" 

To: 
Sent: Wednesday, July 22, 2009 3:26 AM
Subject: Wrong SessionID


Hello,

our tomcat servers seem to produce very sporadically a wrong JsessionID -
instead of 58EB1F9C39278DBB72528A13EF026EFB.bsp01
we get (J2EE13679500)ID0574993050DB11991779031281660559End (without a
dot-jvmroute) so we lose stickiness and our session.


Our environment (Hardware Loadbalancer -> 2 Apache Servers -> 2 Tomcat 
Servers):

Solaris 10 8/07
Apache/2.2.6 with mod_proxy_ajp, mod_proxy_balancer, ...
Tomcat 5.5.23 with JDK 1.5.0_12-b04

Does anybody have an idea?


Thanks and Regards
 Uwe
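
Added example, not part of any message in this thread: a Python check for the situation Ron describes above, where one server sets JSESSIONID with a Domain attribute and the cookie then reaches sibling hosts. The host names and header lines are constructed, the two session ids are the ones quoted in the thread, and the function names are this example's own.

```python
import re

# Assumption: shape of the Tomcat id quoted in the thread,
# 32 hex digits followed by ".<jvmRoute>".
TOMCAT_ID = re.compile(r"[0-9A-F]{32}\.\w+")

def wide_scope(host, set_cookie, name="JSESSIONID"):
    """Return the Domain value if `set_cookie` scopes `name` to a parent
    domain of `host` (so sibling hosts receive it too), else None."""
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    if first.partition("=")[0] != name:
        return None
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
            if domain and host.lower().endswith("." + domain):
                return domain
    return None  # no Domain attribute: the cookie is host-only

def session_ids(cookie_header, name="JSESSIONID"):
    """All values sent for `name` in one Cookie request header, in order."""
    pairs = (p.strip().partition("=") for p in cookie_header.split(";"))
    return [v for k, _, v in pairs if k == name]

def foreign_ids(cookie_header):
    """JSESSIONID values that do not have the Tomcat id shape."""
    return [v for v in session_ids(cookie_header) if not TOMCAT_ID.fullmatch(v)]

# Constructed sample data: placeholder host names, ids as quoted in the thread.
SAP_ID = "(J2EE13679500)ID0574993050DB11991779031281660559End"
TOMCAT_SAMPLE = "58EB1F9C39278DBB72528A13EF026EFB.bsp01"
RESPONSES = [
    ("tomcat.intranet.example", f"JSESSIONID={TOMCAT_SAMPLE}; Path=/app"),
    ("sap.intranet.example",
     f"JSESSIONID={SAP_ID}; Domain=.intranet.example; Path=/"),
]
# What a browser holding both cookies would send to the Tomcat host.
REQUEST_COOKIE = f"JSESSIONID={SAP_ID}; JSESSIONID={TOMCAT_SAMPLE}"

if __name__ == "__main__":
    for host, header in RESPONSES:
        print(host, "->", wide_scope(host, header) or "host-only")
    print("foreign ids in request:", foreign_ids(REQUEST_COOKIE))
```

Run against Set-Cookie headers collected from each intranet server, `wide_scope` points at the server whose cookie scope needs correcting; `foreign_ids` applied to logged Cookie request headers shows which clients are already carrying the colliding cookie.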



Wrong SessionID

2009-07-21 Thread Poehner, Uwe
Hello,

our tomcat servers seem to produce very sporadically a wrong JsessionID -
instead of 58EB1F9C39278DBB72528A13EF026EFB.bsp01
we get (J2EE13679500)ID0574993050DB11991779031281660559End (without a
dot-jvmroute) so we lose stickiness and our session.

Our environment (Hardware Loadbalancer -> 2 Apache Servers -> 2 Tomcat Servers):
Solaris 10 8/07
Apache/2.2.6 with mod_proxy_ajp, mod_proxy_balancer, ...
Tomcat 5.5.23 with JDK 1.5.0_12-b04

Does anybody have an idea?


Thanks and Regards
  Uwe