Martin,

We have the cookie config in the application.

<session-config>
    <session-timeout>20</session-timeout>
    <cookie-config>
        <path>/</path>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Thanks,
Prasanth

On 05/15/2018 04:03 PM, Martin Gainty wrote:
> 8443 indicates secure connection so perhaps a misconfig with wildfly
> standalone.xml (see below)
>
> <servlet-container name="pasala">
>     <session-cookie http-only="true" secure="true"/> <!-- enable secure cookies with secure = true -->
>     <jsp-config/>
> </servlet-container>
>
> https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>
> can you ping wildfly userlist ?
> https://developer.jboss.org/en/wildfly
>
> jaikiran is a good resource that i met on a different userlist..i would
> definitely ping him
> stay in touch/let me know if setting session-cookie in standalone.xml works
>
> M-
> NB: I once contracted to the company that bought wildfly..we had to figure
> configuration by ourselves
>
> ------------------------------------------------------------------------
> *From:* Prasanth Pasala <[email protected]>
> *Sent:* Tuesday, May 15, 2018 11:42 AM
> *To:* [email protected]
> *Subject:* Re: Struts2 login action class seems to be reused
>
> See below the header information when the exception occurred.
> Strange thing is JMeter is saying it did not send any cookie (which is what
> I would expect in this case as it is just requesting the login page)
>
> Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.xxxxxxxx
> (xxxxxx - is the machine name on which wildfly is running)
> Connection: keep-alive
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> Host: dev.secure.xxxxxxxxxxx.com:8443
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded
>
> 10:09:09,150 ERROR [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) Exception occurred during processing request: UT000010: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: UT000010: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ
>
> ------------From JMeter------------------------------------------------
> GET https://dev.secure.pangburngroup.com:8443/participant/
>
> GET data:
>
> [no cookies]
>
> Request Headers:
> Connection: keep-alive
> Host: dev.secure.xxxxxxxxxxx.com:8443
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> ------------------------------------------------------------------------
>
> Thanks,
> Prasanth
>
> On 05/15/2018 07:44 AM, Martin Gainty wrote:
> > Hi Norbert/Prasanth
> >
> > Struts2 login action problem has morphed to "Invalid Session State" with
> > Wildfly's implementation of TC 5.5
> >
> > https://en.wikipedia.org/wiki/WildFly
> >
> > MG>as a debugging exercise I would dump HTTP Header attributes with
> >
> > http://livehttpheaders.mozdev.org/
> >
> > MG>then check JSESSIONID
> >
> > MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> > MG>and corrected with his own StandardManager findSession method
> > https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
> >
> > Yes, there is! I found it and implemented this solution: A class
> > extending org.apache.catalina.session.StandardManager and overriding
> > the method public Session findSession(String id) throws IOException -
> > simply removing quotation marks, if any! Seems to work fine.
> > Thanks for putting me on the right trail!
> >
> > MG>assuming your TC has incorrect StandardManager can you update wildfly
> > with a more updated version?
> > MG>here are versions
> > https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
> >
> > MG>personally i wouldn't muck with TC i would suggest upgrading wildfly and
> > getting jboss-web container
> >
> > hth
> > martin
> > ______________________________________________
> >
> > ________________________________
> > From: Norbert Hirneisen <[email protected]>
> > Sent: Friday, March 2, 2018 6:55 PM
> > To: [email protected]
> > Subject: Fwd: Re: Struts2 login action class seems to be reused
> >
> > Hi Prasanth,
> >
> > are you sure all your struts1 code is thread safe ? I had some similar
> > problems in a struts1 application. After removing all action class
> > properties the problem was solved. Struts2 should be thread safe. But
> > your problem looks to me like a problem with thread safety.
> >
> > Best regards,
> >
> > Norbert
> >
> > science + communication & HaNo Systems
> >
> > Bonn/Ho-Chi-Minh
> >
> > On 02.03.2018 at 22:07, Prasanth Pasala wrote:
> >> I was able to replicate the issue today. Asked a few users to keep logging
> >> in and ran jmeter to access login page, without putting any username or
> >> password. Out of the 100 attempts 2 attempts were successful in getting in
> >> without username/password. I am seeing database login entries for these
> >> two. Which would happen only if a valid session is not present and user
> >> has provided username/password.
> >>
> >> Thanks,
> >> Prasanth
> >>
> >> On 03/01/2018 02:27 PM, Prasanth wrote:
> >>> Hi,
> >>>
> >>> I have an application which uses both struts1 & struts2. The login action
> >>> was recently moved to struts2. Immediately after the deployment we were
> >>> notified that one user is seeing a different user's information, so we
> >>> had to move to older war files. I am not able to replicate it. But after
> >>> investigating the logs it seems like a couple of users were logged in as
> >>> soon as they requested the login page.
> >>> For the database entry to happen it has to verify the username and
> >>> password in the action class, but the fact that there is no POST entry at
> >>> that time from that IP in my access log makes me believe that the action
> >>> class somehow already had that information from a prior user.
> >>>
> >>> I do have a login filter to check if users are logged in when accessing
> >>> other pages. In this filter I have the below two lines, we had to do this
> >>> as we will have requests forwarded from one application to another and
> >>> when that happens we are getting class cast exception for ActionMapping
> >>> class and valueStack. Not sure if the behavior is a side effect of having
> >>> the below lines.
> >>>
> >>>     request.setAttribute("struts.actionMapping", new ActionMapping());
> >>>     request.setAttribute("struts.valueStack", null);
> >>>
> >>> We are using Struts 2.3.34 and Wildfly.
> >>>
> >>> Appreciate any insights you might have.
> >>>
> >>> Thanks,
> >>> Prasanth
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
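
Added example, not part of the original thread and not code from any of its participants: the check described in the first message of the thread (a database login entry with no POST from that IP in the access log at that time) written as a log correlation. The access-log layout, the audit-row shape, the /participant/login.action URL, the 5-second window and all sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data; log layout and the login URL are assumptions.
LOGIN_PATH = "/participant/login.action"  # hypothetical POST target
ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2018:14:02:10 +0000] "GET /participant/ HTTP/1.1" 200 5120
203.0.113.7 - - [01/Mar/2018:14:02:31 +0000] "POST /participant/login.action HTTP/1.1" 302 0
198.51.100.9 - - [01/Mar/2018:14:02:32 +0000] "GET /participant/ HTTP/1.1" 200 5120
""".splitlines()
# (time the login row was written, username, client IP) as stored by the app.
# Assumed to be in the same time zone as the access log (UTC here).
LOGIN_AUDIT = [
    ("2018-03-01 14:02:31", "alice", "203.0.113.7"),
    ("2018-03-01 14:02:32", "alice", "198.51.100.9"),
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_posts(lines, path=LOGIN_PATH):
    """Return {ip: [datetime, ...]} for POST requests to the login URL."""
    posts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        ip, ts, method, url, _status = m.groups()
        if method == "POST" and url.split("?")[0] == path:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            posts.setdefault(ip, []).append(when.replace(tzinfo=None))
    return posts


def logins_without_post(access_lines, audit_rows, window=timedelta(seconds=5)):
    """Audit rows with no login POST from the same IP in `window` before them."""
    posts = parse_posts(access_lines)
    suspicious = []
    for ts, user, ip in audit_rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        matched = any(timedelta(0) <= when - p <= window
                      for p in posts.get(ip, []))
        if not matched:
            suspicious.append((ts, user, ip))
    return suspicious


if __name__ == "__main__":
    for row in logins_without_post(ACCESS_LOG, LOGIN_AUDIT):
        print("login recorded without a credential POST:", row)
```

Each row it returns is a login that the application recorded without a matching credential submission from that client, which is the symptom reported in the thread.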

