2013/12/3 at.silk <at.s...@everis.com>:
> Hi,
>
> I contact you to talk about an exception we receive in a Tomcat class. Few
> days ago we get an error in an application integrated with Tomcat. We have
> tried to get information about it but we don't find any solution, so we would
> like to know if you are aware about this issue.
>
> First we describe our scenario:
> 1. User logs in the portal and remain static for more than 30 minutes (30
> minutes is session expiration time).
> 2. Afterwards, he refreshes the webpage and session has been expired.
> 3. During the page reloading, an error occurs while executing the
> "parseSessionSslId" method because the "SSLSupport.SESSION_ID_KEY" is empty.
> 4. A blank page is displayed because the error is not caught.
>
> The exception produced during step 3 belongs to this section:
> [org\apache\catalina\connector\CoyoteAdapter.java]
> Method parseSessionSslId:
>
> request.setRequestedSessionId(request.getAttribute(SSLSupport.SESSION_ID_KEY).toString());
> request.setRequestedSessionSSL(true);
>
> This is our context:
> - Tomcat version: 7.0.25
> - OS: Linux distribution
> - Liferay 6.1GA1 portal integrated with Tomcat
> - We don't negotiate user session by the sessionid with the cookie but with
> the certificate.
>
> Our server.xml configuration file contains the following connectors:
> <Connector URIEncoding="UTF-8" port="8010" protocol="AJP/1.3"
> redirectPort="8443" scheme="https" secure="true" />
> <Connector URIEncoding="UTF-8" port="8443" protocol="HTTP/1.1"
> SSLEnabled="true" clientAuth="false" keystoreFile="xxx" keystorePass="yyy"
> keystoreType="PKCS12" maxThreads="150" scheme="https" secure="true"
> sslProtocol="TLS"/>

1. Is Tomcat accessed via AJP or HTTPS?

2. What is in front of Tomcat? An Apache HTTPD server?
How is mod_jk configured there?
Is Apache HTTPD accessed via HTTPS?
Is mod_jk configured to pass SSL_SESSION_ID to Tomcat?

http://tomcat.apache.org/connectors-doc/reference/apache.html

SSLOptions +StdEnvVars
JkExtractSSL On

3. How is <session-config> configured in WEB-INF/web.xml of your web
applications and in the shared $CATALINA_BASE/conf/web.xml file?

I expect that you have <tracking-mode> configured in one of those files.

Are you able to identify what web application is being requested here?
(E.g. by looking into the access log)?

> Conclusion:
> The exception is raised when the session id is empty due to we have an
> expired session. We have compiled this code section with a try catch and now
> our application does not receive the error, and we can see our page
> displayed, obviously with session expired.

4. A full stacktrace = ?

> Do you think this could be due to some local configuration or is it a general
> issue?
> Is there the possibility to contemplate this case to be protected when
> sessionId is null?
>

If an application is configured to use ssl session as its session
identifier, and no ssl session is available, how do you expect it to
behave?

It looks like if one adds a try/catch there, the application will create
a new session with every request. Are you OK with that?

5. I do not see how 30 minutes can come into play here. With my
guesses above an application should have failed with the first
request.

Is some form of single-sign-on configured between applications? Is 30
minutes the expiration time from single-sign-on (and not from webapp's
session)?

Best regards,
Konstantin Kolinko
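
An added example, not part of the thread and not Tomcat's code: a small Python check for questions 1 to 3 above. It reads a web.xml for `<session-config>` / `<tracking-mode>` and a server.xml for its connectors, then flags connectors that cannot supply an SSL session id themselves. The sample files are constructed, and the function names and finding texts are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the poster's real files).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>SSL</tracking-mode>
  </session-config>
</web-app>"""

SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" scheme="https" secure="true"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

def local(tag):
    """Strip an XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def session_config(web_xml_text):
    """Return (timeout in minutes or None, [tracking modes]) from a web.xml."""
    timeout, modes = None, []
    for el in ET.fromstring(web_xml_text).iter():
        if local(el.tag) != "session-config":
            continue
        for child in el:
            name, text = local(child.tag), (child.text or "").strip()
            if name == "session-timeout" and text:
                timeout = int(text)
            elif name == "tracking-mode" and text:
                modes.append(text.upper())
    return timeout, modes

def connectors(server_xml_text):
    """Return [(port, protocol, ssl_enabled)] for each <Connector>."""
    return [(c.get("port"), c.get("protocol", "HTTP/1.1"),
             c.get("SSLEnabled", "false").lower() == "true")
            for c in ET.fromstring(server_xml_text).iter("Connector")]

def findings(web_xml_text, server_xml_text):
    """With SSL tracking mode, list connectors that have no SSL session id of their own."""
    if "SSL" not in session_config(web_xml_text)[1]:
        return []
    out = []
    for port, proto, ssl in connectors(server_xml_text):
        if proto.upper().startswith("AJP"):
            out.append(f"port {port}: AJP, front end must forward SSL_SESSION_ID")
        elif not ssl:
            out.append(f"port {port}: plain HTTP, no SSL session id available")
    return out
```

Run `findings()` on each web application's WEB-INF/web.xml and on $CATALINA_BASE/conf/web.xml together with the server.xml; a finding for the AJP port is the case where the mod_jk settings quoted in question 2 matter.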