-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Rory,

On 1/30/15 11:01 AM, Rory Kelly wrote:
> I apologise in advance if the formatting is absolutely terrible.

Actually, it was totally readable ;)

>> Are you using cookies for session-tracking?
> 
>> Can you watch the HTTP conversation to see what's being sent back
>> and forth during that workflow? LiveHttpHeaders is great for
>> Firefox, and these days Chrome, Firefox, and IE have something
>> similar built-into them.
> 
>> From the looks of it, the cookie is storing the session ID.
> Server - nginx/1.6.2 (Ubuntu)
> Date - Fri, 30 Jan 2015 15:52:35 GMT
> Content-Type - text/html;charset=utf-8
> Transfer-Encoding - chunked
> Connection - keep-alive
> Cache-Control - no-cache, no-store, must-revalidate, max-age=0
> X-XSS-Protection - 1; mode=block
> x-content-type-options - nosniff
> x-frame-options - SAMEORIGIN
> Set-Cookie - ib=da7f36e0f53827383a262940d2f75fcef8bbb32b57bd3fced7149ae6a8bf4e3a;
> path=/; expires=Fri, 30 Jan 2015 15:57:35 -0000; HttpOnly
> Content-Encoding - gzip
> 
> Everything in the HTTP requests seems fine, except the response from
> my POST at the Challenge point, where, instead of a 200, I'm
> receiving a 302. This is what tipped me off that it was the session
> that was causing the issue.

This is only one response from the server, and it's not clear what the
request was. Can you post:

1. Request to protected resource (and response)
2. Request to login page (and response)
3. Request which is the submission of the login form (and response)
... and it sounds like here is where the session is lost
4. The next request, which evidently has lost the session (and response)

>> field... or at least whatever your clients' DNS will resolve to
>> your server. That may actually be "virtual1" but I just thought
>> I'd mention it. It shouldn't have any bearing on the
>> session-handling, unless your web application switches hostnames
>> by telling a client requesting "virtual1" that it should redirect
>> to "testsitex.site.io" or vice-versa.
> 
> I went ahead and changed this as well, as it does seem like a good
> practice to use.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUy7ysAAoJEBzwKT+lPKRYvhIQAKyd2NgVsXPYh83RfvEGneW2
jKvc1BwRZMntweaFFX8mJ8jih+eLncTZlYo2OyqyUGYfiZS54us+yjUh11UmAVZx
Qpb9nGDL2YRnM5yTyyYxW2FRXzzwexIvIkGj9w/DoBbiNh8PMWhZxTKXX/X9xsqL
pPJrRxufz7bIzwLmfk3zxwwRXLtip5nhU+EHOOPn0rIs3w6kt7C87D/oLnLp/MOc
sfLTcNy/espidpAs2O4KNtrCYZ4Ou8+EoW+KKBYyAtlmd4kQgPG5tPfSR/2FM0Ji
mk+mfnJ3eoYcjeIapmLajvZ10zrNWSsrlmxdo0KTnxss9cnZ7C/lKmdy2HsS3bYF
Hm1i30GTtvZRLgEZjpinGRck+4QDZSuSLwNdirbex7oSzyxC88UviRvPjMq+bvcR
wfbFYuE6GplSKKmWWj3a4slcdEsXEguvtVPCHdSBmn5/lWxbTRmw68khKV8yhzbQ
hO5eQoErK0ZoijmwxNSjZRcxJMPpgPzN+JtH8Rq/4L19JAdEqJCvWOPU86/iqr1i
uebkQCDYYXyAtrTClcB8vJ5kiBHfcYuy11O8uPQvv097QFEMHXbimYTmgDlPBYDz
vtRHAdirjm7393Lp8ko9cn4yeFlsyVHJocbMWADWIB+1cpDfGfDPA0dFwqE2HU4b
IMuJLhaHW22aHIn5OIHu
=KoLf
-----END PGP SIGNATURE-----
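Added example, not code from either poster: a small Python replay of the
four exchanges Chris asks for, run through a minimal cookie jar, to show
how the hostname switch he mentions (a 302 from "virtual1" to
"testsitex.site.io") makes the client stop sending the session cookie and
the server hand out a fresh one. The hostnames, paths and cookie values in
the transcript are constructed; treating the "ib" cookie as the session id
is an assumption drawn from the quoted Set-Cookie header.

```python
"""Replay a login workflow through a minimal cookie jar and report the step
at which the session cookie stops travelling with the requests.
Added example for this thread, not code from the original posts.  The jar covers
only the RFC 6265 scoping rules that matter here (host, path, expiry); TRANSCRIPT
is constructed, and "ib" being the session cookie is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str               # host that set it, or the Domain attribute
    host_only: bool           # no Domain attribute -> exact host match only
    path: str
    expires: Optional[datetime]


class CookieJar:
    def __init__(self):
        self.cookies = {}     # (domain, path, name) -> Cookie

    def store(self, set_cookie, request_url, now):
        """Parse one Set-Cookie header the way a client would and keep it."""
        host = urlsplit(request_url).hostname.lower()
        first, *attrs = [p.strip() for p in set_cookie.split(";")]
        name, _, value = first.partition("=")
        c = Cookie(name.strip(), value.strip(), host, True, "/", None)
        for attr in attrs:
            key, _, val = attr.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "path" and val.startswith("/"):
                c.path = val
            elif key == "domain" and val:
                c.domain, c.host_only = val.lstrip(".").lower(), False
            elif key == "expires":
                exp = parsedate_to_datetime(val)
                # a "-0000" zone parses as naive; clients treat it as UTC
                c.expires = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
            elif key == "max-age":
                c.expires = now + timedelta(seconds=int(val))
            # HttpOnly only hides the cookie from script; it does not affect sending
        self.cookies[(c.domain, c.path, c.name)] = c
        return c

    def cookies_for(self, url, now):
        """Cookies a client would put in the Cookie header of a request to url."""
        parts = urlsplit(url)
        host, path = parts.hostname.lower(), parts.path or "/"
        sent = {}
        for c in self.cookies.values():
            if c.expires is not None and c.expires <= now:
                continue                                 # expired
            if host != c.domain and (c.host_only or not host.endswith("." + c.domain)):
                continue                                 # wrong host
            if path != c.path and not path.startswith(c.path.rstrip("/") + "/"):
                continue                                 # wrong path
            sent[c.name] = c.value
        return sent


def diagnose(transcript, session_cookie, now):
    """Return (step, method, url, status, session_value_sent, note) per request."""
    jar, report = CookieJar(), []
    for step, (method, url, status, headers) in enumerate(transcript, 1):
        sent = jar.cookies_for(url, now)
        held = any(c.name == session_cookie for c in jar.cookies.values())
        notes = []
        if held and session_cookie not in sent:
            notes.append("client holds the session cookie but its scope does not cover this URL")
        for key, val in headers:
            if key.lower() != "set-cookie":
                continue
            c = jar.store(val, url, now)
            if c.name != session_cookie:
                continue
            if session_cookie in sent and sent[session_cookie] != c.value:
                notes.append("server replaced the session id it was given")
            elif held and session_cookie not in sent:
                notes.append("server started a fresh session")
        report.append((step, method, url, status, sent.get(session_cookie), "; ".join(notes)))
    return report


NOW = datetime(2015, 1, 30, 15, 52, 35, tzinfo=timezone.utc)   # the quoted Date header
LATER = NOW + timedelta(minutes=10)                             # past the cookie's Expires
SESSION_COOKIE = "ib"                                           # assumed session id cookie
# Constructed transcript of the four exchanges; the cross-host 302 in step 3 is the culprit
TRANSCRIPT = [
    ("GET", "http://virtual1/app/secure/", 302, [("Location", "http://virtual1/app/login")]),
    ("GET", "http://virtual1/app/login", 200,
     [("Set-Cookie", "ib=sess-A; path=/; expires=Fri, 30 Jan 2015 15:57:35 -0000; HttpOnly")]),
    ("POST", "http://virtual1/app/login", 302, [("Location", "http://testsitex.site.io/app/secure/")]),
    ("GET", "http://testsitex.site.io/app/secure/", 302,
     [("Location", "http://testsitex.site.io/app/login"), ("Set-Cookie", "ib=sess-B; path=/; HttpOnly")]),
]
```

Running diagnose(TRANSCRIPT, SESSION_COOKIE, NOW) shows the cookie being
sent on step 3 and missing on step 4, with a note that the stored cookie is
scoped to "virtual1" and so never reaches "testsitex.site.io", where the
server answers with a new "ib" value and another redirect to the login
page. The same jar also reproduces the two other usual suspects for a
lost session, a Path attribute narrower than the protected resource and an
Expires a few minutes out, by feeding it the real Set-Cookie line and the
real request URLs from a capture.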

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org