Hi, in helping a colleague diagnose another problem for another servlet, I was using PsiProbe, and I noticed that it has session diagnostics. Doh! I promptly fired up PsiProbe on my Tomcat server, returning to this JSESSIONID issue, and watched the session get created as part of a password challenge page, and one thing jumped out at me: The session attribute we are creating to hold the flag to indicate the session is "interrupted"... is not serializable... which I think means that, when the new session is created as part of session fixation protection, the "interrupted" flag won't transfer to the new session.
So... I *think* what I might need to do is set a marker for our request class that it implements Serializable.
http://stackoverflow.com/questions/7444463/how-do-i-make-the-session-data-serializable

I'll let you know if this works out.
--Hardy

________________________________________
From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Thursday, September 10, 2015 10:39 AM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID

Mark,

On 9/9/15 9:43 PM, Pottinger, Hardy J. wrote:
> It doesn't matter which Authenticator is installed, they all behave
> the same way. The user name from httpd is used to populate the
> remote user name and the user principal and the user principal
> being set is what bypasses most of the authentication code.
>
> All of the authenticators will cache the Principal in the session
> if one exists but none of them (apart from FORM) should ever create
> one.
>
> The authenticator you will get will depend on whatever is in
> web.xml.

So, it looks like there is no auth-type specified in web.xml, so what does the app get? It looks like *something* is in there, given the stack trace provided.
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
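The pattern discussed above (a password-challenge page that parks an "interrupted" marker in the session, then renews the session ID on authentication), as an added example that is not code from the thread or from any project it mentions. Two things a practitioner would want to see beside it: Tomcat's changeSessionIdOnAuthentication uses the Servlet 3.1 HttpServletRequest.changeSessionId() call, which swaps the identifier but keeps the same session object and all its attributes, so a marker survives it whether or not it is Serializable; Serializable does matter when a PersistentManager swaps sessions to disk, when sessions are saved across a restart, or when a cluster replicates them, and a non-serializable attribute is silently left behind there. The listener below is the check for that: it warns the moment a non-Serializable value is bound, instead of at persist time. The servlet path, attribute names, init parameter and the InterruptedRequest class are assumptions for illustration; the package is javax.servlet (Tomcat 8/9; Tomcat 10+ uses jakarta.servlet).

```java
import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

// Added example, not from the thread. Servlet path and attribute names are hypothetical.
@WebServlet("/challenge")
public class PasswordChallengeServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(PasswordChallengeServlet.class.getName());
    static final String INTERRUPTED = "app.interrupted";      // hypothetical attribute name
    static final String AUTHENTICATED = "app.authenticated";  // hypothetical attribute name

    /** The "interrupted" marker. Serializable so session persistence/replication can carry it. */
    public static final class InterruptedRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String originalUri;
        InterruptedRequest(String originalUri) { this.originalUri = originalUri; }
        String getOriginalUri() { return originalUri; }
    }

    /** Check: warn as soon as a non-Serializable value is bound into any session. */
    @WebListener
    public static final class SerializableCheck implements HttpSessionAttributeListener {
        @Override public void attributeAdded(HttpSessionBindingEvent e) { check(e.getName(), e.getValue(), e.getSession()); }
        // For a replace, getValue() is the OLD value; read the new one from the session.
        @Override public void attributeReplaced(HttpSessionBindingEvent e) {
            check(e.getName(), e.getSession().getAttribute(e.getName()), e.getSession());
        }
        @Override public void attributeRemoved(HttpSessionBindingEvent e) { }
        private static void check(String name, Object value, HttpSession s) {
            if (value != null && !(value instanceof Serializable)) {
                LOG.warning("session " + s.getId() + " attribute '" + name + "' is "
                        + value.getClass().getName() + ", which is not Serializable");
            }
        }
    }

    /** Step 1: park the original target in the session and show the challenge form. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(true);
        session.setAttribute(INTERRUPTED, new InterruptedRequest(safeTarget(req.getParameter("target"))));
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print("<form method='post'>Password: <input type='password' name='password'>"
                + "<input type='submit' value='Continue'></form>");
    }

    /** Step 2: verify the password, renew the session ID, resume the interrupted request. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        Object marker = session == null ? null : session.getAttribute(INTERRUPTED);
        if (!(marker instanceof InterruptedRequest)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "no pending challenge");
            return;
        }
        if (!passwordOk(req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Session fixation protection: a fresh identifier, same session object (Servlet 3.1).
        String oldId = session.getId();
        String newId = req.changeSessionId();
        LOG.info("authenticated; session id " + oldId + " renewed as " + newId);
        // The marker is still present after the ID change; re-read it to show that.
        InterruptedRequest resume = (InterruptedRequest) req.getSession(false).getAttribute(INTERRUPTED);
        session.removeAttribute(INTERRUPTED);
        session.setAttribute(AUTHENTICATED, Boolean.TRUE);   // Boolean is Serializable
        resp.sendRedirect(resume.getOriginalUri());
    }

    /** Only accept a local path as the resume target, so the redirect cannot be pointed off-site. */
    private static String safeTarget(String t) {
        return (t != null && t.startsWith("/") && !t.startsWith("//") && !t.startsWith("/\\")) ? t : "/";
    }

    /** Placeholder for the real credential check: constant-time compare against an init parameter. */
    private boolean passwordOk(String supplied) {
        String expected = getServletConfig().getInitParameter("challenge.password"); // hypothetical
        if (supplied == null || expected == null) return false;
        return MessageDigest.isEqual(supplied.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }
}
```

If the application instead implements fixation protection by hand with invalidate() followed by getSession(true), the attributes are not carried over automatically and have to be copied into the new session explicitly; that copy is a plain reference copy, so Serializable is still only required for persistence and replication, not for the hand-off itself.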