On 08.01.2016 10:07, Thomas Scheffler wrote:
Hi,

I have a very rare problem regarding session handling. It is reproducible only on a single server environment. Of course this is the productive server.

I use container authentication and for simplicity 'tomcat-user.xml'.

Login is done via the HttpServletRequest.login() method, whenever I need to access user and role information. The HttpServletRequest is saved in a ThreadLocal during request processing.

While that normally does the job, there is one servlet that produces simple thumbnails that triggers a problem. Session handling is done via cookies.

A search result page lists several thumbnail images and the browser tries to load them (of course) in parallel.

After the first thumbnail is loaded, the sessionId suddenly changes. As the browser is now submitting the "false" sessionId, new sessions are created and the browser gets that new sessionId in the response. The session from the first request is lost at that point and so are the login credentials.

Why are sessionIds changing during the request?


Here are the logs I produce via a Servlet Filter:

[snip]

Hi Thomas.

It is a bit difficult to figure out where the problem really is, without having the full picture of what is going on (your web.xml configuration, the order and precise timing in which requests really happen etc.). But one thing I would really focus on, is the general overall logic of the application, to see if the order in which things happen is really consistent with the authentication method that you are using. For example, if the initial call to the first page (the one which contains the document links) does not immediately trigger a session authentication, and in the meantime the browser starts making multiple quasi-simultaneous requests for the links present in that page, then things would get out of sync, since when the authentication does happen, the session-id /will/ change (check Wikipedia for "web session fixation"). That would overwrite the session-id cookie, perhaps in the middle of the calls still being made to retrieve the document links mentioned in the page.
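A diagnostic filter for the situation described above, added here as an example and not code from the original thread. It logs, for every request, the session id the browser sent, whether Tomcat still considers it valid, and the id the request ended up with after the chain ran, so that a rotation on authentication (and the parallel thumbnail requests that then arrive with the stale cookie) shows up directly in the log. Class and log text are assumptions; it uses only the standard Servlet 3.x API.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter name; map it in web.xml (or @WebFilter("/*")) ahead of the
// application's own filters so it sees the request before any login() call.
public class SessionRotationFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // What the browser presented (cookie or URL) and whether the container
        // still knows that session. A thumbnail request arriving with the id that
        // was rotated away by a concurrent authentication shows up as "valid=false".
        String requested = request.getRequestedSessionId();
        boolean valid = request.isRequestedSessionIdValid();
        boolean authenticated = request.getUserPrincipal() != null;

        HttpSession before = request.getSession(false);
        String idBefore = before == null ? "none" : before.getId();

        chain.doFilter(req, res);

        // Compare with the session the request actually finished with. If the
        // application called HttpServletRequest.login() in between, the container's
        // session fixation protection normally rotates the id at this point.
        HttpSession after = request.getSession(false);
        String idAfter = after == null ? "none" : after.getId();

        String msg = "uri=" + request.getRequestURI()
                + " requested=" + requested + " valid=" + valid
                + " authenticatedOnEntry=" + authenticated
                + " before=" + idBefore + " after=" + idAfter;
        if (!idBefore.equals(idAfter)) {
            msg += " (session id rotated during this request)";
        } else if (requested != null && !valid) {
            msg += " (stale id from browser, new session created)";
        }
        request.getServletContext().log(msg);
    }
}
```

Reading the log, a rotation entry for the page request followed by "stale id" entries for the thumbnails confirms the sequence the reply describes; checking getUserPrincipal() before calling login() again avoids triggering a second rotation once the session is already authenticated.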



