Luke McMahon wrote:
> Thanks again P,

Can you include the source of /index.html and /members/index.html (is it html or JSP?)

p

> Yeah I actually already had the meta tags at the top, and modified everything
> to match your example exactly. I also tried using separate login and error
> pages with no noticeable difference.
> Here are the http responses to the member page GET. I'm not well versed in
> this stuff, but it seems like the cache-control info is ok but it thinks the
> page has not been modified when the re-login fails:
>
>
> Success:
> ---------------------
> http://localhost:8080/members/
>
> GET /members/ HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6)
> Gecko/20070725 Firefox/2.0.0.6
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://localhost:8080/members/
> Cookie: JSESSIONID=533286C2B979BBF186A7D69AAAE33746
> Cache-Control: max-age=0
>
> HTTP/1.x 200 OK
> Server: Apache-Coyote/1.1
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 10:00:00 EST
> Etag: W/"2807-1188956843361"
> Last-Modified: Wed, 05 Sep 2007 01:47:23 GMT
> Content-Type: text/html
> Content-Length: 2807
> Date: Wed, 05 Sep 2007 02:03:55 GMT
>
>
>
> Failure:
> -----------------------------
> http://localhost:8080/members/
>
> GET /members/ HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6)
> Gecko/20070725 Firefox/2.0.0.6
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://localhost:8080/members/
> Cookie: JSESSIONID=FF03B0286AA97B1A603A05A1E402728D
> Cache-Control: max-age=0
>
> HTTP/1.x 304 Not Modified
> Server: Apache-Coyote/1.1
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 10:00:00 EST
> Etag: W/"2807-1188956843361"
> Date: Wed, 05 Sep 2007 02:04:23 GMT
>
>
>> Date: Wed, 5 Sep 2007 09:46:53 +0100
>> From: [EMAIL PROTECTED]
>> To: users@tomcat.apache.org
>> Subject: Re: Problem with form based JSP authentication using Firefox with
>> Tomcat
>>
>> Are you saying you tried what I suggested, or that you have already
>> tried it? It seems like the problem is a caching issue to me.
>>
>> What URL are you trying to access to trigger the login - you're not
>> accessing the login.jsp directly are you? (I have to ask...)
>>
>>
>> In the second instance the browser is setting JSESSIONID as a cookie,
>> instead of as a URL parameter, but that shouldn't make a difference.
>> The response.encodeURL method only encodes the URL with JSESSIONID if it
>> can't see the same value in a cookie in the request.
>>
>> The value of JSESSIONID *may* change with each new session, but it won't
>> be created until you hit a JSP. So the first time it's only created
>> when you hit login.jsp, where it's encoded in the URL because no
>> previous session id was found in the URL or cookie.
>>
>> The cookie still exists locally after you logout, until you close the
>> browser down, so it's not added to the URL the second time round, but as
>> the existing ID is an invalid session it triggers the authentication valve.
>>
>>
>>
>> You should compare the server response headers rather than the request
>> headers, to see if the server is correctly sending the Cache-Control info.
>>
>>
>>
>> p
>>
>>
>> Luke McMahon wrote:
>>> Thanks p (hope this is formatted better!)
>>>
>>> I tried this without success. I've attached the livehttpheader output
>>> below. What seems to happen in Firefox is the first time I go to the login
>>> page, it passes the jsessionid to j_security_check.
>>> If I then invalidate the session, and go to log in again, it calls
>>> j_security_check without this identifier. This might be why I'm not getting
>>> redirected to the member page, but I'm not sure of that.
>>> Like I said, this works fine in IE, but firefox still seems to either be
>>> losing its bundle after the session is invalidated or incorrectly caching
>>> the login page as the member page I'm trying to access.
>>>
>>> I've just cut and pasted the differences between the headers of the
>>> successful login, and the unsuccessful login (ie. no redirect).
>>>
>>> Success:
>>> ---------------------------------
>>> http://localhost:8080/members/
>>>
>>> GET /members/ HTTP/1.1
>>> Host: localhost:8080
>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6)
>>> Gecko/20070725 Firefox/2.0.0.6
>>> Accept:
>>> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> Accept-Language: en-us,en;q=0.5
>>> Accept-Encoding: gzip,deflate
>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>> Keep-Alive: 300
>>> Connection: keep-alive
>>> Referer: http://localhost:8080/index.htm
>>>
>>> Failure:
>>> ------------------------------------
>>> http://localhost:8080/members/
>>>
>>> GET /members/ HTTP/1.1
>>> Host: localhost:8080
>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6)
>>> Gecko/20070725 Firefox/2.0.0.6
>>> Accept:
>>> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> Accept-Language: en-us,en;q=0.5
>>> Accept-Encoding: gzip,deflate
>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>> Keep-Alive: 300
>>> Connection: keep-alive
>>> Referer: http://localhost:8080/index.htm
>>> Cookie: JSESSIONID=533286C2B979BBF186A7D69AAAE33746
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
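The advice in the thread to compare the server response headers rather than the request headers, worked through as an added example that is not part of the original messages: it parses the two response header blocks Luke posted and reports what differs between them. The function names `parse_response` and `compare` are hypothetical; the sample data is copied from the thread's captures.

```python
# Added example; parse_response/compare are hypothetical names. Sample data is from the thread.
SUCCESS = """\
HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
Etag: W/"2807-1188956843361"
Last-Modified: Wed, 05 Sep 2007 01:47:23 GMT
Content-Type: text/html
Content-Length: 2807
Date: Wed, 05 Sep 2007 02:03:55 GMT
"""

FAILURE = """\
HTTP/1.x 304 Not Modified
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
Etag: W/"2807-1188956843361"
Date: Wed, 05 Sep 2007 02:04:23 GMT
"""

def parse_response(raw):
    """Return (status_code, {lowercased-header: value}) for one header block."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers

def compare(a, b, ignore=("date",)):
    """Summarise how response b differs from response a."""
    (sa, ha), (sb, hb) = parse_response(a), parse_response(b)
    keys = (set(ha) | set(hb)) - set(ignore)
    return {
        "status": (sa, sb),
        "only_in_first": sorted(k for k in keys if k in ha and k not in hb),
        "only_in_second": sorted(k for k in keys if k in hb and k not in ha),
        "changed": sorted(k for k in keys if k in ha and k in hb and ha[k] != hb[k]),
        # A 304 carries no body: the browser renders the copy it already stored.
        # no-cache forces revalidation but, unlike no-store, still permits storing.
        "second_from_cache": sb == 304,
        "storage_allowed": "no-store" not in hb.get("cache-control", "").lower(),
    }
```

Calling `compare(SUCCESS, FAILURE)` shows that the caching headers are identical in both responses and that the only differences are the status code and the entity headers absent from the 304.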