Hi Nahor,

Nahor wrote:
Hi,

I want my webapp to use "nice" URLs for a user's homepage (e.g. "http://server/user"). Because of that, I need to have an empty path in the session cookie. So far, I've been using "emptySessionPath".

However, "emptySessionPath" uses the session id from a cookie when creating a brand new session. Besides the "session fixation"/phishing problem, this poses problems with mod_jk load-balancing when the user may have an old session cookie in the browser. Let's say the user has the cookie JSESSIONID=xxx.t1, i.e. managed by the Tomcat server T1. Then the user navigates to a specially formatted URL that sends the request to another server (say the Tomcat server T2). Tomcat then creates a new session but, because of the cookie, it names it "xxx.t1" (instead of "yyy.t2"). From now on, all the requests will be sent to server T1 by the load-balancer and they will fail because the session is invalid (since it was really created on T2).

So is there a way to have both session cookies with an empty path and have tomcat use new session id?

First of all, there is a code comment in TC 6:

// FIXME: Code to be used in case route replacement is needed
/*
} else {
    String jvmRoute = getJvmRoute();
    if (getJvmRoute() != null) {
        String requestJvmRoute = null;
        // Everything after the first "." in the requested id is the jvmRoute
        int index = sessionId.indexOf(".");
        if (index > 0) {
            requestJvmRoute =
                sessionId.substring(index + 1, sessionId.length());
        }
        // Replace a foreign route suffix with this node's own jvmRoute
        if (requestJvmRoute != null &&
            !requestJvmRoute.equals(jvmRoute)) {
            sessionId = sessionId.substring(0, index) + "." + jvmRoute;
        }
    }
}
*/

So I think it would make sense to file an enhancement request in bugzilla.

Workaround idea:

A) If Tomcat gets a session cookie with an ID for which it needs to create a new session (emptySessionPath set to true), the new session will indeed have the requested ID, but the information that it is a new session is available via session.isNew(), which in this case will be "true".

B) The second ingredient is determining the jvmRoute of the local node and then checking if it is different from the suffix in the requested id.

C) The third ingredient would be either setting the id of the new session to something different (exchanging the suffix) via a Tomcat Valve (similar to a servlet filter, but gives some more manipulation possibilities for Tomcat objects), or replacing the JSESSIONID cookie with a new one with corrected id and issuing a self-referring redirect (and also maybe deleting the no longer needed interim session).

Ad B): the jvmRoute of the local node could be determined by

- a Tomcat valve
- set the jvmRoute in your startup scripts as a system property -DmyJvmRoute=node01, then you can put a jvmRoute="${myJvmRoute}" in server.xml and retrieve the value of the system property myJvmRoute in your code as usual.

Not a full solution, but combining those should work.

Thanks,
    Nahor

Regards,

Rainer
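As an added example, not part of this thread and not Tomcat's own code: a Tomcat 6 Valve that combines ingredients A and B with the redirect variant of C. It assumes the Valve is declared in server.xml on the Engine or Host (the class name RouteFixValve is made up), that jvmRoute is configured on the Engine, and that session cookies have path "/" because of emptySessionPath.

```java
// Added example (not Tomcat code); the class name RouteFixValve is hypothetical.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import org.apache.catalina.Container;
import org.apache.catalina.Engine;
import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class RouteFixValve extends ValveBase {
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String requested = request.getRequestedSessionId();
        String local = localJvmRoute(request);
        // A cookie-supplied id (A) whose jvmRoute suffix is not ours (B),
        // and for which this node knows no existing session.
        if (requested != null && local != null
                && request.isRequestedSessionIdFromCookie()
                && !local.equals(routeOf(requested))
                && request.getSessionInternal(false) == null) {
            // (C) Expire the stale JSESSIONID and redirect to the same URL. The
            // retried request carries no cookie, so Tomcat generates a fresh id
            // ending in the local jvmRoute instead of reusing "xxx.t1".
            Cookie stale = new Cookie(Globals.SESSION_COOKIE_NAME, "");
            stale.setPath("/");          // same path as emptySessionPath cookies
            stale.setMaxAge(0);          // delete the cookie in the browser
            stale.setSecure(request.isSecure());
            response.addCookie(stale);
            String target = request.getRequestURI();
            if (request.getQueryString() != null) {
                target = target + "?" + request.getQueryString();
            }
            response.sendRedirect(target);
            return;
        }
        getNext().invoke(request, response);
    }

    // jvmRoute suffix of a session id ("xxx.t1" -> "t1"), or null if absent.
    static String routeOf(String sessionId) {
        int dot = sessionId.indexOf('.');
        return dot > 0 ? sessionId.substring(dot + 1) : null;
    }

    // Walk up from the Context to the Engine, where jvmRoute is configured.
    static String localJvmRoute(Request request) {
        Container c = request.getContext();
        while (c != null && !(c instanceof Engine)) c = c.getParent();
        return c == null ? null : ((Engine) c).getJvmRoute();
    }
}
```

With session replication the foreign id is found by getSessionInternal(false) and the Valve passes the request through unchanged; only ids unknown to the local node are reset.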

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org