Re: Session Invalidate not working on HTTPS ( Tomcat 6.0.29 )

Tue, 30 Nov 2010 05:56:33 -0800 

>> > Follows an extract form a test servlet:
>> >         HttpSession s = req.getSession();
>> >         if (s==null) {
>> >             System.out.println(mt+":Session is null");
>> >         } else {
>> >             System.out.println(mt+":Session id="+s.getId()+"\t
>> > New="+s.isNew());
>> >         }
>> >         System.out.println("pre- invalidate");
>> >         s.invalidate();
>> >         System.out.println("post- invalidate: id="+s.getId());
>> >         s = req.getSession(true);
>> >         System.out.println("post- get new: id="+s.getId());
>>
>> Okay, what does the above servlet print when you access it via HTTP, and
>> then access it via HTTPS?
>>
>
> HTTP Output:
> POST:Session id=F5FAF6115F7BA37ECDA22299C9B3B4BC     New=true
> pre- invalidate
> sessionDestroyed [F5FAF6115F7BA37ECDA22299C9B3B4BC] <-- this log is printed
> by a HttpSessionListener
> post- invalidate: id=F5FAF6115F7BA37ECDA22299C9B3B4BC
> sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by
> a HttpSessionListener
> post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>
> We can notice that the session id after the GetSession(true) is different
> from the previous one.
>
> HTTPS Output:
> POST:Session id=36BA1CCC7AEC8A9808027D57B6A5A52A     New=false
> pre- invalidate
> sessionDestroyed [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed
> by a HttpSessionListener
> post- invalidate: id=36BA1CCC7AEC8A9808027D57B6A5A52A
> sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by
> a HttpSessionListener
> post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>
> In this case the session id is always the same!
>

Do you, by a chance, have emptySessionPath=true on your Connector?

> I saw that between release 28
> and 29 the following class has been changed but i'm not able to debug it.
> java\org\apache\catalina\connector\Response.java (method
> addSessionCookieInternal)

http://wiki.apache.org/tomcat/FAQ/Developing

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to