Re: a cookie question of one Server with two tomcat server
Bon,

Bon wrote:
> I've monitored the value of cookies with debug mode at server running, and the cookie values were set to the new values. I'm not sure what effect of setting the session as invalidate and setting new cookie values, I think set session as invalidate was telling the server this session should be invalidated, and set cookies as new values was telling the client browser to set the new value to cookies, what I think as that, and I'm not sure do I right or wrong?!

Calling session.invalidate() invalidates the session. The servlet specification makes no demands about deleting any cookies on the client side, so my guess is that Tomcat does not go through the trouble of sending a dead cookie back to the client.

If you want to kill the cookies on the client side, you are welcome to do so. I'm just suggesting that it is not necessary to remove those cookies unless you /really/ want to.

In terms of invalidating the session and getting new values afterward, consider this scenario:

1. User logs into your application and is assigned a session, which sends a JSESSIONID cookie to their browser.
2. The user logs out of your application. The session is invalidated, and your code deletes the JSESSIONID cookie by sending a JSESSIONID cookie with maxage=0 and issues a redirect to the client.
3. The client deletes the cookie due to #2 and then redirects to the new URL.
4. The new URL requires a session and so a new JSESSIONID cookie is created and sent to the client.

#4 can happen a number of ways, but in my experience the most common way is to send the user to a JSP that has not yet session=false in the @page directive. In this case, the session is created whether you need it or not.

> Why I attempt to delete the cookie from client's machine, that is a requirement from my designer, and I don't know why and I don't need to know (I've asked why do that before)

Hah. Probably some security requirement.

> The redirection is a complicated linking flow, and I'm sure it was properly, because it was working well after I changed the logout URL path. Why we do that from a main site redirect to second site and finally redirect back to the main site, that is because we want the both sites to clean up their own cookies when logout was requested.

This is reasonable.

> Now, I still don't know why I must change the logout URL path (the URL path of cookies modifier) same as the login URL path (the URL path of cookie creator) when I was through the main site to second site, and they are at same host by different server port number. But if I just open a new browser and to request the second site logout URL (with different URL path), then the cookies of second site could be expired by this request!

I'm not sure I fully understand what you're saying, here. Just to clear a few things up, cookies contain:

1. A URL path that is used to identify which URLs should get the cookie
2. A name and value
3. Expiration information

Let's say you have two JSESSIONID cookies for your two applications, hosted at the same site on the same port. Here's what they might look like (values removed because they are irrelevant):

Cookie 1: url=http://www.mydomain.com/first; expiration=-1; name=JSESSIONID
Cookie 2: url=http://www.mydomain.com/second; expiration=-1; name=JSESSIONID

Note that the cookies are identical except for the url: one says first while the other says second.

If you are visiting /second, the cookie from /first will not be sent by the client. The opposite is also true for visiting /first: the cookie for /second will not be sent.

If you need to remove the cookies from both sites, you'll need to either

1. Send two cookies on logout and hope that your client allows one site to expire another site's cookies (which probably won't work).

or

2. Expire one cookie, then redirect to the other app and repeat the process (which is what you're doing in your application).

I don't understand the logout URL and login URL need to be the same thing you're talking about above, though.

Hope that helps,
-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
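
The path scoping described above, as an added example that is not part of the original thread: a small JavaScript model of a browser cookie store following RFC 6265, showing that a cookie set without a Path is stored under the directory of the URL that set it and is only expired by a Set-Cookie that resolves to that same path. The host, URL paths and the `userToken` cookie name are constructed for illustration.

```javascript
// Minimal model of browser cookie storage per RFC 6265 (sections 5.1.4, 5.3).
// Host, paths and the cookie name are constructed for illustration.

// Default Path for a Set-Cookie that has no Path attribute:
// the request path up to, but not including, its right-most "/".
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// Path-match: is a cookie stored under cookiePath sent to requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() {
    this.store = new Map(); // keyed by host + name + path
  }

  // Apply one Set-Cookie from the response to a request for requestPath.
  setCookie(host, requestPath, name, value, attrs = {}) {
    const path = attrs.path || defaultPath(requestPath);
    const key = [host, name, path].join("\n");
    if (attrs.maxAge !== undefined && attrs.maxAge <= 0) {
      // Max-Age=0 removes only the cookie with this exact name, host and path.
      this.store.delete(key);
    } else {
      this.store.set(key, { host, name, value, path });
    }
  }

  // Cookies the browser would attach to a request for host + requestPath.
  cookiesFor(host, requestPath) {
    return [...this.store.values()]
      .filter((c) => c.host === host && pathMatches(requestPath, c.path))
      .map((c) => `${c.name}; Path=${c.path}`);
  }
}

function demo() {
  const host = "www.example.test";
  const r = {};

  // Login response sets the cookie without a Path attribute.
  const jar = new CookieJar();
  jar.setCookie(host, "/second/login/do", "userToken", "abc");
  r.stored = jar.cookiesFor(host, "/second/login/home");

  // Logout lives in another directory: the cookie is not even sent there,
  // and a Path-less Max-Age=0 targets /second/logout, not /second/login.
  r.sentToLogout = jar.cookiesFor(host, "/second/logout/do");
  jar.setCookie(host, "/second/logout/do", "userToken", "", { maxAge: 0 });
  r.leftAfterOtherDir = jar.cookiesFor(host, "/second/login/home").length;

  // Logout in the same directory as login: default paths agree.
  jar.setCookie(host, "/second/login/out", "userToken", "", { maxAge: 0 });
  r.leftAfterSameDir = jar.cookiesFor(host, "/second/login/home").length;

  // Explicit Path on both creation and expiry works from any URL.
  const jar2 = new CookieJar();
  jar2.setCookie(host, "/second/login/do", "userToken", "abc", { path: "/second" });
  jar2.setCookie(host, "/second/logout/do", "userToken", "", { maxAge: 0, path: "/second" });
  r.leftWithExplicitPath = jar2.cookiesFor(host, "/second/login/home").length;
  return r;
}

console.log(demo());
```

In servlet terms, a `Cookie` taken from `request.getCookies()` normally carries no path, because browsers send back only the name and value. Calling `setPath()` with the value used at creation before `setMaxAge(0)` and `addCookie()` makes the expiry independent of which URL handles logout.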
Re: a cookie question of one Server with two tomcat server
Hi Christopher,

Thank you for your answer. I've monitored the value of cookies with debug mode at server running, and the cookie values were set to the new values. I'm not sure what effect of setting the session as invalidate and setting new cookie values, I think set session as invalidate was telling the server this session should be invalidated, and set cookies as new values was telling the client browser to set the new value to cookies, what I think as that, and I'm not sure do I right or wrong?!

Why I attempt to delete the cookie from client's machine, that is a requirement from my designer, and I don't know why and I don't need to know (I've asked why do that before)

The redirection is a complicated linking flow, and I'm sure it was properly, because it was working well after I changed the logout URL path. Why we do that from a main site redirect to second site and finally redirect back to the main site, that is because we want the both sites to clean up their own cookies when logout was requested.

Now, I still don't know why I must change the logout URL path (the URL path of cookies modifier) same as the login URL path (the URL path of cookie creator) when I was through the main site to second site, and they are at same host by different server port number. But if I just open a new browser and to request the second site logout URL (with different URL path), then the cookies of second site could be expired by this request!

Best regards,
Bon

--
View this message in context: http://www.nabble.com/a-cookie-question-of-one-Server-with-two-tomcat-server-tp20355052p20414674.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: a cookie question of one Server with two tomcat server
Bon,

Bon wrote:
> the logout Servlet will do something as following:
> 1. set the cookies maxAge to 0 and add them into response again.
>    cookie.setMaxAge(0);
>    response.addCookie(cookie);
> 2. set the session to invalidate
>    request.getSession().invalidate();
> 3. response.sendRedirect(redirectTo);
>    redirectTo is the URL of second site's logout link.
>
> then the client browser will redirect to second site's logout URL, and it is a Struts Action, and this logout Action will do something as following:
> 1. set the session to invalidate
> 2. set the cookie maxAge to 0 and add them into response again.
>    cookies[i].setMaxAge(0);
>    response.addCookie(cookies[i]);
> 3. forward to a logout default display page.
> 4. direct to main site some page by form submit in default logout display page.

You should check to make sure that new cookies are not replacing the old cookies immediately after the invalidate() has been called.

Also note that calling setMaxAge before calling invalidate() is not particularly useful: the cookie is expired when you call session.invalidate() so you can clean up your code a bit.

Why are you bothering to attempt to delete the cookie from the client's machine?

> and I found the cookie of main site was removed but the second site did not!

Are you sure that your redirection is working properly? I would also look in your cookie cache to see what the details of the remaining cookie are. Could you post those?

-chris
Re: a cookie question of one Server with two tomcat server
Bon,

Bon wrote:
> In my environment there are two tomcat server running with different port in one server, and both two must set its own cookies into client

Are you talking about JSESSIONID cookies, or some other ones?

> now, when I open a browser and browse both site and I can find two site write their own cookie into my computer, but when I logout from both two sites

How do you logout from these sites?

> (they will expire their own cookies)

How do they expire their cookies?

> with same browser, but the cookies of one site did not be removed, does anyone know what is it going on? and how can I solve this problem?

Are you observing the cookies being re-sent to the server after they should have been expired, or are you seeing them listed in your browser's active cookie list?

-chris
Re: a cookie question of one Server with two tomcat server
Hi Christopher,

I'm not sure what's difference of JSESSIONID cookies and javax.servlet.http.Cookie, I think they are the same thing right? or some other difference details what I don't know.

When a client user click logout link from the main site web page, the logout link is main site's logout Servlet URL, and the logout Servlet will do something as following:

1. set the cookies maxAge to 0 and add them into response again.
   cookie.setMaxAge(0);
   response.addCookie(cookie);
2. set the session to invalidate
   request.getSession().invalidate();
3. response.sendRedirect(redirectTo);
   redirectTo is the URL of second site's logout link.

Then the client browser will redirect to second site's logout URL, and it is a Struts Action, and this logout Action will do something as following:

1. set the session to invalidate
2. set the cookie maxAge to 0 and add them into response again.
   cookies[i].setMaxAge(0);
   response.addCookie(cookies[i]);
3. forward to a logout default display page.
4. direct to main site some page by form submit in default logout display page.

Then done this logout process, and I found the cookie of main site was removed but the second site did not! When I use the same browser instance to visit second site's logout, and the cookies of second site still did not be removed! But, if I open a new browser and to visit the second site's logout then the cookies of second could be removed!

I need give user a single link to finish the main and second site's logout, so I try to do what I did, but it did not work like what I want! Do I do something wrong and can you give me some idea to do that or some other useful information.

Thank you for your help~
Bon
RE: a cookie question of one Server with two tomcat server
> From: Bon [mailto:[EMAIL PROTECTED]
> Subject: Re: a cookie question of one Server with two tomcat server
>
> I'm not sure what's difference of JSESSIONID cookies and javax.servlet.http.Cookie,

JSESSIONID is the specific cookie called out by the servlet spec to be used for tracking sessions between client and server. Instances of javax.servlet.http.Cookie can be any cookie you care to use, not just JSESSIONID. The servlet container (Tomcat, for our purposes) is responsible for managing JSESSIONID, but a webapp can return any number of cookies to the client for whatever purpose it chooses.

> 1. set the cookies maxAge to 0

What cookie are you referring to? JSESSIONID or one of your own?

- Chuck
RE: a cookie question of one Server with two tomcat server
Hi Caldarale,

I just set my own cookies' maxAge to 0, if I also set the JSESSIONID to 0 maybe could solve my problem right? I'll try it.

Thank you for your answer.

Bon
RE: a cookie question of one Server with two tomcat server
Hi Caldarale,

I'm so naive. I've tried to set the JSESSIONID's max-age to 0, and my second site still did not expire its own cookie from client. I guess that is an issue about client or because I can check the second site's cookie from Server side and logging each cookie's value to make sure what cookie I've set max-age to 0, but the cookies in client also stay here...

Does anybody can give me some idea, some information, and what should I do right now :-((

Best regards,
Bon
RE: a cookie question of one Server with two tomcat server
Hi all,

I've solved my problem, but I'm not sure why it could be worked. I found the second site's logout URL with a different path of login URL (cookie writer), then I change the config setting to change the logout URL path to same as login, then the cookies of second site was expired by logout. I don't understand why the original link (with another path) could be worked without main site. And I didn't set path into my cookies, so I'm not sure why I did change the second site logout link path could be worked! Why? Anybody can tell me why!

Best regards,
Bon