We had this exact same problem and this issues was discussed previously on another blog. It boiled down to an entry in "WEB-INF/view/jsp/default/ui/includes/top.jsp" where the session was being created each time. In top.jsp, there is a directive "<%@ page session="true" %>". Change that to false or completely remove it and that should solve it.
From: Mahmudul Hasan [mailto:[email protected]] Sent: Wednesday, June 26, 2013 5:38 PM To: [email protected] Subject: [cas-user] Strange bug with JSESSIONID Hi Everyone, I am facing this strange bug regarding JSESSIONID. The symptom is that you have to put your username and password twice, where one login attempt works but the other one does not. 1. When I try to login to CAS and there is no existing JSESSIONID, the login works. 2. But if I have a pre-existing JSESSIONID, then login attempt is responded by a 302 redirect with a SET-Cookie header. With the new JSESSIONID second login attempt works until we logout. It is making me believe that for some reason, CAS cannot access the JSESSIONID. I have also verfied that this error is related to session variables by using URLS instead of cookies for session management. If I set <session-config> <!-- Default to 5 minute session timeouts --> <session-timeout>5</session-timeout> <tracking-mode>URL</tracking-mode> </session-config> in my web.xml to force to pass JSESSIONID as part of URL, then the login works without any error. I am using CAS version 3.5.2, Apache Tomcat 7.0.37 and Java 1.7 on Debian Linux. Has anyone faced an issue like this ? Thanks, Mahmudul Hasan System Engineer, University of Lethbridge. -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
