Re: Session ids (netscape)

2001-02-07 Thread Peter Alfors

Sorry to keep this post going on, and on, and on...
But I am still pretty confused.

I am attempting to disable the cookies on the server side by using the
"noCookies" attribute in the RequestInterceptor as follows:

 <RequestInterceptor
     className="org.apache.tomcat.request.SessionInterceptor"
     noCookies="true"/>

My simple web page:

 <HTML>
 <BODY>
   Session Id: <%= session.getId() %>
 </BODY>
 </HTML>

I call this page directly in the address bar.  So I should not have to worry
about any url encoding before this page.

On Windows NT:
IE:
- Works fine.
Netscape 4.7:
- the two browsers show the same session Id.
Netscape 6:
- I am unable to get more than one browser started without using
file --> new
- This causes the two browsers to have the same Id.  (This I
expected).
On Linux:
Netscape 6:
- I am able to start two browser sessions with DIFFERENT Ids.

If I disable cookies in Netscape (4.7 & 6), within the browser itself, they
both work fine.  However, this is not a valid option for us.  We cannot
ask/force the user to change the settings on his browser in order to safely
use our product.

Is this "NoCookies" attribute in Tomcat, somehow not effective in the
Windows environment?
Am I missing something?

Pete

Kurt Bernhard Pruenner wrote:

 Peter Alfors wrote:
  When I run this, the session id's are still the same for two separate
  instances of netscape 4.7. (both instances started from the desktop).
  What am I missing to force the session id's to be different?

 I assume from your headers that you're using windows - at least in
 Windows, starting Netscape thru a link doesn't spawn another copy of
 Netscape, but in fact just notifies the already running Netscape process
 to spawn another window, and since all those windows share the same
 cookies, there's no way of starting 2 separate sessions using cookies.

 It would, however, be possible with URL rewriting, so you'd need to
 disable the use of cookies either on the client or on the server side...

 --
 Kurt Bernhard Pruenner --- Haendelstrasse 17 --- 4020 Linz --- Austria
 Music: http://www.mp3.com/Leak --- Work: http://www.ssw.uni-linz.ac.at
 ...It might be written "Mindfuck", but it's spelt "L-A-I-N"...
 np: Vladislav Delay - Raamat (Multila)

 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, email: [EMAIL PROTECTED]




Re: Session ids (netscape)

2001-02-07 Thread Craig R. McClanahan

Peter Alfors wrote:

 Sorry to keep this post going on, and on, and on...
 But I am still pretty confused.

 I am attempting to disable the cookies on the server side by using the
 "noCookies" attribute in the RequestInterceptor as follows:

  <RequestInterceptor
      className="org.apache.tomcat.request.SessionInterceptor"
      noCookies="true"/>

 My simple web page:

  <HTML>
  <BODY>
    Session Id: <%= session.getId() %>
  </BODY>
  </HTML>

 I call this page directly in the address bar.  So I should not have to worry
 about any url encoding before this page.

 On Windows NT:
 IE:
 - Works fine.
 Netscape 4.7:
 - the two browsers show the same session Id.
 Netscape 6:
 - I am unable to get more than one browser started without using
 file --> new
 - This causes the two browsers to have the same Id.  (This I
 expected).
 On Linux:
 Netscape 6:
 - I am able to start two browser sessions with DIFFERENT Ids.

 If I disable cookies in Netscape (4.7 & 6), within the browser itself, they
 both work fine.  However, this is not a valid option for us.  We cannot
 ask/force the user to change the settings on his browser in order to safely
 use our product.

 Is this "NoCookies" attribute in Tomcat, somehow not effective in the
 Windows environment?
 Am I missing something?


The "no cookies" attribute tells Tomcat not to use cookies for session
management.  However, you are facing a fundamental *client* restriction --
Netscape always runs all its windows as a single process on Windows platforms,
and there is absolutely nothing that the server can do about that.

If you are able to turn off cookies, you can cause Netscape windows to have
different sessions, but the user can still foil you if they right-click on a
hyperlink (with embedded session id) and select "open link in new window".  You
are back in the same boat again.

The safe solution (and the only solution if you cannot control whether the user
uses cookies or not) is to program your app to deal with the "two windows / one
session" problem.  One approach to this would be to embed a hidden variable in
each form that is essentially a "sub-session" identifier.


 Pete


Craig McClanahan
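
The hidden "sub-session" identifier suggested above, sketched as an added example (not code from this thread or from Tomcat). The class SubSessions and the field names subId and seq are assumptions, and a plain object stands in for a session attribute; the per-form sequence number goes beyond the suggestion and is one way for the server to notice a second window it cannot observe directly.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
// Added illustration; SubSessions, subId and seq are hypothetical names.
// One instance stands in for an object stored as an attribute of ONE HttpSession.
public class SubSessions {
    private static final SecureRandom RNG = new SecureRandom();
    // State that belongs to one browser window, not to the whole session.
    static final class Window {
        long newestSeq = 0;                          // number of the newest form rendered
        final Map<String, String> data = new HashMap<>();
    }
    private final Map<String, Window> windows = new HashMap<>();

    // A request arrives with no (or an unknown) subId: start a new sub-session.
    public String open() {
        String subId = new BigInteger(128, RNG).toString(16); // hex, safe to embed in HTML
        windows.put(subId, new Window());
        return subId;
    }

    // Rendering a form: number it and return the hidden fields to embed in it.
    public String hiddenFields(String subId) {
        Window w = windows.get(subId);
        if (w == null) throw new IllegalArgumentException("unknown sub-session");
        w.newestSeq++;
        return "<input type=\"hidden\" name=\"subId\" value=\"" + subId + "\">"
             + "<input type=\"hidden\" name=\"seq\" value=\"" + w.newestSeq + "\">";
    }

    // Submit: accept only the newest form of a known sub-session. A stale seq means
    // the form came from a cloned window, the back button, or an edited request.
    public boolean accept(String subId, long seq, String key, String value) {
        Window w = windows.get(subId);
        if (w == null || seq != w.newestSeq) return false;
        w.data.put(key, value);
        return true;
    }

    public static void main(String[] args) {
        SubSessions session = new SubSessions();     // two windows, one shared session
        String a = session.open(), b = session.open();
        session.hiddenFields(a);                     // window A shows form 1
        session.hiddenFields(b);                     // window B shows form 1
        System.out.println("A submits form 1: " + session.accept(a, 1, "order", "A-100"));
        System.out.println("B submits form 1: " + session.accept(b, 1, "order", "B-200"));
        session.hiddenFields(a);                     // a clone of window A loads form 2
        System.out.println("A resubmits form 1: " + session.accept(a, 1, "order", "late"));
    }
}
```

In a servlet the object would be fetched from the session on each request, and subId and seq read from the submitted form parameters.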







Re: Session ids (netscape)

2001-02-07 Thread Peter Alfors



"Craig R. McClanahan" wrote:


 The safe solution (and the only solution if you cannot control whether the user
 uses cookies or not) is to program your app to deal with the "two windows / one
 session" problem.  One approach to this would be to embed a hidden variable in
 each form that is essentially a "sub-session" identifier.

I guess I'm not seeing where this sub-session identifier is being generated, how it
links us to the correct session,
and what it is doing for us on the form?

Also, at what point do we KNOW that a new window has been created?

Again, sorry that I am having so much trouble getting this concept into my head.
Thanks for all the help so far.

Pete





Re: Session ids (netscape)

2001-02-06 Thread Jim Crossley

Hi Peter,

Unfortunately, there's no foolproof way to do what you're trying to do. 
The limitation is imposed on the client-side.  Your success depends on
how much control you have over your users, i.e. it becomes a training
issue.

A good description of the issues involved is on page 134 of Hans
Bergsten's book, _JavaServer_Pages_.

Your best bet is to force tomcat to always use session rewriting instead
of cookies (assuming that's possible), but even that's not entirely
foolproof.

Good luck.

Peter Alfors wrote:
 
 Hello all,
 
 I originally posted a question about session ids on the struts-user
 list, but then realized that this is a better question for this list.
 Thanks for all the info about session ids (craig, gary, steven,
 etc).  I hate to beat a dead horse, but I have ANOTHER question on
 session ids.
 
 I have changed to the tomcat server.xml to turn off cookies.
  <RequestInterceptor
      className="org.apache.tomcat.request.SessionInterceptor"
      noCookies="true"/>
 
 This is my complete jsp page:
 
 <HTML>
 <BODY>
   Session Id: <%= session.getId() %>
 </BODY>
 </HTML>
 
 I am using Tomcat 3.2.1 stand-alone.
 
 When I run this, the session id's are still the same for two separate
 instances of netscape 4.7. (both instances started from the desktop).
 What am I missing to force the session id's to be different?
 
 Any help would be immensely appreciated,
 Pete
 
 "Kramer, Gary" wrote:
 
 
 
 
  When I try Netscape4.7, it gives me different sessions IDs.  As I
  understand it, the session id is assigned by Tomcat (i.e.
  jsessionid=asdkfjl), not by the browsers.   If you disable cookie use
  in Tomcat and there is no jsessionid parameter in the URL, then Tomcat
  cannot link your request to any session and therefore has no choice
  but to create a new session.
 
  Your explanation of using <html:link> and rewriting within a session
  is exactly what I'm doing (or trying to do).  I also put in some
  defensive code to determine if the user messed with the URL or created
  a new browser with the same URL.  I put code in my Form bean's reset
  method to double check that the request that is coming in actually
  applies to the object the user was last working on.  This also defends
  against some of the problems caused by hitting the back and forward
  buttons.  Still, very annoying.
 
  -Original Message-
  From: Peter Alfors
  To: [EMAIL PROTECTED]
  Sent: 2/1/01 5:11 PM
  Subject: Re: session ids cont...
 
  I added the "noCookies" attribute and set it to "true".  However, the two
  instances of Netscape 4.7 still show that they are using the same session.
  I.E. 5.0 does display different session ID still.
 
  see notes below...
 
  "Craig R. McClanahan" wrote:
 
   Peter Alfors wrote:
  
"Kramer, Gary" wrote:
   



 I had similar problems.  You need to turn off the use of Cookies on
 your server (in Tomcat this setting is in server.xml).   When the user
 opens 2 browsers, they will always have different session ids in both
 IE and Netscape since the first URL they will use will not have a
 session id included.

   
How do I turn off the use of cookies in the server.xml?  I only see one
location where cookies are mentioned.
<!-- Request processing -->
<!-- Session interceptor will extract the session id from cookies and
     deal with URL rewriting ( by fixing the URL )
  -->
<RequestInterceptor
    className="org.apache.tomcat.request.SessionInterceptor"
/>
   
Do I comment out this section?
   
  
   For Tomcat 3.2.1 there is a noCookies attribute on this entry that defaults
   to "false".  You need to set it to "true":

   <RequestInterceptor
       className="org.apache.tomcat.request.SessionInterceptor"
       noCookies="true"/>
  
   NOTE:  Using URL rewriting does *not* catch every case of multiple windows
   sharing session ids.  Consider that the user can right-click on a hyperlink
   (containing the session id) and select "Open in New Window".  Because the
   hyperlink being clicked had a session id in it already, the new window will
   still be part of the old session -- so your app logic needs to be ready to
   deal with this.
  
 
  So it sounds like what I am looking for is to get the browser instances (IE and
  Netscape) to generate unique session ids. Then, I need to perform URL-rewriting
  for all of my links within the webapp.  This will solve my problem if the user
  has opened up multiple browser instances (from the desktop, not through file
  --> new --> Window).
  I can use the <html:link> tag to accomplish this throughout the site.

  However, I will also need to add some sort of "smarts" to the app to handle the
  possibility that the user opened a new browser instance from the (file
  --> new --> Window) option.
 
  Am I on the right track?  (sorry if I sound so 

RE: Session ids (netscape)

2001-02-06 Thread CPC Livelink Admin


Yep, since it has no JSessionID on the url, it must (by definition) be
without a session, so Tomcat creates one for it.

-Original Message-
From: Peter Alfors [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 06, 2001 4:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Session ids (netscape)


Thanks for the response.  From the messages below, it appears that problem
is
not client-side.
It sounds like if a 'jsessionid' is not passed with the request, then Tomcat
will create a new session.
Is this correct?

Pete

Jim Crossley wrote:

 Hi Peter,

 Unfortunately, there's no foolproof way to do what you're trying to do.
 The limitation is imposed on the client-side.  Your success depends on
 how much control you have over your users, i.e. it becomes a training
 issue.

 A good description of the issues involved is on page 134 of Hans
 Bergsten's book, _JavaServer_Pages_.

 Your best bet is to force tomcat to always use session rewriting instead
 of cookies (assuming that's possible), but even that's not entirely
 foolproof.

 Good luck.

 Peter Alfors wrote:
 
  Hello all,
 
  I originally posted a question about session ids on the struts-user
  list, but then realized that this is a better question for this list.
  Thanks for all the info about session ids (craig, gary, steven,
  etc).  I hate to beat a dead horse, but I have ANOTHER question on
  session ids.
 
  I have changed to the tomcat server.xml to turn off cookies.
   <RequestInterceptor
       className="org.apache.tomcat.request.SessionInterceptor"
       noCookies="true"/>
 
  This is my complete jsp page:
 
  <HTML>
  <BODY>
    Session Id: <%= session.getId() %>
  </BODY>
  </HTML>
 
  I am using Tomcat 3.2.1 stand-alone.
 
  When I run this, the session id's are still the same for two separate
  instances of netscape 4.7. (both instances started from the desktop).
  What am I missing to force the session id's to be different?
 
  Any help would be immensely appreciated,
  Pete
 
  "Kramer, Gary" wrote:
 
  
  
  
   When I try Netscape4.7, it gives me different sessions IDs.  As I
   understand it, the session id is assigned by Tomcat (i.e.
   jsessionid=asdkfjl), not by the browsers.   If you disable cookie use
   in Tomcat and there is no jsessionid parameter in the URL, then Tomcat
   cannot link your request to any session and therefore has no choice
   but to create a new session.
  
   Your explanation of using <html:link> and rewriting within a session
   is exactly what I'm doing (or trying to do).  I also put in some
   defensive code to determine if the user messed with the URL or created
   a new browser with the same URL.  I put code in my Form bean's reset
   method to double check that the request that is coming in actually
   applies to the object the user was last working on.  This also defends
   against some of the problems caused by hitting the back and forward
   buttons.  Still, very annoying.
  
   -Original Message-
   From: Peter Alfors
   To: [EMAIL PROTECTED]
   Sent: 2/1/01 5:11 PM
   Subject: Re: session ids cont...
  
   I added the "noCookies" attribute and set it to "true".  However, the two
   instances of Netscape 4.7 still show that they are using the same session.
   I.E. 5.0 does display different session ID still.
  
   see notes below...
  
   "Craig R. McClanahan" wrote:
  
Peter Alfors wrote:
   
 "Kramer, Gary" wrote:

 
 
 
  I had similar problems.  You need to turn off the use of Cookies on
  your server (in Tomcat this setting is in server.xml).   When the user
  opens 2 browsers, they will always have different session ids in both
  IE and Netscape since the first URL they will use will not have a
  session id included.
 

 How do I turn off the use of cookies in the server.xml?  I only see one
 location where cookies are mentioned.
 <!-- Request processing -->
 <!-- Session interceptor will extract the session id from cookies and
      deal with URL rewriting ( by fixing the URL )
   -->
 <RequestInterceptor
     className="org.apache.tomcat.request.SessionInterceptor"
 />

 Do I comment out this section?

   
For Tomcat 3.2.1 there is a noCookies attribute on this entry that defaults
to "false".  You need to set it to "true":

<RequestInterceptor
    className="org.apache.tomcat.request.SessionInterceptor"
    noCookies="true"/>
   
NOTE:  Using URL rewriting does *not* catch every case of multiple windows
sharing session ids.  Consider that the user can right-click on a hyperlink
(containing the session id) and select "Open in New Window".  Because the
hyperlink being clicked had a session id in it already, the new
  

Re: Session ids (netscape)

2001-02-06 Thread Kurt Bernhard Pruenner

Peter Alfors wrote:
 When I run this, the session id's are still the same for two separate
 instances of netscape 4.7. (both instances started from the desktop).
 What am I missing to force the session id's to be different?

I assume from your headers that you're using windows - at least in
Windows, starting Netscape thru a link doesn't spawn another copy of
Netscape, but in fact just notifies the already running Netscape process
to spawn another window, and since all those windows share the same
cookies, there's no way of starting 2 separate sessions using cookies.

It would, however, be possible with URL rewriting, so you'd need to
disable the use of cookies either on the client or on the server side...

-- 
Kurt Bernhard Pruenner --- Haendelstrasse 17 --- 4020 Linz --- Austria
Music: http://www.mp3.com/Leak --- Work: http://www.ssw.uni-linz.ac.at
...It might be written "Mindfuck", but it's spelt "L-A-I-N"...
np: Vladislav Delay - Raamat (Multila)
