Allen,

Just adding [SOLVED] to the subject for the benefit of those searching
the archives. To recap, the cookie path was wrong.

-chris

Williams, Allen wrote:
> OK, I have FOUND the problem, and for the continued edification of the
> community will share my results, as well as ask one more question that
> hopefully some of you gurus can answer.
>
> Yes, it had to do with the path. When I went back and associated this
> servlet with a valid path "used" path but still without the "CheckUser"
> involved, updating through my mod_jk.conf, my web.xml for the mappings,
> and, of course, the script itself, it picked up the right session id and
> the world is good.
>
> Now, for the question: how is this ancillary information stored? When I
> look at the cookie in Firebug or print it out in the servlet, all I see
> is "JSESSIONID=blah, blah, blah", but when I look at it in Web
> Developer, I see the path associated with it, the expiration date, and
> other info. Where is that stored, and can it be accessed (like the
> path, for instance) in a servlet or script?
>
> THANKS FOR ALL THE HELP!!!
>
> Thanks, and Regards,
> ________________________
>
>> Yeah, I'm already sending some stuff over by URL anyway, but there seems
>> to be some concern floating around the net regarding session hijacking
>> if the session ID is readily available. However, although I wouldn't
>> pretend to be an expert.
>>
>> Anyway, I took Christopher's advice, and deleted all the cookies, even
>> restarted my browser (it's been running for several days), and did some
>> testing. I now have two (2!) JSESSIONID's in my browser, as well as
>> userid and password cookies, but on the server side, it says no cookies
>> were sent.
>>
>> And, I finally found the "Headers" section under "Net" in Firebug. As
>> near as I can decipher this, all my requests are sending a JSESSIONID
>> cookie *except* the one for the XMLHttpRequest. The first time running
>> after deleting all the cookies, that request doesn't have any cookies.
>> Because a session gets created, from that point forward it has the
>> session it created with it sent back in the request header, but, of
>> course, that session doesn't have any of the attributes stored in it.
>> Looking at these cookies with the WebDeveloper tools in Firefox, the
>> difference is that the new one created during the XMLHttpRequest is
>> associated with a "/" path, the other one (the "real" one) with
>> "/myAppName" path.
>>
>> Is it possible the difference in these path associations has something
>> to do with not finding the session? I do use a different URL mapping
>> for this servlet because of a "CheckUser" problem I had way back that
>> started this whole chain.
>>
>> Next step is to download Frank's http://www.omnytex.com/test.zip and get
>> that to work (also, I see what you mean by Headers under Firebug
>> Console, now, too- it is also repeated under Firebug Net).
>>
>>> -----Original Message-----
>>> From: Christopher Schultz [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, May 22, 2007 10:04 AM
>>> To: Tomcat Users List
>>> Subject: Re: Session IDs & XMLHttpRequests
>>>
>>> Allen,
>>>
>>> Williams, Allen wrote:
>>>> Will it work with POST as well as GET? Although I guess I'll soon find
>>>> out;-)
>>>
>>> It should work equally well with GET and POST. The browser should send
>>> cookies with every type of request (not just GET and POST).
>>>
>>> I strongly encourage you to make arrangements for non-cookie-using
>>> people. When you emit the HTML (and javascript) to make your
>>> XMLHttpRequest, try making the URL dynamic and running it through
>>> HttpServletResponse.encodeURL to add the jsessionid to the
>>> URL if necessary.
>>>
>>> This will make your application a little more friendly to those who
>>> either don't have cookies available (usually an IT policy in an office
>>> or something) or who choose to turn them off. I find this to be
>>> courteous to your users.
>>>
>>> Just my .02.
>>>
>>> -chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
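
Added example (not part of the original thread, and not Tomcat code): a JavaScript sketch of the RFC 6265 path-match rule behind the symptom above, run over the two JSESSIONID cookies the thread describes. The browser keeps Path and Expires in its own cookie store and sends only name=value pairs in the Cookie request header, which is why the servlet sees just "JSESSIONID=..."; the cookie values and the /ajax/lookup URL are constructed for illustration, and a missing Path is defaulted to "/" as a simplification.

```javascript
// RFC 6265 section 5.1.4: does a stored cookie's Path cover the request path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary: /myAppName must not match /myAppNameOther.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Parse one Set-Cookie response header into the record the browser stores.
// Simplification (assumption): a missing Path defaults to "/" here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: "/" };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() === "path" && val.startsWith("/")) cookie.path = val;
    else if (key.toLowerCase() === "expires") cookie.expires = val;
  }
  return cookie;
}

// Build the Cookie request header: attributes stay in the jar, only
// name=value pairs go on the wire, cookies with longer paths first.
function cookieHeaderFor(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample: the "real" session cookie and the one created by the
// XMLHttpRequest servlet, as seen in the browser's cookie store.
const jar = [
  "JSESSIONID=AAAA1111; Path=/myAppName",
  "JSESSIONID=BBBB2222; Path=/",
].map(parseSetCookie);

// Hypothetical request paths: a page inside the app, a servlet mapped
// outside it, and a look-alike prefix that must not match /myAppName.
for (const p of ["/myAppName/page.jsp", "/ajax/lookup", "/myAppNameOther/x"]) {
  console.log(p, "->", cookieHeaderFor(jar, p));
}
```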