Tomcat 8.0.30 Session lost

2016-01-08 Thread Thomas Scheffler
Hi, I have a very rare problem regarding session handling. It is reproducible only on a single server environment. Of course this is the productive server. I use container authentication and for simplicity 'tomcat-user.xml'. Login is done via HttpServletRequest.login() method, whenever I

Re: Tomcat 8.0.30 Session lost

2016-01-08 Thread Konstantin Kolinko
2016-01-08 19:02 GMT+03:00 Christopher Schultz: > Thomas, > > On 1/8/16 8:00 AM, Thomas Scheffler wrote: >> On 08.01.16 at 11:43, Olaf Kock wrote: >>> Is there any chance that the first and correctly authenticated cookies >>> (despite the debug output

Re: Tomcat 8.0.30 Session lost

2016-01-08 Thread Olaf Kock
Is there any chance that the first and correctly authenticated cookies (despite the debug output "secure=false") are https-only cookies and won't get transmitted in http, thus triggering new sessions? E.g. any chance they get rewritten at another level (Apache httpd, ServletFilter, others) to be

Re: Tomcat 8.0.30 Session lost

2016-01-08 Thread Thomas Scheffler
On 08.01.16 at 11:43, Olaf Kock wrote: Is there any chance that the first and correctly authenticated cookies (despite the debug output "secure=false") are https-only cookies and won't get transmitted in http, thus triggering new sessions? E.g. any chance they get rewritten at another level

Re: Tomcat 8.0.30 Session lost

2016-01-08 Thread Thomas Scheffler
On 08.01.16 at 14:03, André Warnier (tomcat) wrote: Hi Thomas. It is a bit difficult to figure out where the problem really is, without having the full picture of what is going on (your web.xml configuration, the order and precise timing in which requests really happen etc.). But one thing I

Re: Tomcat 8.0.30 Session lost

2016-01-08 Thread tomcat
On 08.01.2016 10:07, Thomas Scheffler wrote: Hi, I have a very rare problem regarding session handling. It is reproducible only on a single server environment. Of course this is the productive server. I use container authentication and for simplicity 'tomcat-user.xml'. Login is done via

Re: Tomcat 8.0.30 Session lost

2016-01-08 Thread Christopher Schultz
Thomas, On 1/8/16 8:00 AM, Thomas Scheffler wrote: > On 08.01.16 at 11:43, Olaf Kock wrote: >> Is there any chance that the first and correctly authenticated cookies >> (despite the debug output "secure=false") are https-only cookies and >> won't get transmitted in http, thus triggering new