Re: Different session id per page
Jerry,

On 12/31/11 5:44 PM, Jerry Malcolm wrote:
> Chuck, the sessionCookiePath link you referenced says that all web apps can use the same cookie path (/). That means that several independent web applications will have to share the same session object, right? I have no problem with that if that really works. Just want to confirm that I am indeed understanding this correctly. There's no problem with several webapps sharing a common session object?

I would *highly* recommend against combining URL spaces of different webapps. If you just want to map your /orders webapp to /, then that's fine, but if you have separate webapps, you're going to want to keep the cookie paths distinct from each other. To do otherwise will cause all kinds of problems with webapps trashing each other's JSESSIONID cookie values.

Another option would be to set the cookie name. You can do that in recent versions of Tomcat. Check the Context documentation for how to do it.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Different session id per page
On 1:59 PM, Jerry Malcolm wrote:
> Thanks, Tim. But that wasn't the problem. I've figured out what's happening. But I'm even more confused about how to move forward knowing that now.
>
> I've got a relatively simple situation. I have three pages that I am mapping to clean URLs in httpd mod_rewrite.
>
> /cart = /order/jsp/guest/cart.jsp
> /locateaccount = /order/jsp/guest/locateaccount.jsp
> /checkout = /order/jsp/guest/checkout.jsp
>
> I looked at my Firefox cookies, and I have a cookie for /order. It makes sense that /order would be the cookie that's sent back from TC, since that's the URL that TC sees. It's obvious to me now that when Firefox requests the page /locateaccount it has no cookie to send for /locateaccount, since the cookie it should be sending is labeled /order, and Firefox has no knowledge of the /order prefix.
>
> OK, it's clear what's happening. But am I just out of luck? My client has requested clean URLs. But this has been nothing but a headache from the start. Am I missing something really obvious? Is there any possible way to configure TC such that the three URLs above, with the URL mappings as described, can keep track of one session?
>
> How does TC decide what path to store the session id cookie under? Again, I saw a cookie for /order. But I also saw a cookie for another webapp for /idmanager/jsp/user. I don't want to change all my urls to /order/cart, /order/checkout, etc. only to find out TC might send /order/jsp/guest for the session path in some situation.
>
> If there was a way to tell TC to use / as the path, that would work in this case. But in the broader picture, I have more than one web app on this host. There are separate sessions for each webapp, right? So in that case the browser couldn't keep them separate if they were all mapped to /, right?
>
> Bottom line... is the mapping above with a single session possible?
>
> Thx
>
> Jerry
>
> On Sat, Dec 31, 2011 at 1:28 AM, Tim Watts t...@cliftonfarm.org wrote:
>> On Sat, 2011-12-31 at 00:33 -0600, Jerry Malcolm wrote:
>>> I have a web app that's worked for years. I had to go in and do some renovations on it due to a few new requirements. Now for some reason, I'm getting a new/different session id for each page. It's easy to see that's what's happening since I use the sessionid for a log file name. Where I used to get one log file when clicking through a series of pages, I now get a bunch of logging files. This is a problem since I store data in the session object between pages. And now the pages cannot find the data.
>>>
>>> This is on TC 7. The only major thing I'm doing differently now that I can figure might affect it is I'm using mod_rewrite in apache httpd. But I'm grasping at straws. I really don't see how mod_rewrite would be preventing session data from passing through. Or could it? The way I understand it, it's simply a session key that's passed back and forth as a cookie, right?
>>
>> The session ID could also be embedded in the URL and perhaps mod_rewrite is dropping it. You could compare the access logs in httpd vs tomcat (enable them in tomcat if necessary).
>>
>>> Any ideas why I'm losing my sessions on each page?
>>>
>>> Thx
>>>
>>> Jerry

Hi, Jerry-

It seems like you could simplify things if you mapped:

/order/jsp/guest/cart.jsp to /order/cart
/order/jsp/guest/locateaccount.jsp to /order/locateaccount
/order/jsp/guest/checkout.jsp to /order/checkout

Apparently, /order is the context path for these pages which, I believe, is the default for the cookie session path. These mappings could be defined in web.xml which would eliminate the need for URL rewriting.

-Terence Bandoian

Re: Different session id per page
Jerry Malcolm wrote:
> Andre,
>
> In mod_rewrite it talks about setting a cookie when a rewrite rule hit occurs. But I can't find anything about back-translation of cookie paths. Was that what you meant? Still not sure how that would work. Seems like I would need a way to tell the browser that URLs /cart, /locateaccount, /checkout all use the /order cookie. How would that work?

In perl (programming language) circles, we use the TIMTOWTDI acronym to mean "there is more than one way to do it", which is true for most things in perl. To connect Apache and Tomcat, this applies too, which does not make for easy or short explanations.

By now, you already got a few hints from Chuck and Rainer and others, but here is the grand scheme:

To proxy requests from Apache to Tomcat, there are 3 methods:

a) using mod_proxy and HTTP:
   Apache + mod_proxy + mod_proxy_http -- HTTP(S) protocol -- Tomcat HTTP(S) Connector

b) using AJP:
   b.1) using mod_proxy and AJP:
        Apache + mod_proxy + mod_proxy_ajp -- AJP protocol -- Tomcat AJP Connector
   b.2) using mod_jk and AJP:
        Apache + mod_jk -- AJP protocol -- Tomcat AJP Connector

Each of the above methods has advantages and inconveniences, and its own fan club.

If you are using (a) or (b.1), then you are using mod_proxy at the Apache level, and you have access to the directives which mod_proxy provides, which include the ProxyPassReverseCookiePath directive, which would do exactly what you want. (http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassreversecookiepath)

Also, with the ProxyPass directive, you can do some of the URL rewrite logic which you currently do with mod_rewrite. For example, you can rather easily do things like

    ProxyPass /original/url ajp://tomcat/some/other/url

And if you need more complicated rewriting, you can use mod_rewrite and mod_proxy in succession (mod_rewrite does its thing first, and then mod_proxy proxies).

If you are using (b.2) at the Apache level, then things are a bit more complicated, if you are also using mod_rewrite to rewrite the URLs before proxying the requests to Tomcat. That's because mod_jk itself does not provide a directive that is equivalent to the mod_proxy ProxyPassReverseCookiePath directive. So in that case, you would use another Apache module (mod_headers, see http://httpd.apache.org/docs/2.2/mod/mod_headers.html), to rewrite the Set-Cookie response headers which come back from Tomcat, before they are sent back to the browser. (That is what Rainer was hinting at).

Or, you could do the cookie manipulation at the Tomcat level, which in your case might be the easiest thing to do and is valid no matter how you set up the front-end. (That is what Chuck is talking about, with a complement by Rainer).

Hope this makes things a bit clearer.

Re: Different session id per page
Thanks, Tim. But that wasn't the problem. I've figured out what's happening. But I'm even more confused about how to move forward knowing that now.

I've got a relatively simple situation. I have three pages that I am mapping to clean URLs in httpd mod_rewrite.

/cart = /order/jsp/guest/cart.jsp
/locateaccount = /order/jsp/guest/locateaccount.jsp
/checkout = /order/jsp/guest/checkout.jsp

I looked at my Firefox cookies, and I have a cookie for /order. It makes sense that /order would be the cookie that's sent back from TC, since that's the URL that TC sees. It's obvious to me now that when Firefox requests the page /locateaccount it has no cookie to send for /locateaccount, since the cookie it should be sending is labeled /order, and Firefox has no knowledge of the /order prefix.

OK, it's clear what's happening. But am I just out of luck? My client has requested clean URLs. But this has been nothing but a headache from the start. Am I missing something really obvious? Is there any possible way to configure TC such that the three URLs above, with the URL mappings as described, can keep track of one session?

How does TC decide what path to store the session id cookie under? Again, I saw a cookie for /order. But I also saw a cookie for another webapp for /idmanager/jsp/user. I don't want to change all my urls to /order/cart, /order/checkout, etc. only to find out TC might send /order/jsp/guest for the session path in some situation.

If there was a way to tell TC to use / as the path, that would work in this case. But in the broader picture, I have more than one web app on this host. There are separate sessions for each webapp, right? So in that case the browser couldn't keep them separate if they were all mapped to /, right?

Bottom line... is the mapping above with a single session possible?

Thx

Jerry

On Sat, Dec 31, 2011 at 1:28 AM, Tim Watts t...@cliftonfarm.org wrote:
> On Sat, 2011-12-31 at 00:33 -0600, Jerry Malcolm wrote:
>> I have a web app that's worked for years. I had to go in and do some renovations on it due to a few new requirements. Now for some reason, I'm getting a new/different session id for each page. It's easy to see that's what's happening since I use the sessionid for a log file name. Where I used to get one log file when clicking through a series of pages, I now get a bunch of logging files. This is a problem since I store data in the session object between pages. And now the pages cannot find the data.
>>
>> This is on TC 7. The only major thing I'm doing differently now that I can figure might affect it is I'm using mod_rewrite in apache httpd. But I'm grasping at straws. I really don't see how mod_rewrite would be preventing session data from passing through. Or could it? The way I understand it, it's simply a session key that's passed back and forth as a cookie, right?
>
> The session ID could also be embedded in the URL and perhaps mod_rewrite is dropping it. You could compare the access logs in httpd vs tomcat (enable them in tomcat if necessary).
>
>> Any ideas why I'm losing my sessions on each page?
>>
>> Thx
>>
>> Jerry

Re: Different session id per page
Jerry Malcolm wrote:
> Thanks, Tim. But that wasn't the problem. I've figured out what's happening. But I'm even more confused about how to move forward knowing that now.
>
> I've got a relatively simple situation. I have three pages that I am mapping to clean URLs in httpd mod_rewrite.
>
> /cart = /order/jsp/guest/cart.jsp
> /locateaccount = /order/jsp/guest/locateaccount.jsp
> /checkout = /order/jsp/guest/checkout.jsp
>
> I looked at my Firefox cookies, and I have a cookie for /order. It makes sense that /order would be the cookie that's sent back from TC, since that's the URL that TC sees. It's obvious to me now that when Firefox requests the page /locateaccount it has no cookie to send for /locateaccount, since the cookie it should be sending is labeled /order, and Firefox has no knowledge of the /order prefix.
>
> OK, it's clear what's happening. But am I just out of luck? My client has requested clean URLs. But this has been nothing but a headache from the start. Am I missing something really obvious?

Maybe. Unless I am mistaken, in mod_rewrite (or mod_proxy), there are directives to rewrite cookie paths too, in the response coming from Tomcat and before they get forwarded back to the browser.

Re: Different session id per page
Andre,

That's good news. I know less than 1% of what I need to know about mod_rewrite. So that is definitely a possibility. I'll do some digging into that.

Thanks so much.

Jerry

On Sat, Dec 31, 2011 at 11:19 AM, André Warnier a...@ice-sa.com wrote:
> Jerry Malcolm wrote:
>> Thanks, Tim. But that wasn't the problem. I've figured out what's happening. But I'm even more confused about how to move forward knowing that now.
>>
>> I've got a relatively simple situation. I have three pages that I am mapping to clean URLs in httpd mod_rewrite.
>>
>> /cart = /order/jsp/guest/cart.jsp
>> /locateaccount = /order/jsp/guest/locateaccount.jsp
>> /checkout = /order/jsp/guest/checkout.jsp
>>
>> I looked at my Firefox cookies, and I have a cookie for /order. It makes sense that /order would be the cookie that's sent back from TC, since that's the URL that TC sees. It's obvious to me now that when Firefox requests the page /locateaccount it has no cookie to send for /locateaccount, since the cookie it should be sending is labeled /order, and Firefox has no knowledge of the /order prefix.
>>
>> OK, it's clear what's happening. But am I just out of luck? My client has requested clean URLs. But this has been nothing but a headache from the start. Am I missing something really obvious?
>
> Maybe. Unless I am mistaken, in mod_rewrite (or mod_proxy), there are directives to rewrite cookie paths too, in the response coming from Tomcat and before they get forwarded back to the browser.

RE: Different session id per page
> From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com]
> Subject: Re: Different session id per page

> If there was a way to tell TC to use / as the path, that would work in this case.

Look at the sessionCookiePath attribute for Context and see if that will help:
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

Re: Different session id per page
Andre,

In mod_rewrite it talks about setting a cookie when a rewrite rule hit occurs. But I can't find anything about back-translation of cookie paths. Was that what you meant? Still not sure how that would work. Seems like I would need a way to tell the browser that URLs /cart, /locateaccount, /checkout all use the /order cookie. How would that work?

On Sat, Dec 31, 2011 at 11:37 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
>> From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com]
>> Subject: Re: Different session id per page
>
>> If there was a way to tell TC to use / as the path, that would work in this case.
>
> Look at the sessionCookiePath attribute for Context and see if that will help:
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
>
> - Chuck

Re: Different session id per page
Chuck, the sessionCookiePath link you referenced says that all web apps can use the same cookie path (/). That means that several independent web applications will have to share the same session object, right? I have no problem with that if that really works. Just want to confirm that I am indeed understanding this correctly. There's no problem with several webapps sharing a common session object? Or is it only the session ID that's common, and each web app still has its own separate namespace for its sessions? So there are still separate sessions. Each one is named xyz, but it's actually 'webapp1-xyz' and 'webapp2-xyz', etc.?

I guess if it works, it works, and I shouldn't care what goes on under the hood. But every time I make that assumption, something jumps up and bites me.

Thx.

On Sat, Dec 31, 2011 at 4:35 PM, Jerry Malcolm 2ndgenfi...@gmail.com wrote:
> Andre,
>
> In mod_rewrite it talks about setting a cookie when a rewrite rule hit occurs. But I can't find anything about back-translation of cookie paths. Was that what you meant? Still not sure how that would work. Seems like I would need a way to tell the browser that URLs /cart, /locateaccount, /checkout all use the /order cookie. How would that work?
>
> On Sat, Dec 31, 2011 at 11:37 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
>>> From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com]
>>> Subject: Re: Different session id per page
>>
>>> If there was a way to tell TC to use / as the path, that would work in this case.
>>
>> Look at the sessionCookiePath attribute for Context and see if that will help:
>> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
>>
>> - Chuck

Re: Different session id per page
On 31.12.2011 18:37, Caldarale, Charles R wrote:
>> From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com]
>> Subject: Re: Different session id per page
>
>> If there was a way to tell TC to use / as the path, that would work in this case.
>
> Look at the sessionCookiePath attribute for Context and see if that will help:
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes

Yes, you can change the path of the session cookie used by Tomcat, and in case you need to change it to /, you can also change the name of the session cookie to make sure you won't run into a conflict with another Java webapp session cookie used on the same server.

The alternative is rewriting the cookie at the reverse proxy (Apache Web Server), using mod_headers or the cookie rewriting feature of mod_proxy. A cookie set by the server (Tomcat) is just a Cookie response header, which you can change dynamically at the reverse proxy to account for reversing your URL rewriting for requests.

Some info about that is also available at
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Rewriting

If you are using mod_proxy, please have a look at the mod_proxy docs.

Regards,

Rainer

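Added example, not part of any message in this thread: a small Python model of browser cookie path matching (RFC 6265) for the URLs discussed above, showing why a JSESSIONID scoped to /order is never sent for /cart, what rewriting the cookie path at the proxy changes, and why two webapps sharing Path=/ need distinct cookie names. The session values and the IDMGRSESSION name are constructed, and rewrite_cookie_path only approximates the effect of ProxyPassReverseCookiePath or a mod_headers edit.

```python
# Added illustration; session values and cookie names are constructed.

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does a cookie with this Path apply to the request?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix must end on a segment boundary: /order does not cover /ordering.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def parse_set_cookie(header):
    """Split 'NAME=value; Path=/x' into (name, value, path).
    Simplification: a missing Path is treated as '/'."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    path = "/"
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "path":
            path = val.strip()
    return name, value, path

def rewrite_cookie_path(header, internal, public):
    """Model of the reverse proxy editing Set-Cookie on the way back to the
    browser: swap the backend path prefix for the public one."""
    name, value, path = parse_set_cookie(header)
    if path.startswith(internal):
        path = public + path[len(internal):]
    return f"{name}={value}; Path={path}"

class Browser:
    """Cookie jar for one host. A cookie is identified by (name, path), so a
    second cookie with the same name and path replaces the first."""
    def __init__(self):
        self.jar = {}

    def store(self, set_cookie):
        name, value, path = parse_set_cookie(set_cookie)
        self.jar[(name, path)] = value

    def cookies_for(self, request_path):
        return {name: value for (name, path), value in self.jar.items()
                if path_match(request_path, path)}

def unmodified():
    """Tomcat scopes the cookie to the context path; the browser asks for /cart."""
    b = Browser()
    b.store("JSESSIONID=A1; Path=/order")
    return b.cookies_for("/cart"), b.cookies_for("/order/jsp/guest/cart.jsp")

def proxy_rewrite():
    """The proxy maps /order to /, so every clean URL carries the session."""
    b = Browser()
    b.store(rewrite_cookie_path("JSESSIONID=A1; Path=/order", "/order", "/"))
    return [b.cookies_for(p) for p in ("/cart", "/locateaccount", "/checkout")]

def shared_root(second_name):
    """Two webapps both scoped to '/': what /cart receives afterwards."""
    b = Browser()
    b.store("JSESSIONID=A1; Path=/")        # the /order webapp
    b.store(f"{second_name}=B2; Path=/")    # another webapp on the same host
    return b.cookies_for("/cart")
```

`shared_root("JSESSIONID")` returns only the second webapp's value, which is the overwrite of one webapp's session cookie by another; with a distinct name both cookies survive, but every webapp on the host then receives every other webapp's session cookie on each request.
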
RE: Different session id per page
> From: Jerry Malcolm [mailto:2ndgenfi...@gmail.com]
> Subject: Re: Different session id per page

> the sessionCookiePath link you referenced says that all web apps can use the same cookie path (/).

They can, but you don't have to use it that way. Each webapp can have its own sessionCookiePath value, unrelated to the URL used to access the webapp.

> That means that several independent web applications will have to share the same session object, right?

No, session objects are still unique per Context (required by the spec).

- Chuck

Re: Different session id per page
On Sat, 2011-12-31 at 00:33 -0600, Jerry Malcolm wrote:
> I have a web app that's worked for years. I had to go in and do some renovations on it due to a few new requirements. Now for some reason, I'm getting a new/different session id for each page. It's easy to see that's what's happening since I use the sessionid for a log file name. Where I used to get one log file when clicking through a series of pages, I now get a bunch of logging files. This is a problem since I store data in the session object between pages. And now the pages cannot find the data.
>
> This is on TC 7. The only major thing I'm doing differently now that I can figure might affect it is I'm using mod_rewrite in apache httpd. But I'm grasping at straws. I really don't see how mod_rewrite would be preventing session data from passing through. Or could it? The way I understand it, it's simply a session key that's passed back and forth as a cookie, right?

The session ID could also be embedded in the URL and perhaps mod_rewrite is dropping it. You could compare the access logs in httpd vs tomcat (enable them in tomcat if necessary).

> Any ideas why I'm losing my sessions on each page?
>
> Thx
>
> Jerry