Re: different jsessionid for different webapps
Pid,

Pid wrote:
> Christopher Schultz wrote:
>> Bottom line: beware deploying applications inside one another's URI spaces.
>
> Do you mean 'inside' as in the (expected) outcome of
>
> app1.war
> app1#part2.war

It's worse than that, because Apache httpd was fronting the whole thing, and each application was in a separate Tomcat instance. Hence, no ability for Tomcat to differentiate between /legit/request/to/app1 and /nonlegit/request/to/app1/app2/whatever.

Basically, I completely shot myself in the foot. ;)

> ... and if not, I wonder what the implications for cookie handling therein are.

Since I was forwarding a cookie from one app to another, and the app first handling the request didn't use sessions at all, so a doubled-up JSESSIONID cookie made it impossible to figure out which one was the right one. Sure, we could have issued a second backend request to the other app, but why bother when your deployment is fubar'd.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: different jsessionid for different webapps
Christopher Schultz wrote:
> Pid,
>
> Pid wrote:
>> Stefano Nichele wrote:
>>> Hi All,
>>> I have a strange (for me?) requirement for my application. Basically I have webapp A deployed in Tomcat A and webapp B deployed in Tomcat B. webappA is the main web application that provides the main web page to the browser. That page contains an IFrame that points to webappB.
>>>
>>> Is there a way to have/use different JSESSIONID for the webapps? I know the browser handles the cookies per hostname, is there a way to handle cookies per path (webapp)?
>>
>> If you've actually deployed two separate webapps then the session ids ought to be different. Session data is not portable between separate webapps.
>
> The only exception would be for applications deployed inside one another's URI spaces. We used to have a situation where we had a ROOT webapp and another one deployed onto /foo (the original application had been deployed to ROOT, and we had to keep it there while deploying another one, too... it was silly and it's since been corrected).
>
> At any rate, we had weird problems with dual cookies being sent. The sessions wouldn't overlap, of course, but we had weirdness with the session being lost sometimes. It was combined with a third application that didn't use sessions at all and forwarded the requested session id behind the scenes back to the main application, and we could never tell which session id to use (because clients don't send the Path along with the JSESSIONID cookie).
>
> Bottom line: beware deploying applications inside one another's URI spaces.

Do you mean 'inside' as in the (expected) outcome of

app1.war
app1#part2.war

?

... and if not, I wonder what the implications for cookie handling therein are.

p

> -chris
Re: different jsessionid for different webapps
Stefano Nichele wrote:
> Hi All,
> I have a strange (for me?) requirement for my application. Basically I have webapp A deployed in Tomcat A and webapp B deployed in Tomcat B. webappA is the main web application that provides the main web page to the browser. That page contains an IFrame that points to webappB.
>
> Is there a way to have/use different JSESSIONID for the webapps? I know the browser handles the cookies per hostname, is there a way to handle cookies per path (webapp)?

If you've actually deployed two separate webapps then the session ids ought to be different. Session data is not portable between separate webapps.

p

> Thanks in advance
> ste
Re: different jsessionid for different webapps
Pid,

Pid wrote:
> Stefano Nichele wrote:
>> Hi All,
>> I have a strange (for me?) requirement for my application. Basically I have webapp A deployed in Tomcat A and webapp B deployed in Tomcat B. webappA is the main web application that provides the main web page to the browser. That page contains an IFrame that points to webappB.
>>
>> Is there a way to have/use different JSESSIONID for the webapps? I know the browser handles the cookies per hostname, is there a way to handle cookies per path (webapp)?
>
> If you've actually deployed two separate webapps then the session ids ought to be different. Session data is not portable between separate webapps.

The only exception would be for applications deployed inside one another's URI spaces. We used to have a situation where we had a ROOT webapp and another one deployed onto /foo (the original application had been deployed to ROOT, and we had to keep it there while deploying another one, too... it was silly and it's since been corrected).

At any rate, we had weird problems with dual cookies being sent. The sessions wouldn't overlap, of course, but we had weirdness with the session being lost sometimes. It was combined with a third application that didn't use sessions at all and forwarded the requested session id behind the scenes back to the main application, and we could never tell which session id to use (because clients don't send the Path along with the JSESSIONID cookie).

Bottom line: beware deploying applications inside one another's URI spaces.

-chris
Re: different jsessionid for different webapps
Actually, you should have the path set in the cookie, too. Verify by looking at your browser cookies.

Be sure not to have something like:

    emptySessionPath=true

in the connector definition in server.xml (usually we have to set it to true because when not set or set to false we have errors due to security checks made by DWR on cross-domain scripting).

On Friday 23 January 2009 18:35:11 Stefano Nichele wrote:
> Hi All,
> I have a strange (for me?) requirement for my application. Basically I have webapp A deployed in Tomcat A and webapp B deployed in Tomcat B. webappA is the main web application that provides the main web page to the browser. That page contains an IFrame that points to webappB.
>
> Is there a way to have/use different JSESSIONID for the webapps? I know the browser handles the cookies per hostname, is there a way to handle cookies per path (webapp)?
>
> Thanks in advance
> ste
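
Added example, not part of any message in the thread: a small JavaScript model of how a browser selects cookies by path and why the server cannot tell two JSESSIONID values apart, covering the nested ROOT plus /foo deployment, sibling context paths, and emptySessionPath=true. The session ids, paths and helper names are constructed, every cookie is assumed to share one hostname, and path matching follows RFC 6265 section 5.1.4.

```javascript
// RFC 6265 section 5.1.4 path-match: does a cookie scoped to cookiePath apply to requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Store a cookie the way a browser does: same name + path replaces the old value.
// Assumption: the domain is identical for every cookie in this model.
function setCookie(jar, name, value, path) {
  const kept = jar.filter(c => !(c.name === name && c.path === path));
  return [...kept, { name, value, path }];
}

// Build the Cookie request header: name=value pairs only, longer paths first.
// The Path attribute is never sent back to the server.
function cookieHeaderFor(jar, requestPath) {
  return jar
    .filter(c => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length)
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Server-side check: every value received for the session cookie name.
// More than one candidate means the request is ambiguous.
function sessionIdCandidates(header, name = "JSESSIONID") {
  return header.split(";")
    .map(pair => pair.trim())
    .filter(pair => pair.startsWith(name + "="))
    .map(pair => pair.slice(name.length + 1));
}

// Constructed session ids for three deployments on one hostname.
function jarFor(cookies) {
  return cookies.reduce((jar, [value, path]) => setCookie(jar, "JSESSIONID", value, path), []);
}
const nested = jarFor([["ROOT-1111", "/"], ["FOO-2222", "/foo"]]);   // ROOT webapp plus /foo
const separate = jarFor([["A-3333", "/appA"], ["B-4444", "/appB"]]); // sibling context paths
const emptyPath = jarFor([["A-3333", "/"], ["B-4444", "/"]]);        // emptySessionPath=true

console.log(cookieHeaderFor(nested, "/foo/page"));     // JSESSIONID=FOO-2222; JSESSIONID=ROOT-1111
console.log(cookieHeaderFor(separate, "/appB/frame")); // JSESSIONID=B-4444
console.log(cookieHeaderFor(emptyPath, "/appA/main")); // JSESSIONID=B-4444
```

In the last case webapp A receives the id issued by webapp B, because both cookies were stored with Path=/ and the second replaced the first.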