Re: Apache Logs, Session IDs, and PageExpiredException
What do you mean with sessionid disappears? From the url? Thats basic tomcat, the first urls are with session id but if session cookie works it wont append it to the url, or you really have to tell tomcat that it has to do that everytime. On 17/06/2009, Jeremy Levy jel...@gmail.com wrote: We see a very similar issue: Between one request to another that happen within a matter of seconds / minutes the sessionid disappears. A lot of our traffic is mobile so I assume some of it is crappy browser implementation. We have not been able to reproduce it any meaningful way. We have been able to mitigate the effect on our users by making as many pages as possible bookmarkable as well as including cookie based auto-login. I have seen other things cause this however, if you are using jvmRoute with a node that is down and your don't properly fail over you will consistently get this error. For what it's worth we are using Wicket 1.3.6 (but been anecdotally having the issue since 1.3.0 or earlier) in Tomcat/JBoss 4.2.2. Jeremy On Thu, Jun 11, 2009 at 4:31 PM, Dane Laverty danelave...@gmail.com wrote: Thanks for pointing that out. I've tried some other changes, so I'll wait and see how they work out. However, if the problem persists I'll look into the possibility of it being an HTTPS-related issue. That line of reasoning hadn't ever occurred to me. Dane On Thu, Jun 11, 2009 at 1:09 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: good catch Jason. We have also ran into this when implementing wicket's @RequireHttps annotation, there is a javadoc section in HttpsRequestCycleProtocol that talks about this cookie pain. -igor On Thu, Jun 11, 2009 at 1:03 PM, Jason Leaja...@kumachan.net.nz wrote: I notice there are some secure requests there (https)... so I will now blindly assume you are having the same problem I had in the past... I had a problem with session ids changing when trying to swtich between secure/insecure pages. If your first request to a tomcat server is secure, and a session is created, tomcat will create a secure session id cookie that will only be sent in https requests. If you request a non-secure (http) page request it will not send the cookie, and a new insecure session cookie is created. One way to fix* this is to use a http request filter that checks for new session id cookie creation, and writing a new insecure cookie if a secure one has been created. Something like this: http://forum.springsource.org/archive/index.php/t-65651.html *when I say fix, I mean make the system less secure :) Igor Vaynberg wrote: yes, a changing sessionid will cause a page expired error because the client all of a sudden gets a new blank session. changing session ids can be caused by either session expiration or a manual session invalidation - like during a logout procedure. you have to figure out what causes the session to get dumped and a new one to be created in your application/servlet container. -igor On Thu, Jun 11, 2009 at 9:56 AM, Dane Lavertydanelave...@gmail.com wrote: I'm trying to track down the source of frequent PageExpiredExceptions that we're getting on our deployment server. One of the errors occured at 01:28:06 this morning. In the Apache logs, I discovered that the user's session ID spontaneously changed at that time, (see the change between lines 4 5 below, and then again between lines 11 12). Is that just a coincidence, or would a changing session ID cause the PageExpiredException? And if so, what causes the session ID to change? (I'm using Wicket 1.3.6. I can't replicate the errors in development, which sounds common according to the several PageExpiredException threads. I'm not seeing any sort of serialization errors either.) Thanks for your help! XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/Oregon2.jpg HTTP/1.1 200 22145 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/newVGrad.png HTTP/1.1 200 48736 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/navBoxBottom.jpg HTTP/1.1 200 14140 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /pay%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 HTTP/1.1 302 - -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /foodhandler/login;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 302 263 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8056 -...
Re: Apache Logs, Session IDs, and PageExpiredException
I have my apache log configured to include the cookies. I'm not talking about the URL. Jeremy On Fri, Jun 19, 2009 at 2:51 AM, Johan Compagner jcompag...@gmail.comwrote: What do you mean with sessionid disappears? From the url? Thats basic tomcat, the first urls are with session id but if session cookie works it wont append it to the url, or you really have to tell tomcat that it has to do that everytime. On 17/06/2009, Jeremy Levy jel...@gmail.com wrote: We see a very similar issue: Between one request to another that happen within a matter of seconds / minutes the sessionid disappears. A lot of our traffic is mobile so I assume some of it is crappy browser implementation. We have not been able to reproduce it any meaningful way. We have been able to mitigate the effect on our users by making as many pages as possible bookmarkable as well as including cookie based auto-login. I have seen other things cause this however, if you are using jvmRoute with a node that is down and your don't properly fail over you will consistently get this error. For what it's worth we are using Wicket 1.3.6 (but been anecdotally having the issue since 1.3.0 or earlier) in Tomcat/JBoss 4.2.2. Jeremy On Thu, Jun 11, 2009 at 4:31 PM, Dane Laverty danelave...@gmail.com wrote: Thanks for pointing that out. I've tried some other changes, so I'll wait and see how they work out. However, if the problem persists I'll look into the possibility of it being an HTTPS-related issue. That line of reasoning hadn't ever occurred to me. Dane On Thu, Jun 11, 2009 at 1:09 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: good catch Jason. We have also ran into this when implementing wicket's @RequireHttps annotation, there is a javadoc section in HttpsRequestCycleProtocol that talks about this cookie pain. -igor On Thu, Jun 11, 2009 at 1:03 PM, Jason Leaja...@kumachan.net.nz wrote: I notice there are some secure requests there (https)... so I will now blindly assume you are having the same problem I had in the past... I had a problem with session ids changing when trying to swtich between secure/insecure pages. If your first request to a tomcat server is secure, and a session is created, tomcat will create a secure session id cookie that will only be sent in https requests. If you request a non-secure (http) page request it will not send the cookie, and a new insecure session cookie is created. One way to fix* this is to use a http request filter that checks for new session id cookie creation, and writing a new insecure cookie if a secure one has been created. Something like this: http://forum.springsource.org/archive/index.php/t-65651.html *when I say fix, I mean make the system less secure :) Igor Vaynberg wrote: yes, a changing sessionid will cause a page expired error because the client all of a sudden gets a new blank session. changing session ids can be caused by either session expiration or a manual session invalidation - like during a logout procedure. you have to figure out what causes the session to get dumped and a new one to be created in your application/servlet container. -igor On Thu, Jun 11, 2009 at 9:56 AM, Dane Laverty danelave...@gmail.com wrote: I'm trying to track down the source of frequent PageExpiredExceptions that we're getting on our deployment server. One of the errors occured at 01:28:06 this morning. In the Apache logs, I discovered that the user's session ID spontaneously changed at that time, (see the change between lines 4 5 below, and then again between lines 11 12). Is that just a coincidence, or would a changing session ID cause the PageExpiredException? And if so, what causes the session ID to change? (I'm using Wicket 1.3.6. I can't replicate the errors in development, which sounds common according to the several PageExpiredException threads. I'm not seeing any sort of serialization errors either.) Thanks for your help! XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/Oregon2.jpg HTTP/1.1 200 22145 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/newVGrad.png HTTP/1.1 200 48736 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/navBoxBottom.jpg HTTP/1.1 200 14140 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET
Re: Apache Logs, Session IDs, and PageExpiredException
We see a very similar issue: Between one request to another that happen within a matter of seconds / minutes the sessionid disappears. A lot of our traffic is mobile so I assume some of it is crappy browser implementation. We have not been able to reproduce it any meaningful way. We have been able to mitigate the effect on our users by making as many pages as possible bookmarkable as well as including cookie based auto-login. I have seen other things cause this however, if you are using jvmRoute with a node that is down and your don't properly fail over you will consistently get this error. For what it's worth we are using Wicket 1.3.6 (but been anecdotally having the issue since 1.3.0 or earlier) in Tomcat/JBoss 4.2.2. Jeremy On Thu, Jun 11, 2009 at 4:31 PM, Dane Laverty danelave...@gmail.com wrote: Thanks for pointing that out. I've tried some other changes, so I'll wait and see how they work out. However, if the problem persists I'll look into the possibility of it being an HTTPS-related issue. That line of reasoning hadn't ever occurred to me. Dane On Thu, Jun 11, 2009 at 1:09 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: good catch Jason. We have also ran into this when implementing wicket's @RequireHttps annotation, there is a javadoc section in HttpsRequestCycleProtocol that talks about this cookie pain. -igor On Thu, Jun 11, 2009 at 1:03 PM, Jason Leaja...@kumachan.net.nz wrote: I notice there are some secure requests there (https)... so I will now blindly assume you are having the same problem I had in the past... I had a problem with session ids changing when trying to swtich between secure/insecure pages. If your first request to a tomcat server is secure, and a session is created, tomcat will create a secure session id cookie that will only be sent in https requests. If you request a non-secure (http) page request it will not send the cookie, and a new insecure session cookie is created. One way to fix* this is to use a http request filter that checks for new session id cookie creation, and writing a new insecure cookie if a secure one has been created. Something like this: http://forum.springsource.org/archive/index.php/t-65651.html *when I say fix, I mean make the system less secure :) Igor Vaynberg wrote: yes, a changing sessionid will cause a page expired error because the client all of a sudden gets a new blank session. changing session ids can be caused by either session expiration or a manual session invalidation - like during a logout procedure. you have to figure out what causes the session to get dumped and a new one to be created in your application/servlet container. -igor On Thu, Jun 11, 2009 at 9:56 AM, Dane Lavertydanelave...@gmail.com wrote: I'm trying to track down the source of frequent PageExpiredExceptions that we're getting on our deployment server. One of the errors occured at 01:28:06 this morning. In the Apache logs, I discovered that the user's session ID spontaneously changed at that time, (see the change between lines 4 5 below, and then again between lines 11 12). Is that just a coincidence, or would a changing session ID cause the PageExpiredException? And if so, what causes the session ID to change? (I'm using Wicket 1.3.6. I can't replicate the errors in development, which sounds common according to the several PageExpiredException threads. I'm not seeing any sort of serialization errors either.) Thanks for your help! XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/Oregon2.jpg HTTP/1.1 200 22145 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/newVGrad.png HTTP/1.1 200 48736 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/navBoxBottom.jpg HTTP/1.1 200 14140 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /pay%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 HTTP/1.1 302 - -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /foodhandler/login;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 302 263 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8056 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459
Re: Apache Logs, Session IDs, and PageExpiredException
if your servlet container loses the session there isnt much we can do -igor On Wed, Jun 17, 2009 at 2:55 PM, Jeremy Levyjel...@gmail.com wrote: We see a very similar issue: Between one request to another that happen within a matter of seconds / minutes the sessionid disappears. A lot of our traffic is mobile so I assume some of it is crappy browser implementation. We have not been able to reproduce it any meaningful way. We have been able to mitigate the effect on our users by making as many pages as possible bookmarkable as well as including cookie based auto-login. I have seen other things cause this however, if you are using jvmRoute with a node that is down and your don't properly fail over you will consistently get this error. For what it's worth we are using Wicket 1.3.6 (but been anecdotally having the issue since 1.3.0 or earlier) in Tomcat/JBoss 4.2.2. Jeremy On Thu, Jun 11, 2009 at 4:31 PM, Dane Laverty danelave...@gmail.com wrote: Thanks for pointing that out. I've tried some other changes, so I'll wait and see how they work out. However, if the problem persists I'll look into the possibility of it being an HTTPS-related issue. That line of reasoning hadn't ever occurred to me. Dane On Thu, Jun 11, 2009 at 1:09 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: good catch Jason. We have also ran into this when implementing wicket's @RequireHttps annotation, there is a javadoc section in HttpsRequestCycleProtocol that talks about this cookie pain. -igor On Thu, Jun 11, 2009 at 1:03 PM, Jason Leaja...@kumachan.net.nz wrote: I notice there are some secure requests there (https)... so I will now blindly assume you are having the same problem I had in the past... I had a problem with session ids changing when trying to swtich between secure/insecure pages. If your first request to a tomcat server is secure, and a session is created, tomcat will create a secure session id cookie that will only be sent in https requests. If you request a non-secure (http) page request it will not send the cookie, and a new insecure session cookie is created. One way to fix* this is to use a http request filter that checks for new session id cookie creation, and writing a new insecure cookie if a secure one has been created. Something like this: http://forum.springsource.org/archive/index.php/t-65651.html *when I say fix, I mean make the system less secure :) Igor Vaynberg wrote: yes, a changing sessionid will cause a page expired error because the client all of a sudden gets a new blank session. changing session ids can be caused by either session expiration or a manual session invalidation - like during a logout procedure. you have to figure out what causes the session to get dumped and a new one to be created in your application/servlet container. -igor On Thu, Jun 11, 2009 at 9:56 AM, Dane Lavertydanelave...@gmail.com wrote: I'm trying to track down the source of frequent PageExpiredExceptions that we're getting on our deployment server. One of the errors occured at 01:28:06 this morning. In the Apache logs, I discovered that the user's session ID spontaneously changed at that time, (see the change between lines 4 5 below, and then again between lines 11 12). Is that just a coincidence, or would a changing session ID cause the PageExpiredException? And if so, what causes the session ID to change? (I'm using Wicket 1.3.6. I can't replicate the errors in development, which sounds common according to the several PageExpiredException threads. I'm not seeing any sort of serialization errors either.) Thanks for your help! XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/Oregon2.jpg HTTP/1.1 200 22145 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/newVGrad.png HTTP/1.1 200 48736 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/navBoxBottom.jpg HTTP/1.1 200 14140 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /pay%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 HTTP/1.1 302 - -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /foodhandler/login;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 302 263 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8056 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904
Apache Logs, Session IDs, and PageExpiredException
I'm trying to track down the source of frequent PageExpiredExceptions that we're getting on our deployment server. One of the errors occured at 01:28:06 this morning. In the Apache logs, I discovered that the user's session ID spontaneously changed at that time, (see the change between lines 4 5 below, and then again between lines 11 12). Is that just a coincidence, or would a changing session ID cause the PageExpiredException? And if so, what causes the session ID to change? (I'm using Wicket 1.3.6. I can't replicate the errors in development, which sounds common according to the several PageExpiredException threads. I'm not seeing any sort of serialization errors either.) Thanks for your help! XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/Oregon2.jpg HTTP/1.1 200 22145 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/newVGrad.png HTTP/1.1 200 48736 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/navBoxBottom.jpg HTTP/1.1 200 14140 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /pay%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 HTTP/1.1 302 - -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /foodhandler/login;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 302 263 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8056 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8939 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 1184 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/prototype.js HTTP/1.1 200 47603 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12 HTTP/1.1 200 4623 https://www.foodhandler.org/take-the-test%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:07 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12::: :... XXX.XXX.29.22 - - [11/Jun/2009:01:28:07 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459 https://www.foodhandler.org/%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12::: :...
Re: Apache Logs, Session IDs, and PageExpiredException
yes, a changing sessionid will cause a page expired error because the client all of a sudden gets a new blank session. changing session ids can be caused by either session expiration or a manual session invalidation - like during a logout procedure. you have to figure out what causes the session to get dumped and a new one to be created in your application/servlet container. -igor On Thu, Jun 11, 2009 at 9:56 AM, Dane Lavertydanelave...@gmail.com wrote: I'm trying to track down the source of frequent PageExpiredExceptions that we're getting on our deployment server. One of the errors occured at 01:28:06 this morning. In the Apache logs, I discovered that the user's session ID spontaneously changed at that time, (see the change between lines 4 5 below, and then again between lines 11 12). Is that just a coincidence, or would a changing session ID cause the PageExpiredException? And if so, what causes the session ID to change? (I'm using Wicket 1.3.6. I can't replicate the errors in development, which sounds common according to the several PageExpiredException threads. I'm not seeing any sort of serialization errors either.) Thanks for your help! XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/Oregon2.jpg HTTP/1.1 200 22145 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/newVGrad.png HTTP/1.1 200 48736 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/navBoxBottom.jpg HTTP/1.1 200 14140 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /pay%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 HTTP/1.1 302 - -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /foodhandler/login;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 302 263 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8056 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8939 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 1184 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/prototype.js HTTP/1.1 200 47603 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12 HTTP/1.1 200 4623 https://www.foodhandler.org/take-the-test%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:07 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12::: :... XXX.XXX.29.22 - - [11/Jun/2009:01:28:07 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459 https://www.foodhandler.org/%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12::: :... - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Apache Logs, Session IDs, and PageExpiredException
I notice there are some secure requests there (https)... so I will now blindly assume you are having the same problem I had in the past... I had a problem with session ids changing when trying to swtich between secure/insecure pages. If your first request to a tomcat server is secure, and a session is created, tomcat will create a secure session id cookie that will only be sent in https requests. If you request a non-secure (http) page request it will not send the cookie, and a new insecure session cookie is created. One way to fix* this is to use a http request filter that checks for new session id cookie creation, and writing a new insecure cookie if a secure one has been created. Something like this: http://forum.springsource.org/archive/index.php/t-65651.html *when I say fix, I mean make the system less secure :) Igor Vaynberg wrote: yes, a changing sessionid will cause a page expired error because the client all of a sudden gets a new blank session. changing session ids can be caused by either session expiration or a manual session invalidation - like during a logout procedure. you have to figure out what causes the session to get dumped and a new one to be created in your application/servlet container. -igor On Thu, Jun 11, 2009 at 9:56 AM, Dane Lavertydanelave...@gmail.com wrote: I'm trying to track down the source of frequent PageExpiredExceptions that we're getting on our deployment server. One of the errors occured at 01:28:06 this morning. In the Apache logs, I discovered that the user's session ID spontaneously changed at that time, (see the change between lines 4 5 below, and then again between lines 11 12). Is that just a coincidence, or would a changing session ID cause the PageExpiredException? And if so, what causes the session ID to change? (I'm using Wicket 1.3.6. I can't replicate the errors in development, which sounds common according to the several PageExpiredException threads. I'm not seeing any sort of serialization errors either.) Thanks for your help! XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/Oregon2.jpg HTTP/1.1 200 22145 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/newVGrad.png HTTP/1.1 200 48736 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/navBoxBottom.jpg HTTP/1.1 200 14140 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /pay%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 HTTP/1.1 302 - -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /foodhandler/login;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 302 263 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8056 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8939 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 1184 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/prototype.js HTTP/1.1 200 47603 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12 HTTP/1.1 200 4623 https://www.foodhandler.org/take-the-test%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:07 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12::: :... XXX.XXX.29.22 - - [11/Jun/2009:01:28:07 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459 https://www.foodhandler.org/%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12::: :... - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org -- Jason Lea
Re: Apache Logs, Session IDs, and PageExpiredException
good catch Jason. We have also ran into this when implementing wicket's @RequireHttps annotation, there is a javadoc section in HttpsRequestCycleProtocol that talks about this cookie pain. -igor On Thu, Jun 11, 2009 at 1:03 PM, Jason Leaja...@kumachan.net.nz wrote: I notice there are some secure requests there (https)... so I will now blindly assume you are having the same problem I had in the past... I had a problem with session ids changing when trying to swtich between secure/insecure pages. If your first request to a tomcat server is secure, and a session is created, tomcat will create a secure session id cookie that will only be sent in https requests. If you request a non-secure (http) page request it will not send the cookie, and a new insecure session cookie is created. One way to fix* this is to use a http request filter that checks for new session id cookie creation, and writing a new insecure cookie if a secure one has been created. Something like this: http://forum.springsource.org/archive/index.php/t-65651.html *when I say fix, I mean make the system less secure :) Igor Vaynberg wrote: yes, a changing sessionid will cause a page expired error because the client all of a sudden gets a new blank session. changing session ids can be caused by either session expiration or a manual session invalidation - like during a logout procedure. you have to figure out what causes the session to get dumped and a new one to be created in your application/servlet container. -igor On Thu, Jun 11, 2009 at 9:56 AM, Dane Lavertydanelave...@gmail.com wrote: I'm trying to track down the source of frequent PageExpiredExceptions that we're getting on our deployment server. One of the errors occured at 01:28:06 this morning. In the Apache logs, I discovered that the user's session ID spontaneously changed at that time, (see the change between lines 4 5 below, and then again between lines 11 12). Is that just a coincidence, or would a changing session ID cause the PageExpiredException? And if so, what causes the session ID to change? (I'm using Wicket 1.3.6. I can't replicate the errors in development, which sounds common according to the several PageExpiredException threads. I'm not seeing any sort of serialization errors either.) Thanks for your help! XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/Oregon2.jpg HTTP/1.1 200 22145 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/newVGrad.png HTTP/1.1 200 48736 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/navBoxBottom.jpg HTTP/1.1 200 14140 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /pay%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 HTTP/1.1 302 - -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /foodhandler/login;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 302 263 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8056 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8939 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 1184 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/prototype.js HTTP/1.1 200 47603 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12 HTTP/1.1 200 4623 https://www.foodhandler.org/take-the-test%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:07 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3?wicket:interface=:12::: :... XXX.XXX.29.22 - - [11/Jun/2009:01:28:07 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459
Re: Apache Logs, Session IDs, and PageExpiredException
Thanks for pointing that out. I've tried some other changes, so I'll wait and see how they work out. However, if the problem persists I'll look into the possibility of it being an HTTPS-related issue. That line of reasoning hadn't ever occurred to me. Dane On Thu, Jun 11, 2009 at 1:09 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: good catch Jason. We have also ran into this when implementing wicket's @RequireHttps annotation, there is a javadoc section in HttpsRequestCycleProtocol that talks about this cookie pain. -igor On Thu, Jun 11, 2009 at 1:03 PM, Jason Leaja...@kumachan.net.nz wrote: I notice there are some secure requests there (https)... so I will now blindly assume you are having the same problem I had in the past... I had a problem with session ids changing when trying to swtich between secure/insecure pages. If your first request to a tomcat server is secure, and a session is created, tomcat will create a secure session id cookie that will only be sent in https requests. If you request a non-secure (http) page request it will not send the cookie, and a new insecure session cookie is created. One way to fix* this is to use a http request filter that checks for new session id cookie creation, and writing a new insecure cookie if a secure one has been created. Something like this: http://forum.springsource.org/archive/index.php/t-65651.html *when I say fix, I mean make the system less secure :) Igor Vaynberg wrote: yes, a changing sessionid will cause a page expired error because the client all of a sudden gets a new blank session. changing session ids can be caused by either session expiration or a manual session invalidation - like during a logout procedure. you have to figure out what causes the session to get dumped and a new one to be created in your application/servlet container. -igor On Thu, Jun 11, 2009 at 9:56 AM, Dane Lavertydanelave...@gmail.com wrote: I'm trying to track down the source of frequent PageExpiredExceptions that we're getting on our deployment server. One of the errors occured at 01:28:06 this morning. In the Apache logs, I discovered that the user's session ID spontaneously changed at that time, (see the change between lines 4 5 below, and then again between lines 11 12). Is that just a coincidence, or would a changing session ID cause the PageExpiredException? And if so, what causes the session ID to change? (I'm using Wicket 1.3.6. I can't replicate the errors in development, which sounds common according to the several PageExpiredException threads. I'm not seeing any sort of serialization errors either.) Thanks for your help! XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/Oregon2.jpg HTTP/1.1 200 22145 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/newVGrad.png HTTP/1.1 200 48736 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:03 -0700] GET /resources/comp.Comp/navBoxBottom.jpg HTTP/1.1 200 14140 https://www.foodhandler.org/login%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /pay%3bjsessionid=E0381EA98B6C107CD1D4DF8FDE5D88C3 HTTP/1.1 302 - -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /foodhandler/login;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 302 263 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:05 -0700] GET /login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8056 -... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/main.css HTTP/1.1 200 9904 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/print.css HTTP/1.1 200 459 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 8939 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js;jsessionid=271042707F280E26F7A08E6FFF108C22 HTTP/1.1 200 1184 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET /resources/comp.Comp/prototype.js HTTP/1.1 200 47603 https://www.foodhandler.org/login%3bjsessionid=271042707F280E26F7A08E6FFF108C22 ... XXX.XXX.29.22 - - [11/Jun/2009:01:28:06 -0700] GET