Hello to all.

I have a problem with session tracking when I use secure connections:

This is the scenario:

On the server side, I have Slackware 8.0, with tomcat-4.0.3, apache 1.3.20 and a 
simple servlet which does only one thing: 

  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException {
    HttpSession session = request.getSession();
    if(session.isNew()) log("this is a new session:"+session.getId());

    ObjectInputStream in = new ObjectInputStream(request.getInputStream());
    ObjectOutputStream out = new ObjectOutputStream(response.getOutputStream());

    Object message = null;
    try {
        message = in.readObject();
        out.writeObject(message);
        out.flush();
    } catch (Exception e) {
        e.printStackTrace();
    }finally{
        in.close();
        out.close();
    }
}

On the client side, I use HttpConnection in order to connect to this servlet:

    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
    String target = "http://myserver/access/AccessServlet";

    HttpURLConnection conn = (HttpURLConnection)new URL(target).openConnection();

    if(sessionId != null) {
        conn.setRequestProperty("Cookie", sessionId);
    }

    conn.setDoInput(true);
    conn.setDoOutput(true);
    conn.setUseCaches(false);

    ObjectOutputStream out = new ObjectOutputStream(conn.getOutputStream());
    out.writeObject(null);
    out.flush();
    out.close();

    String cookie = conn.getHeaderField("Set-cookie");
    if (cookie != null) {
      int semicolon = cookie.indexOf(';');
      sessionId = cookie.substring(0, semicolon);
    }

    ObjectInputStream in = new ObjectInputStream(conn.getInputStream());
    Object response = in.readObject();

    in.close();
    conn.disconnect();


***NOTE: sessionId is a string used to keep a session id once it is returned by the 
first connection to the server;

If I am using the http protocol, everything works fine.
If I use the https protocol, the PROBLEM occurs: sometimes, the server instantiates a NEW 
HttpSession and sends it back to the client even if the request from the client is 
set up (via conn.setRequestProperty("Cookie", sessionId);) with the right session id.
The problem is happening no matter what kind of connection I use (direct to tomcat 
configured with a SSL connector, or using apache+mod_ssl+mod_jk).

The problem appears to depend on the j2se I use on the client side 'cause if I use 
j2se1.4.0 the problem disappears (but here I have a poor performance - unacceptable - 
I have to wait 5-6 seconds until I have a response). 

The problem stays with j2se1.3.1+jsse1.0.2

IMHO, the catalina container creates a new httpsession if the user connected via 
https uses a new sslsession. So, I can't overcome this problem, 'cause I can't force 
the client to use the same sslsession negotiated after the first connection.


Any ideas?
Greetings,
seven
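
A client-side check for the symptom described in this post, added here as an example and not part of the original message: it scans every Set-Cookie header for the session cookie, copes with a cookie that has no `;`, and reports when the server answered with a different session id than the one sent. The class and method names are hypothetical, the sample headers and ids are constructed, and `JSESSIONID` is assumed to be the session cookie name.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class SessionCookieCheck {

    // Assumption: the container uses the default session cookie name.
    static final String PREFIX = "JSESSIONID=";

    /** Returns "JSESSIONID=<id>" found in any Set-Cookie header, or null. */
    static String extractSessionCookie(Map<String, List<String>> headers) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            // The status line sits under a null key; header names are case-insensitive.
            if (e.getKey() == null || !e.getKey().equalsIgnoreCase("Set-Cookie")) {
                continue;
            }
            for (String value : e.getValue()) {
                int semicolon = value.indexOf(';');
                // A cookie sent without attributes contains no ';'.
                String pair = (semicolon < 0 ? value : value.substring(0, semicolon)).trim();
                if (pair.startsWith(PREFIX)) {
                    return pair;
                }
            }
        }
        return null;
    }

    /** True when a request that carried a session cookie was answered with a different one. */
    static boolean sessionWasReplaced(String sent, String received) {
        return sent != null && received != null && !sent.equals(received);
    }

    public static void main(String[] args) {
        // Constructed response headers; with a live connection pass conn.getHeaderFields().
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put(null, Arrays.asList("HTTP/1.1 200 OK"));
        headers.put("set-cookie", Arrays.asList("lang=en; Path=/", "JSESSIONID=BBBB2222"));

        String sent = "JSESSIONID=AAAA1111";   // constructed id from an earlier response
        String received = extractSessionCookie(headers);
        System.out.println("received: " + received);
        System.out.println("replaced: " + sessionWasReplaced(sent, received));
    }
}
```

Logging the result of `sessionWasReplaced` on each request shows exactly which https calls were answered with a new session.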
