Hi, Chris, thanks for the quick reply! Right now I'm just grasping at straws. If I can prove the JSESSIONID remains the same, and the previous URL is still lost, I'll have definitive proof that the application code is somehow at fault. Right now I have this gray area where it looks (to application devs like me) that Tomcat is losing the session. Can you help me bounce this hot potato back to my fellow devs? :-) Thanks!
--HarDy

________________________________________
From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Thursday, September 03, 2015 10:45 AM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID

Harry,

On 9/3/15 11:12 AM, Pottinger, Hardy J. wrote:
> Hi, I'm a committer for DSpace [1] (a Java servlet) and I'm working
> on a bug [2]. This bug presents with the following symptoms:
>
> 1) user searches site, finds an item of interest, attempts to
> access the item, but is not currently logged in, so is presented
> with a "please enter password" challenge;
> 2) user chooses to authenticate via Shibboleth and is passed on to
> a Shibboleth IdP for authentication
> 3) user authenticates successfully
> 4) user is returned to the home page of the site, instead of the
> item previously requested
>
> DSpace stores the previously-visited URL in the session. I can see
> the JSESSIONID cookie at step 1 above. At step 4, the JSESSIONID
> is new. In other words, the previous session (with the previous
> URL information) is discarded.

Are you sure that the stored URL has been discarded, or has only the
session identifier changed? Tomcat changes session ids after successful
authentication to prevent session-fixation attacks.

> I suspect that there is some setting for Tomcat7 I'm missing. Is
> there some way to tell Tomcat to allow these sessions to persist
> during the roundtrip to the Shibboleth IdP and back?

You *can* disable session-id changes, but then you lose a layer of
security. Are you sure you need to disable this protection?
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
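A diagnostic servlet filter of the kind Hardy is asking for, added here as an example (it is not DSpace or Tomcat code): it records, around each request, the id the browser presented, the server-side session id before and after the filter chain, and whether a stored return-URL attribute survived, so an id rotated by Tomcat's session-fixation protection can be told apart from a session that was genuinely lost or an attribute the application cleared. The attribute name and the log format are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Logs session id and return-URL state around each request. Diagnostic only. */
public class SessionIdTraceFilter implements Filter {
    // Hypothetical attribute name; the key DSpace really uses may differ.
    static final String RETURN_URL_ATTR = "dspace.return.url";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Id carried in the browser's JSESSIONID cookie (null if none was sent)
        String requested = http.getRequestedSessionId();
        // Existing session only; do not create one as a side effect of tracing
        HttpSession before = http.getSession(false);
        String idBefore = before == null ? null : before.getId();
        Object urlBefore = before == null ? null : before.getAttribute(RETURN_URL_ATTR);

        chain.doFilter(req, res);  // authentication may rotate the id in here

        HttpSession after = http.getSession(false);
        String idAfter = after == null ? null : after.getId();
        Object urlAfter = after == null ? null : after.getAttribute(RETURN_URL_ATTR);

        // How to read one line:
        //  requested != idBefore, idBefore == null : cookie id not found server-side, session really lost
        //  idBefore != idAfter and urlAfter != null: id rotated after login, attributes kept (expected)
        //  idBefore == idAfter and urlAfter == null: application code cleared the attribute
        System.out.printf("%s %s requested=%s before=%s after=%s url_before=%s url_after=%s%n",
                http.getMethod(), http.getRequestURI(),
                requested, idBefore, idAfter, urlBefore, urlAfter);
    }
}
```

Map the filter to /* ahead of the authentication filters and compare the lines logged at step 1 and step 4 of the bug report.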