Jeffrey,

On 9/4/15 4:40 PM, Jeffrey Janner wrote:
> I'm surprised that Tomcat would use the "wrong" session id for 
> URL-rewriting when presenting the login screen. Are you saying
> that, when showing the login page for /APP2, Tomcat will:
> 
> a. Place a session identifier in the URL with value X
> b. Return a Set-Cookie response header for JSESSIONID with value Y
> 
> Where X != Y?
>> So far, it looks like it is maintaining an X=Y philosophy. So
>> that's a non-starter.

Maybe we aren't communicating well: I'd expect to see X = Y *100% of
the time*. The session id for both the URL *and* the cookie should be
the same, otherwise mass confusion would ensue.

> But you do use Tomcat's session-tracking mechanisms, right?
> 
>> Yes, and the problem only rears its ugly head on a successful
>> login (app expires old cookie, creates a new one).

Usually, Tomcat won't explicitly expire an old JSESSIONID cookie...
just set another one with a new value. The browser should replace the
old value with the new one.

>> User never even sees a new page, just an app-generated "session 
>> expired" error. Trying to see things in access logs, but nothing 
>> there I can see.

Hmm.

-chris
