Thomas,

On 1/8/16 8:00 AM, Thomas Scheffler wrote:
> On 08.01.16 at 11:43, Olaf Kock wrote:
>> Is there any chance that the first and correctly authenticated cookies
>> (despite the debug output "secure=false") are https-only cookies and
>> won't get transmitted in http, thus triggering new sessions? E.g. any
>> chance they get rewritten at another level (Apache httpd, ServletFilter,
>> others) to be secure only - or that the debug output is slightly
>> incorrect because it omits the secure flag?
> 
> This is from a test installation on the productive server where it can
> only be observed. For simplicity I use the maven cargo plugin to set up
> the tomcat here. It shows the same behavior on the productive server,
> where it uses HTTPS in combination with Apache HTTPD.
> 
> I use BeanUtil.describe() to produce the cookie String. So this should
> all be correct.
> 
> This error comes up on every browser with at least a certain number of
> requests to that servlet. It has something to do with a race condition or
> side effect I'm not aware of.
> 
> If I do not use container authentication, HTTP sessions won't get lost.
> 
> Hunting this bug for so many weeks now and ran out of ideas.

Tomcat will change the session identifier when the user authenticates.
If you are creating a session before login, you'll see that the session
id changes when authentication is successful. This is to protect against
session-fixation attacks.

Can you explain why the changing session id breaks your application? Are
you storing session ids somewhere and just not updating the session id
list when the session id changes? It should be possible to listen for
that event and update your session id list. Or maybe there's a better
way to accomplish your goal rather than keeping your own session id
list. (I'm guessing you have a session id list because it would best
explain the behavior you are describing here.)

-chris
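As an added example (not code from this thread or from Tomcat itself), here is one way to follow the suggestion above and listen for the id change instead of keeping a list that goes stale after login. It assumes the Servlet 3.1 API (Tomcat 8 or later), where HttpSessionIdListener exists; the SessionRegistry class and its map are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/**
 * Application-side registry of live sessions keyed by session id. The entry is
 * re-keyed when the container assigns a new id, which Tomcat does after a
 * successful container-managed login as protection against session fixation.
 */
@WebListener
public class SessionRegistry implements HttpSessionListener, HttpSessionIdListener {

    // Hypothetical registry for illustration: session id -> session.
    private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        SESSIONS.put(se.getSession().getId(), se.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // getId() already returns the current (possibly changed) id here.
        SESSIONS.remove(se.getSession().getId());
    }

    /** Servlet 3.1 callback: the container changed the id of an existing session. */
    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        HttpSession session = se.getSession();
        // Drop the stale key first so a lookup by the pre-login id fails from now on;
        // otherwise the registry would undo the fixation protection the container applied.
        SESSIONS.remove(oldSessionId);
        SESSIONS.put(session.getId(), session);
    }

    /** Lookup used by the rest of the application instead of a hand-maintained list. */
    public static HttpSession lookup(String sessionId) {
        return SESSIONS.get(sessionId);
    }
}
```

Any code that cached the id before login must read session.getId() again afterwards, since the old value no longer resolves.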

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org