2016-01-08 19:02 GMT+03:00 Christopher Schultz <ch...@christopherschultz.net>:
> Thomas,
>
> On 1/8/16 8:00 AM, Thomas Scheffler wrote:
>> On 08.01.16 at 11:43, Olaf Kock wrote:
>>> Is there any chance that the first and correctly authenticated cookies
>>> (despite the debug output "secure=false") are https-only cookies and
>>> won't get transmitted in http, thus triggering new sessions? E.g. any
>>> chance they get rewritten at another level (Apache httpd, ServletFilter,
>>> others) to be secure only - or that the debug output is slightly
>>> incorrect because it omits the secure flag?
>>
>> This is from a test installation on the productive server where it can
>> only be observed. For simplicity I use the maven cargo plugin to setup
>> the tomcat here. It shows the same behavior on the productive server,
>> where it uses HTTPS in combination with Apache HTTPD.
>>
>> I use BeanUtil.describe() to produce the cookie String. So this should
>> all be correct.
>>
>> This error comes up on every browser with at least a certain number of
>> requests to that servlet. It has something to do with a race condition or
>> side effect I'm not aware of.
>>
>> If I do not use container authentication, HTTP sessions won't get lost.
>>
>> Hunting this bug for so many weeks now and ran out of ideas.
>
> Tomcat will change the session identifier when the user authenticates.
> If you are creating a session before login, you'll see that the session
> id changes when authentication is successful. This is to protect against
> session-fixation attacks.
>
> Can you explain why the changing session id breaks your application? Are
> you storing session ids somewhere and just not updating the session id
> list when the session id changes? It should be possible to listen for
> that event and update your session id list. Or maybe there's a better
> way to accomplish your goal rather than keeping your own session id
> list. (I'm guessing you have a session id list because it would best
> explain the behavior you are describing here.)

FYI,
http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpSessionIdListener.html
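One way to keep an application-side session registry in step with the id change Christopher describes, using the HttpSessionIdListener linked above. This is an added example, not code from the thread; SessionRegistry and lookup() are hypothetical names and the map itself is assumed to be the kind of session-id list he guesses the application maintains.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/**
 * Keeps an application-level map of session id -> HttpSession in sync with
 * the container. Tomcat's session-fixation protection issues a new id on
 * successful container authentication; without sessionIdChanged() the map
 * still points at the stale id and the user appears to have lost the session.
 */
@WebListener
public class SessionRegistry implements HttpSessionListener, HttpSessionIdListener {

    // Hypothetical shared registry: one entry per live session, keyed by current id.
    private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        SESSIONS.put(s.getId(), s);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        SESSIONS.remove(se.getSession().getId());
    }

    /** Called by the container after the id is changed, e.g. on login (Servlet 3.1+). */
    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        HttpSession s = se.getSession();   // the session object already carries the new id
        SESSIONS.remove(oldSessionId);     // drop the pre-authentication key
        SESSIONS.put(s.getId(), s);        // re-key under the post-authentication id
    }

    /** Lookup used by the rest of the application; null if the id is unknown or stale. */
    public static HttpSession lookup(String sessionId) {
        return SESSIONS.get(sessionId);
    }
}
```

If the registry is only needed to find "your own" session, prefer request.getSession(false) over any id-keyed map; the container already tracks the current id for you.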
