-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Jerry,
On 4/11/19 15:29, Jerry Malcolm wrote: > Alternatively, if I had a better understanding of how sessions are > managed by both TC and the browser, it might help me figure out > what is going wrong. I know a session key is generated by TC and > sent back in a response. And I'm assuming that the browser must > return that session key on subsequent calls. But if there are > several webapps on domain, how does the browser differentiate which > session key to send back on a subsequent response? Is it just > understood that the first 'folder' level under the domain (i.e. > context name) is always a different session key? > (myDomain.com/order vs. myDomain/account)? Or does the browser > send all session keys back per domain and let TC figure out which > one, if any, to use? Again, just looking for a little education > here.... Do you know if HTTP cookies or URL-parameters are being used for session-management? If you aren't sure, try logging-in to your application and look at the URLs and cookies. Typically, a web application will use cookies with the name JSESSIONID. If the session identifier is tracked in the URL, then you'll see ";jsessionid=[id]" in your URLs after the path but before the query string. It's very easy to "lose" a URL-tracked session id because every single URL generated by your application must include that parameter. A sinle miss can cause the session to be lost by the client. If you are using SSO (always with a cookie), it can mask the dropping of the session in this way. It's harder to "lose" a session cookie since the browser typically manages that. Cookies are tracked per web-application using each application's path. The browser should only return a single cookie for a given path. If you have applications that share a URL space (e.g. /master and /master/sub and /master/sub2) then things can get very confusing for the browser and the server. It's best not to overlap URL-spaces in this way. Are you using clustering or anything else like that which might also cause session-ids to change? - -chris -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlyvr/kACgkQHPApP6U8 pFg4KBAAi0qYZDxX0TGApjLOhwTqtP3u22tT9+JXEjcwylIfx+WaURgNTTgEUQQJ rJMkwBBugCU1cgusveBsAJUtuDhe9QMkmx0BKI4JF12hzy+nk8BN/yC0crcvfgfz NIfHWOHV2eczu5ZMDaYeyYOiUM27b+k4Xl0YR0xRtYeJ7/HdnxaklfPojXzFNUhJ vRa6GSjtgCI6JcW+eHPy5T2OmLtdYatHcY+S9qtOJvNsf3mf1WFDHCV6iHR+9NTP 2artOzKAOWe/HLoKo9h8tjSuzgMrodE2dnzdu/DUs1JJjDLl5INXp7WXR6z5BshB oK/op5+e7dV/7BONc9HHEh/99kivgEu86DQ3H6OfQF2+oNVy5kuyzY12/OMvJusg oppLZYV6XCVAUduwkP5W1SjBJWjDuUkQwtSRQ6O2Vren1wI3GIZtSvfZHygEM2Ht X67QyMLJQEh9yZedtdUF9gGJzkREnibxScBtFJc4HpuBezs1HQ4eOk2WTnTpmiAL w38IEM6b/9snSzHcqxXSkkx3vZjf3EuEfZKJwymzC5iHADo6KZsW+aYB4dzrFoJa E5xtJRKZT5i5CHLr7l5bmV4QifZrQa50UA47fe+KvfQiQJW5xZG2lTFl2as6bNGW 4EgcPk6yHDVaGF4xqBN84kp1fqJ++G0c32b/Ogm0Hwfm/ShOvCc= =9pTl -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
