Was not able to figure out how to use Wireshark. But I found an extension called Tamper Data for Firefox.
On browser I type https://localhost/myaccount/index.faces

Tamper Data shows - a GET request for the above page with no JSESSIONID, which returns 200 - OK. There are other requests such as wpad.dat. No idea what that is. There are also requests to get the images and style sheets. The above response is actually the login page.

Now I log in.

Tamper Data shows - a POST request for the http://localhost/myaccount/j_security_check page with JSESSIONID passed in. The server evidently returns status code 302 - moved temporarily to the above request, and the location returned is "http://localhost/myacccount/index.faces".

The above makes sense, because the code in FormAuthenticator.java is

    response.sendRedirect(response.encodeRedirectURL(requestURI));

which redirects the user to the saved page. So the browser sends a request to the above page, passing in the JSESSIONID, but probably no body data as that has already been saved.

But in my application, the above call to sendRedirect does not send anything back to the client. Instead, the server directly goes on to handle the saved request, as if the sendRedirect was a jsp:forward. So why?

It seems my code needs to call HttpURLConnection.setFollowRedirects(false); This way, when j_security_check finishes, my code sees the response code 302. My code then resubmits the request, passing in JSESSIONID. It looks like the default behavior of HttpURLConnection is to automatically go to the redirect page (without adding the JSESSIONID).

--- On Tue, 12/16/08, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:

> From: Caldarale, Charles R <chuck.caldar...@unisys.com>
> Subject: RE: How to install the session cookie into the original request of the secure area?
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Date: Tuesday, December 16, 2008, 12:38 PM
>
> > From: removeps-gro...@yahoo.com [mailto:removeps-gro...@yahoo.com]
> > Subject: How to install the session cookie into the original request of the secure area?
> >
> > When making a connection to the secure area of my
> > website through code, the original request is saved,
> > but the JSESSIONID cookie is not added to it.
>
> You need to invest* in a copy of Wireshark so you can see
> the differences in the requests that a browser sends vs the
> ones your client code makes.
>
> - Chuck
>
> *It's open source, so the investment is primarily one
> of education.
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR
> OTHERWISE PROPRIETARY MATERIAL and is thus for use only by
> the intended recipient. If you received this in error,
> please contact the sender and delete the e-mail and its
> attachments from all computers.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
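The client-side sequence worked out in the message above (GET the protected page to obtain the session cookie, POST to j_security_check without auto-following the 302, then re-issue the saved request with the cookie a browser would send), as an added example that is not code from the thread. It assumes Tomcat on localhost:8080 and takes the username and password as command-line arguments; it uses setInstanceFollowRedirects, the per-connection form of the static setFollowRedirects named in the post.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class FormAuthClient {
    // Returns "JSESSIONID=<id>" from the response's Set-Cookie headers, or null if none was sent.
    static String sessionCookie(HttpURLConnection c) throws IOException {
        for (int i = 0; ; i++) {
            String name = c.getHeaderFieldKey(i), value = c.getHeaderField(i);
            if (name == null && value == null) return null;          // past the last header
            if ("Set-Cookie".equalsIgnoreCase(name) && value.startsWith("JSESSIONID="))
                return value.split(";", 2)[0];                     // drop Path/HttpOnly attributes
        }
    }

    public static void main(String[] args) throws IOException {
        String base = "http://localhost:8080/myaccount/";           // assumed host, port and context
        // 1. Unauthenticated GET: Tomcat saves the request, answers 200 with the login form and sets JSESSIONID.
        HttpURLConnection c1 = (HttpURLConnection) new URL(base + "index.faces").openConnection();
        String cookie = sessionCookie(c1);
        c1.disconnect();
        if (cookie == null) throw new IOException("login page did not set JSESSIONID");
        // 2. POST the credentials to j_security_check with that cookie; keep the 302 instead of auto-following it.
        HttpURLConnection c2 = (HttpURLConnection) new URL(base + "j_security_check").openConnection();
        c2.setInstanceFollowRedirects(false);
        c2.setRequestMethod("POST");
        c2.setDoOutput(true);
        c2.setRequestProperty("Cookie", cookie);
        c2.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String form = "j_username=" + URLEncoder.encode(args[0], "UTF-8")
                    + "&j_password=" + URLEncoder.encode(args[1], "UTF-8");
        try (OutputStream out = c2.getOutputStream()) { out.write(form.getBytes(StandardCharsets.UTF_8)); }
        int status = c2.getResponseCode();
        String location = c2.getHeaderField("Location");
        String renewed = sessionCookie(c2);   // Tomcat may issue a new session id on login; use it if present
        if (renewed != null) cookie = renewed;
        c2.disconnect();
        if (status != HttpURLConnection.HTTP_MOVED_TEMP || location == null)
            throw new IOException("authentication did not redirect, status " + status);
        // 3. Re-issue the saved request ourselves, sending the cookie the default redirect handling dropped.
        HttpURLConnection c3 = (HttpURLConnection) new URL(location).openConnection();
        c3.setRequestProperty("Cookie", cookie);
        System.out.println("GET " + location + " -> " + c3.getResponseCode());
    }
}
```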