Terry,

On 4/9/2010 12:08 PM, Terry Horner wrote:
> That was a javascript error in the onsubmit in the logon form (the
> onSubmit called a function to disable the button which both submitted
> the form and returned true. d'oh), now fixed.

That's what I was figuring. Good to know that it's fixed.

> This hasn't fixed the overall problem though - the situation is still
> the same, only now the logs don't show two concurrent
> j_security_check requests (no surprises here).

:(

> There aren't any iframes or frames. The navbar does use
> document.write to add several <div>s to the page.

Good. Presumably, all this content-generation is done on page load? It shouldn't really matter, since you're using cookies for everything.

> Not with the JSESSIONID cookie, it adds other cookies with
> response.addCookie(), and reads those cookies, but doesn't modify
> any. The application writes to and reads from the session, but
> leaves creating, expiring etc sessions to the server. The paths are
> all set to '/'

Ok.

> (1) user sees first logon page, with image
> (2) they logon, see the data page, but without the embedded navbar, the
> request for which is met with a logon page (not displayed because the browser
> expects a .js file)
> (3) user requests a different page, and are told to login again
> (4) they do, the system logs them on, gets the navbar request, logs them on
> again without the user doing anything (???), then from this point they have a
> normal user experience
>
> #Fields: c-dns x-H(remoteUser) date time x-H(protocol) cs-method cs-uri sc-status cs(Cookie) x-P(j_username)
> #Version: 2.0
> #Software: Apache Tomcat/6.0.26
> (1)
> localhost - 2010-04-09 15:32:14 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 -
> localhost - 2010-04-09 15:32:15 'HTTP/1.1' GET /frontend/images/image1.gif 200 '08E40C3900'
> (2)
> localhost - 2010-04-09 15:32:19 'HTTP/1.1' POST /j_security_check 302 '08E40C3900'

Okay, that all looks normal.
Note the 302 response which is directing the client to re-request the original URL:

> localhost 'user75' 2010-04-09 15:32:22 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 -

Hmm... no cookie included with this request. I wonder why.

> localhost - 2010-04-09 15:32:22 'HTTP/1.1' GET /frontend/includes/functions.js 200 '08E40C3900'
> localhost - 2010-04-09 15:32:24 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 '08E40C3900'

Old (stale) session id :(

> localhost - 2010-04-09 15:33:00 'HTTP/1.1' GET /frontend/images/global/logo.gif 200 'B5F7F32D85'
> (3)

New session id. This request was made 30 seconds after the previous one. Is this the same client?

> localhost - 2010-04-09 15:33:02 'HTTP/1.1' GET /dataservlet2?timestamp=1270827182637 200 'B5F7F32D85'
> localhost - 2010-04-09 15:33:02 'HTTP/1.1' GET /frontend/images/global/image1.gif 200 'B5F7F32D85'
> (4)
> localhost - 2010-04-09 15:33:06 'HTTP/1.1' POST /j_security_check 302 'B5F7F32D85'

Another login interception (to /dataservlet2, probably) and redirect to original URL.

> localhost 'user75' 2010-04-09 15:33:06 'HTTP/1.1' GET /dataservlet2?timestamp=1270827182637 200 'B5F7F32D85'

Authentication in this case doesn't appear to have switched the session id.

> localhost 'user75' 2010-04-09 15:33:08 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 'E892F3EB0B'
> and from here on all requests use the E892F3EB0B cookie

...which appears to be the re-assigned session id for the login associated with the B5F7F32D85 session id.

That's all very weird. What's your session timeout? I'm wondering why at 2010-04-09 15:33:00 there was a "bare" request for an image, and then why there was no session id accompanying the request for /dataservlet1 at 2010-04-09 15:32:22.

> Terry
> [garbled characters]

That looks weird :)

-chris
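
Added example, not part of the original message: a short Python script that replays the access-log lines quoted in the thread (wrapped lines joined) and flags the requests where the session cookie is missing or changes, which are the points the reply comments on. The function names are hypothetical, and it assumes the cs(Cookie) column holds only the session id, as in the quoted lines.

```python
import shlex

# Access-log lines quoted in the message, with wrapped lines joined.
SAMPLE_LOG = """\
localhost - 2010-04-09 15:32:14 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 -
localhost - 2010-04-09 15:32:15 'HTTP/1.1' GET /frontend/images/image1.gif 200 '08E40C3900'
localhost - 2010-04-09 15:32:19 'HTTP/1.1' POST /j_security_check 302 '08E40C3900'
localhost 'user75' 2010-04-09 15:32:22 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 -
localhost - 2010-04-09 15:32:22 'HTTP/1.1' GET /frontend/includes/functions.js 200 '08E40C3900'
localhost - 2010-04-09 15:32:24 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 '08E40C3900'
localhost - 2010-04-09 15:33:00 'HTTP/1.1' GET /frontend/images/global/logo.gif 200 'B5F7F32D85'
localhost - 2010-04-09 15:33:02 'HTTP/1.1' GET /dataservlet2?timestamp=1270827182637 200 'B5F7F32D85'
localhost - 2010-04-09 15:33:02 'HTTP/1.1' GET /frontend/images/global/image1.gif 200 'B5F7F32D85'
localhost - 2010-04-09 15:33:06 'HTTP/1.1' POST /j_security_check 302 'B5F7F32D85'
localhost 'user75' 2010-04-09 15:33:06 'HTTP/1.1' GET /dataservlet2?timestamp=1270827182637 200 'B5F7F32D85'
localhost 'user75' 2010-04-09 15:33:08 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 'E892F3EB0B'
"""

# First nine names of the #Fields header; the quoted lines carry nine values.
FIELDS = ("host", "user", "date", "time", "protocol", "method", "uri", "status", "cookie")


def parse_line(line):
    """Split one log line into a dict, mapping the '-' placeholder to None."""
    values = shlex.split(line)  # also strips the single quotes around values
    return {k: (None if v == "-" else v) for k, v in zip(FIELDS, values)}


def session_anomalies(log_text):
    """Return (time, uri, finding) for requests whose cookie breaks continuity."""
    findings, last_cookie = [], None
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["cookie"] is None:
            if last_cookie is not None:  # a cookie was issued earlier but not sent
                findings.append((rec["time"], rec["uri"], "cookie missing"))
            continue
        if last_cookie is not None and rec["cookie"] != last_cookie:
            findings.append((rec["time"], rec["uri"],
                             f"session changed {last_cookie} -> {rec['cookie']}"))
        last_cookie = rec["cookie"]
    return findings


if __name__ == "__main__":
    for finding in session_anomalies(SAMPLE_LOG):
        print(*finding)
```

The very first request is not flagged because no session cookie had been issued yet at that point.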