-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Terry,

On 4/9/2010 12:08 PM, Terry Horner wrote:
> That was a javascript error in the onsubmit in the logon form (the
> onSubmit called a function to disable the button which both submitted
> the form and returned true. d'oh), now fixed.

That's what I was figuring. Good to know that it's fixed.

> This hasn't fixed the overall problem though - the situation is still
> the same, only now the logs don't show two concurrent
> j_security_check requests (no surprises here).

:(

> There aren't any iframes or frames. The navbar does use
> document.write to add several <div>s to the page.

Good. Presumably, all this content-generation is done on page load? It
shouldn't really matter, since you're using cookies for everything.

> Not with the JSESSIONID cookie, it adds other cookies with
> response.addCookie(), and reads those cookies, but doesn't modify
> any. The application writes to and reads from the session, but
> leaves creating, expiring etc sessions to the server. The paths are
> all set to '/'

Ok.

> (1) user sees first logon page, with image
> (2) they logon, see the data page, but without the embedded navbar, the
> request for which is met with a logon page (not displayed because the browser
> expects a .js file)
> (3) user requests a different page, and is told to login again
> (4) they do, the system logs them on, gets the navbar request, logs them on
> again without the user doing anything (???), then from this point they have a
> normal user experience
> 
> #Fields: c-dns x-H(remoteUser) date time x-H(protocol) cs-method cs-uri 
> sc-status cs(Cookie) x-P(j_username)
> #Version: 2.0
> #Software: Apache Tomcat/6.0.26
> (1)
> localhost - 2010-04-09 15:32:14 'HTTP/1.1' GET 
> /dataservlet1?timestamp=1205168884309 200 - 
> localhost - 2010-04-09 15:32:15 'HTTP/1.1' GET /frontend/images/image1.gif 
> 200 '08E40C3900'
> (2)
> localhost - 2010-04-09 15:32:19 'HTTP/1.1' POST /j_security_check 302 
> '08E40C3900'

Okay, that all looks normal. Note the 302 response which is directing
the client to re-request the original URL:

> localhost 'user75' 2010-04-09 15:32:22 'HTTP/1.1' GET 
> /dataservlet1?timestamp=1205168884309 200 -

Hmm... no cookie included with this request. I wonder why.

> localhost - 2010-04-09 15:32:22 'HTTP/1.1' GET 
> /frontend/includes/functions.js 200 '08E40C3900'
> localhost - 2010-04-09 15:32:24 'HTTP/1.1' GET 
> /javascriptservlet?request=common.js 200 '08E40C3900'

Old (stale) session id :(

> localhost - 2010-04-09 15:33:00 'HTTP/1.1' GET 
> /frontend/images/global/logo.gif 200 'B5F7F32D85'
> (3)

New session id. This request was made 30 seconds after the previous one.
Is this the same client?

> localhost - 2010-04-09 15:33:02 'HTTP/1.1' GET 
> /dataservlet2?timestamp=1270827182637 200 'B5F7F32D85'
> localhost - 2010-04-09 15:33:02 'HTTP/1.1' GET 
> /frontend/images/global/image1.gif 200 'B5F7F32D85'
> (4)
> localhost - 2010-04-09 15:33:06 'HTTP/1.1' POST /j_security_check 302 
> 'B5F7F32D85'

Another login interception (to /dataservlet2, probably) and redirect to
original URL.

> localhost 'user75' 2010-04-09 15:33:06 'HTTP/1.1' GET 
> /dataservlet2?timestamp=1270827182637 200 'B5F7F32D85'

Authentication in this case doesn't appear to have switched the session id.

> localhost 'user75' 2010-04-09 15:33:08 'HTTP/1.1' GET 
> /javascriptservlet?request=common.js 200 'E892F3EB0B'
> and from here on all requests use the E892F3EB0B cookie 

...which appears to be the re-assigned session id for the login
associated with the B5F7F32D85 session id.

That's all very weird. What's your session timeout? I'm wondering why at
2010-04-09 15:33:00 there was a "bare" request for an image, and then
why there was no session id accompanying the request for /dataservlet1
at 2010-04-09 15:32:22.

> Terry
> &�W2�'WB��VVB��&R��f�&�F����У���z{C��h�+b�v���!���~)^���"{^�'�&�y+Z��q�Ǭ��~�&"{^�'�X��Ś�^�����wb��mi�^u�zz'jg��b'���q�Պ��Y�e���Ƨ��m�+&z���u�.�ح���~����'�
>   �z�'v��z��

That looks weird :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAku/W9YACgkQ9CaO5/Lv0PDXtACeI2f8hX5+DqdmukGrvZvko02S
0yoAnjxMhymHkxTn1le7bW1L3tAJlhrS
=TnKR
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
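A script that mechanises the log reading done in the reply above, added here as an example and not part of the thread or of Tomcat: it parses the access log by the "#Fields:" header Terry quoted (Tomcat's extended log format: single-quoted values, "-" for an empty column, a trailing empty column simply dropped) and flags the three things the reply reasons about, an authenticated request carrying no session cookie, a session id that already passed j_security_check still being sent on unauthenticated requests, and a session id that changes for an authenticated user. The log lines are reconstructed from the excerpt quoted above, and the finding names (no-cookie, stale-sid, sid-changed) are my own.

```python
import shlex

# Constructed sample, reconstructed from the Tomcat 6.0.26 access log quoted in
# the thread. Column order comes from the "#Fields:" header; the last column,
# x-P(j_username), is absent from every data line.
SAMPLE_LOG = """\
#Fields: c-dns x-H(remoteUser) date time x-H(protocol) cs-method cs-uri sc-status cs(Cookie) x-P(j_username)
#Version: 2.0
#Software: Apache Tomcat/6.0.26
localhost - 2010-04-09 15:32:14 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 -
localhost - 2010-04-09 15:32:15 'HTTP/1.1' GET /frontend/images/image1.gif 200 '08E40C3900'
localhost - 2010-04-09 15:32:19 'HTTP/1.1' POST /j_security_check 302 '08E40C3900'
localhost 'user75' 2010-04-09 15:32:22 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 -
localhost - 2010-04-09 15:32:22 'HTTP/1.1' GET /frontend/includes/functions.js 200 '08E40C3900'
localhost - 2010-04-09 15:32:24 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 '08E40C3900'
localhost - 2010-04-09 15:33:00 'HTTP/1.1' GET /frontend/images/global/logo.gif 200 'B5F7F32D85'
localhost - 2010-04-09 15:33:02 'HTTP/1.1' GET /dataservlet2?timestamp=1270827182637 200 'B5F7F32D85'
localhost - 2010-04-09 15:33:02 'HTTP/1.1' GET /frontend/images/global/image1.gif 200 'B5F7F32D85'
localhost - 2010-04-09 15:33:06 'HTTP/1.1' POST /j_security_check 302 'B5F7F32D85'
localhost 'user75' 2010-04-09 15:33:06 'HTTP/1.1' GET /dataservlet2?timestamp=1270827182637 200 'B5F7F32D85'
localhost 'user75' 2010-04-09 15:33:08 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 'E892F3EB0B'
"""


def parse_log(text):
    """Parse extended-log-format text into dicts keyed by the #Fields names.

    Tokens are split shell-style so the single-quoted values come out unquoted;
    a trailing column missing from a data line is filled with '-' like an empty one.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # #Version, #Software, ... directives
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        rec = dict(zip(fields, shlex.split(line)))
        for name in fields:
            rec.setdefault(name, "-")
        records.append(rec)
    return records


def _value(rec, name):
    """'-' is the log's placeholder for an absent value."""
    v = rec.get(name, "-")
    return None if v == "-" else v


def _finding(n, rec, kind, detail):
    return {"line": n, "time": "%s %s" % (rec["date"], rec["time"]),
            "uri": rec["cs-uri"], "kind": kind, "detail": detail}


def analyse(records):
    """Return findings, in log order, for the three patterns discussed in the thread.

    no-cookie    authenticated request (remoteUser set) with no JSESSIONID cookie
    stale-sid    a session id that completed j_security_check is still sent on
                 requests the container treats as unauthenticated
    sid-changed  an authenticated user's session id differs from the one on their
                 previous authenticated request
    """
    findings = []
    logged_in = set()  # session ids that completed a j_security_check POST (302)
    last_sid = {}      # remoteUser -> session id on their last authenticated hit
    for n, rec in enumerate(records, 1):
        sid = _value(rec, "cs(Cookie)")
        user = _value(rec, "x-H(remoteUser)")
        if user and sid is None:
            findings.append(_finding(n, rec, "no-cookie",
                                     "request by %s has no session cookie" % user))
        if rec["cs-uri"] == "/j_security_check" and rec["sc-status"] == "302" and sid:
            logged_in.add(sid)
            continue
        if sid in logged_in and user is None:
            findings.append(_finding(n, rec, "stale-sid",
                                     "session %s used after login without remoteUser" % sid))
        if user and sid:
            prev = last_sid.get(user)
            if prev and prev != sid:
                findings.append(_finding(n, rec, "sid-changed", "%s: %s -> %s" % (user, prev, sid)))
            last_sid[user] = sid
    return findings


if __name__ == "__main__":
    for f in analyse(parse_log(SAMPLE_LOG)):
        print("line %2d %s %-11s %s  (%s)" % (f["line"], f["time"], f["kind"], f["detail"], f["uri"]))
```

Run against the reconstructed excerpt it reports the cookie-less /dataservlet1 request at 15:32:22, the two requests that keep sending 08E40C3900 unauthenticated after the first login, and user75 moving from B5F7F32D85 to E892F3EB0B. The last of those is the one that is expected rather than anomalous: Tomcat 6.0.x changes the session id on authentication by default (the authenticators' changeSessionIdOnAuthentication attribute, its session-fixation protection), so a new id right after j_security_check is normal, while the no-cookie and stale-sid lines are what still need explaining.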
