-
1. Re: What happened to my web session data?
jfclere Jun 15, 2010 12:07 PM (in response to zurchman)
1) Weird, what do you mean exactly?
2) You could manage to persist sessions between restarts (if the session can be serialized).
3) <SessionCookie path="/" /> is like the emptySessionPath of the Connector in the previous versions.
-
2. Re: What happened to my web session data?
zurchman Jun 15, 2010 2:20 PM (in response to jfclere)
I have an application that has been running for years on JBoss 4.0.5.GA. It relies on session data. The request is forwarded to JBoss from another Tomcat Web server.
I am attempting to upgrade to 5.1.0.GA and it appears that the session tracking behavior has changed dramatically.
Here is a log excerpt from 4.0.5.GA with org.apache logging set to DEBUG. As you can see, the requested session is accepted and "recycled".
2010-06-15 13:55:42,429 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 600539E4F497318DC2252E1D0B8B9235.node01
2010-06-15 13:55:42,430 INFO [Ajax] Servlet service: service
2010-06-15 13:55:42,430 INFO [Ajax] 2010-06-15 13:55:42 Insecure session:600539E4F497318DC2252E1D0B8B9235.node01
2010-06-15 13:55:42,430 INFO [STDOUT] Context path: /context
Below is a similar exchange from 5.1.0.GA. As you can see, JBoss is insisting on creating a new session.
2010-06-15 12:50:12,322 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-0.0.0.0-8080-3) Requested cookie session id is F2921DA6BE7D74F6C17D7ACD143C4290.node01
2010-06-15 12:50:12,324 INFO [Ajax] (http-0.0.0.0-8080-3) Servlet service: service
2010-06-15 12:50:12,325 INFO [Ajax] (http-0.0.0.0-8080-3) 2010-06-15 12:50:12 Insecure session:E6F6CC40DAB0FD85F8C010E0D5158AC6
2010-06-15 12:50:12,325 INFO [STDOUT] (http-0.0.0.0-8080-3) Context path: /context
-
3. Re: What happened to my web session data?
jfclere Jun 16, 2010 2:52 AM (in response to zurchman)
Well, it seems you are using "Session fixation" bugs linked to emptySessionPath in the Connectors. Those were fixed and the default behaviour doesn't allow the unsafe behaviour any more. (Guessing you are using an unpatched community 4.0.5.GA.)
To get the unsafe behaviour, make sure you have org.apache.catalina.connector.Request.SESSION_ID_CHECK set to false and use <SessionCookie path="/" /> in each context.xml of the JBoss applications.
-
4. Re: What happened to my web session data?
zurchman Jun 16, 2010 1:06 PM (in response to jfclere)
I added "-Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=false" to my startup and it looks
like that solved the problem. Thank you!
Below are some fragments from org.apache.catalina.connector.Request from the 5.1.0.GA source.
It looks like SESSION_ID_CHECK defaults to false, but I didn't get the desired behavior until
I set it in the startup.
public class Request
    implements HttpServletRequest {

    protected static final boolean SESSION_ID_CHECK =
        Boolean.valueOf(System.getProperty("org.apache.catalina.connector.Request.SESSION_ID_CHECK", "false")).booleanValue();
    ...
Just to document this for anyone facing the same issue...
Below is a fragment from doGetSession(...)
It looks like if SESSION_ID_CHECK is false, as long as the requested session is from a cookie, the session will be created.
        // Create a new session if requested and the response is not committed
        ...
        // Verify that the submitted session id exists in one of the host's web applications
        String sessionId = requestedSessionId;
        if (sessionId != null) {
            if (SESSION_ID_CHECK) {
                boolean found = false;
                try {
                    if (!found) {
                        Container children[] = getHost().findChildren();
                        for (int i = 0; (i < children.length) && !found; i++) {
                            if ((children[i].getManager() != null)
                                && (children[i].getManager().findSession(sessionId) != null)) {
                                found = true;
                            }
                        }
                    }
                } catch (IOException e) {
                    // Ignore: one manager is broken, and it will show up elsewhere again
                }
                if (!found) {
                    sessionId = null;
                }
            } else if (!isRequestedSessionIdFromCookie()) {
                sessionId = null;
            }
        }
        session = manager.createSession(sessionId);

        // Creating a new session cookie based on that session
        // If there was no cookie with the current session id, add a cookie to the response
        if ( (session != null) && (getContext() != null)
             && getContext().getCookies()
             && !(isRequestedSessionIdFromCookie() && (session.getIdInternal().equals(getRequestedSessionId()))) ) {
            TomcatCookie cookie = new TomcatCookie(Globals.SESSION_COOKIE_NAME,
                                                   session.getIdInternal());
            configureSessionCookie(cookie);
            response.addCookieInternal(cookie);
        }
I have <SessionCookie path="/" /> set in the root context.xml in jbossweb.sar. That must be good enough, since it works.
Thanks again
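As an added illustration of the check discussed in replies 3 and 4 (example code, not JBoss Web's own): a servlet filter that records every request presenting a session id the container does not know, plus a helper that renews the session after login. It assumes Servlet 2.5 (the JBoss 5.1 era) and a filter registered in web.xml; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not JBoss Web code): logs requests whose JSESSIONID the
// container does not know, the case SESSION_ID_CHECK exists to catch.
public class SessionIdCheckFilter implements Filter {
    private ServletContext ctx;
    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String requested = http.getRequestedSessionId();
        // An id no manager recognises is either a stale cookie or an attempt to plant
        // a chosen id (session fixation). A burst of these from one address, or a
        // steady stream right after an upgrade, is worth looking into.
        if (requested != null && !http.isRequestedSessionIdValid()) {
            ctx.log("unknown session id " + requested + " presented by " + http.getRemoteAddr()
                    + (http.isRequestedSessionIdFromCookie() ? " (cookie)" : " (URL)"));
        }
        chain.doFilter(req, res);
    }

    // Call once a login succeeds so the pre-authentication id does not become the
    // authenticated session's id. Servlet 2.5 has no changeSessionId(), so attributes
    // are copied into a new session. A fresh random id only results while the connector
    // keeps SESSION_ID_CHECK=true; with the check disabled, doGetSession above recreates
    // the session under the cookie's id, which is why the property matters.
    public static HttpSession renewSession(HttpServletRequest http) {
        HttpSession old = http.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = http.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```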
-
5. Re: What happened to my web session data?
jfclere Jun 17, 2010 3:04 AM (in response to zurchman)
Hm, the property is read from the catalina.properties in jbossweb.jar:
org.apache.catalina.connector.Request.SESSION_ID_CHECK=true