5 Replies Latest reply on Jun 17, 2010 3:04 AM by jfclere

    What happened to my web session data?

    zurchman

      1) Can someone please explain why, after migrating a web app from 4.0.5.GA to 5.1.0.GA all my session data is not found?

      To help me understand this issue:

      2) Could someone please explain this mysterious notation in jbossweb.sar context.xml?

      <!-- Session persistence is disable by default. To enable for all web
         apps set the pathname to a non-empty value:
         <Manager pathname="SESSIONS.ser" />

         To enable session persistence for a single web app, add a
         WEB-INF/context.xml
         -->

       

      3) Could someone please explain the significance of setting <SessionCookie path="/" />

        • 1. Re: What happened to my web session data?
          jfclere

          1) Weird, what do you mean exactly?

          2) You could use Manager to persist sessions between restarts (if the session can be serialized).

          3) <SessionCookie path="/" /> is like the emptySessionPath of the Connector in the previous versions.

          • 2. Re: What happened to my web session data?
            zurchman

            I have an application that has been running for years on JBoss 4.0.5.GA. It relies on session data. The request is forwarded to JBoss from another Tomcat Web server.

            I am attempting to upgrade to 5.1.0.GA and it appears that the session tracking behavior has changed dramatically.

            Here is a log excerpt from 4.0.5.GA with org.apache logging set to DEBUG. As you can see, the requested session is accepted and "recycled".


            2010-06-15 13:55:42,429 DEBUG [org.apache.catalina.connector.CoyoteAdapter]  Requested cookie session id is 600539E4F497318DC2252E1D0B8B9235.node01
            2010-06-15 13:55:42,430 INFO  [Ajax] Servlet service: service
            2010-06-15 13:55:42,430 INFO  [Ajax] 2010-06-15 13:55:42 Insecure session:600539E4F497318DC2252E1D0B8B9235.node01
            2010-06-15 13:55:42,430 INFO  [STDOUT] Context path: /context

            Below is a similar exchange from 5.1.0.GA. As you can see, JBoss is insisting on creating a new session.

            2010-06-15 12:50:12,322 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-0.0.0.0-8080-3)  Requested cookie session id is F2921DA6BE7D74F6C17D7ACD143C4290.node01
            2010-06-15 12:50:12,324 INFO  [Ajax] (http-0.0.0.0-8080-3) Servlet service: service
            2010-06-15 12:50:12,325 INFO  [Ajax] (http-0.0.0.0-8080-3) 2010-06-15 12:50:12 Insecure session:E6F6CC40DAB0FD85F8C010E0D5158AC6
            2010-06-15 12:50:12,325 INFO  [STDOUT] (http-0.0.0.0-8080-3) Context path: /context

            • 3. Re: What happened to my web session data?
              jfclere

              Well, it seems you are using "Session fixation" bugs linked to emptySessionPath in the Connectors. Those were fixed and the default behaviour doesn't allow the unsafe behaviour any more. (Guessing you are using an unpatched community 4.0.5.GA.)

              To get the unsafe behaviour make sure you have org.apache.catalina.connector.Request.SESSION_ID_CHECK set to false and use <SessionCookie path="/" /> in each context.xml of the jboss applications.

              • 4. Re: What happened to my web session data?
                zurchman

                I added "-Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=false" to my startup and it looks like that solved the problem. Thank you!

                Below are some fragments from org.apache.catalina.connector.Request from the 5.1.0.GA source.

                It looks like SESSION_ID_CHECK defaults to false, but I didn't get the desired behavior until I set it in the startup.

                public class Request
                    implements HttpServletRequest {

                    protected static final boolean SESSION_ID_CHECK =
                        Boolean.valueOf(System.getProperty("org.apache.catalina.connector.Request.SESSION_ID_CHECK",
                                                           "false")).booleanValue();

                    ...

                Just to document this for anyone facing the same issue...

                Below is a fragment from doGetSession(...)

                It looks like if SESSION_ID_CHECK is false, as long as the requested session is from a cookie, the session will be created.

                        // Create a new session if requested and the response is not committed
                        ...
                        // Verify that the submitted session id exists in one of the host's web applications
                        String sessionId = requestedSessionId;
                        if (sessionId != null) {
                            if (SESSION_ID_CHECK) {
                                boolean found = false;
                                try {
                                    if (!found) {
                                        Container children[] = getHost().findChildren();
                                        for (int i = 0; (i < children.length) && !found; i++) {
                                            if ((children[i].getManager() != null)
                                                    && (children[i].getManager().findSession(sessionId) != null)) {
                                                found = true;
                                            }
                                        }
                                    }
                                } catch (IOException e) {
                                    // Ignore: one manager is broken, and it will show up elsewhere again
                                }
                                if (!found) {
                                    sessionId = null;
                                }
                            } else if (!isRequestedSessionIdFromCookie()) {
                                sessionId = null;
                            }
                        }
                        session = manager.createSession(sessionId);

                        // Creating a new session cookie based on that session
                        // If there was no cookie with the current session id, add a cookie to the response
                        if ( (session != null) && (getContext() != null)
                               && getContext().getCookies()
                               && !(isRequestedSessionIdFromCookie() && (session.getIdInternal().equals(getRequestedSessionId()))) ) {
                            TomcatCookie cookie = new TomcatCookie(Globals.SESSION_COOKIE_NAME,
                                    session.getIdInternal());
                            configureSessionCookie(cookie);
                            response.addCookieInternal(cookie);
                        }

                I have <SessionCookie path="/" /> set in the root context.xml in jbossweb.sar. That must be good enough, since it works.

                Thanks again
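The decision the doGetSession fragment above encodes, modelled as an added Python example (not JBoss Web or Tomcat code): Manager and the host's list of managers are stand-ins for the Catalina classes, and the constructed ids in the comments are not from the logs. It shows why SESSION_ID_CHECK=true is the safer default: with it off, any id that arrives in a cookie becomes the server's session id even if the server never issued it, which is the behaviour jfclere describes as enabling session fixation.

```python
import secrets
from typing import Dict, List, Optional, Tuple


class Manager:
    """Stand-in for a Catalina session manager: one session table per web app."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def find_session(self, sid: str) -> Optional[dict]:
        return self.sessions.get(sid)

    def create_session(self, sid: Optional[str]) -> str:
        # Like Catalina, honour a caller-supplied id; otherwise generate one.
        new_id = sid if sid is not None else secrets.token_hex(16).upper()
        self.sessions[new_id] = {}
        return new_id


def resolve_session_id(requested: Optional[str], from_cookie: bool,
                       host_managers: List[Manager], session_id_check: bool) -> Optional[str]:
    """Id to create the new session with, or None for a freshly generated one.

    session_id_check=True: keep the requested id only if some web app on the
    host already holds a session under it. False: keep any id that arrived in
    a cookie, even one the server never issued (the client dictates its id).
    """
    if requested is None:
        return None
    if session_id_check:
        known = any(m.find_session(requested) is not None for m in host_managers)
        return requested if known else None
    return requested if from_cookie else None


def handle_request(manager: Manager, host_managers: List[Manager],
                   requested: Optional[str], from_cookie: bool,
                   session_id_check: bool) -> Tuple[str, bool]:
    """Create the session and report whether a new Set-Cookie is needed,
    i.e. whether the id in use differs from the cookie the client sent."""
    sid = manager.create_session(
        resolve_session_id(requested, from_cookie, host_managers, session_id_check))
    return sid, not (from_cookie and sid == requested)
```

The second return value is the condition under which the quoted code adds a JSESSIONID cookie; a True there on a request that did present a cookie is exactly the id change visible in the 5.1.0.GA log excerpt.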

                • 5. Re: What happened to my web session data?
                  jfclere

                  Hm, the property is read from the catalina.properties in jbossweb.jar:

                  org.apache.catalina.connector.Request.SESSION_ID_CHECK=true