-
1. Re: What happened to my web session data?
Jean-Frederic Clere Jun 15, 2010 12:07 PM (in response to Sidney Zurch)
1) Weird, what do you mean exactly?
2) You could manage to persist sessions between restarts (if the session can be serialized).
3) <SessionCookie path="/" /> that is like the emptySessionPath of Connector of the previous versions.
-
2. Re: What happened to my web session data?
Sidney Zurch Jun 15, 2010 2:20 PM (in response to Jean-Frederic Clere)
I have an application that has been running for years on JBoss 4.0.5.GA. It relies on session data. The request is forwarded to JBoss from another Tomcat Web server.
I am attempting to upgrade to 5.1.0.GA and it appears that the session tracking behavior has changed dramatically.
Here is a log excerpt from 4.0.5.GA with org.apache logging set to DEBUG. As you can see, the requested session is accepted and "recycled".
2010-06-15 13:55:42,429 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 600539E4F497318DC2252E1D0B8B9235.node01
2010-06-15 13:55:42,430 INFO [Ajax] Servlet service: service
2010-06-15 13:55:42,430 INFO [Ajax] 2010-06-15 13:55:42 Insecure session:600539E4F497318DC2252E1D0B8B9235.node01
2010-06-15 13:55:42,430 INFO [STDOUT] Context path: /context
Below is a similar exchange from 5.1.0.GA. As you can see, JBoss is insisting on creating a new session.
2010-06-15 12:50:12,322 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-0.0.0.0-8080-3) Requested cookie session id is F2921DA6BE7D74F6C17D7ACD143C4290.node01
2010-06-15 12:50:12,324 INFO [Ajax] (http-0.0.0.0-8080-3) Servlet service: service
2010-06-15 12:50:12,325 INFO [Ajax] (http-0.0.0.0-8080-3) 2010-06-15 12:50:12 Insecure session:E6F6CC40DAB0FD85F8C010E0D5158AC6
2010-06-15 12:50:12,325 INFO [STDOUT] (http-0.0.0.0-8080-3) Context path: /context
-
3. Re: What happened to my web session data?
Jean-Frederic Clere Jun 16, 2010 2:52 AM (in response to Sidney Zurch)
Well, it seems you are using "Session fixation" bugs linked to emptySessionPath in the Connectors. Those were fixed and the default behaviour doesn't allow the unsafe behaviour any more. (Guessing you are using an unpatched community 4.0.5.GA.)
To get the unsafe behaviour make sure you have org.apache.catalina.connector.Request.SESSION_ID_CHECK set to false and use <SessionCookie path="/" /> in each context.xml of the jboss applications.
-
4. Re: What happened to my web session data?
Sidney Zurch Jun 16, 2010 1:06 PM (in response to Jean-Frederic Clere)
I added "-Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=false" to my startup and it looks like that solved the problem. Thank you!

Below are some fragments from org.apache.catalina.connector.Request from the 5.1.0.GA source. It looks like SESSION_ID_CHECK defaults to false, but I didn't get the desired behavior until I set it in the startup.

public class Request
    implements HttpServletRequest {

    // Read once at class load from the system property; the literal default here is "false"
    protected static final boolean SESSION_ID_CHECK =
        Boolean.valueOf(System.getProperty("org.apache.catalina.connector.Request.SESSION_ID_CHECK", "false")).booleanValue();
    ...

Just to document this for anyone facing the same issue...
Below is a fragment from doGetSession(...)
It looks like if SESSION_ID_CHECK is false, as long as the requested session is from a cookie, the session will be created.
        // Create a new session if requested and the response is not committed
        ...
        // Verify that the submitted session id exists in one of the host's web applications
        String sessionId = requestedSessionId;
        if (sessionId != null) {
            if (SESSION_ID_CHECK) {
                boolean found = false;
                try {
                    if (!found) {
                        Container children[] = getHost().findChildren();
                        for (int i = 0; (i < children.length) && !found; i++) {
                            if ((children[i].getManager() != null)
                                && (children[i].getManager().findSession(sessionId) != null)) {
                                found = true;
                            }
                        }
                    }
                } catch (IOException e) {
                    // Ignore: one manager is broken, and it will show up elsewhere again
                }
                if (!found) {
                    sessionId = null;   // id unknown to every manager on the host: discard it
                }
            } else if (!isRequestedSessionIdFromCookie()) {
                sessionId = null;       // check disabled: only a URL-supplied id is discarded
            }
        }
        // A non-null sessionId is adopted as the id of the new session
        session = manager.createSession(sessionId);

        // Creating a new session cookie based on that session
        // If there was no cookie with the current session id, add a cookie to the response
        if ( (session != null) && (getContext() != null)
             && getContext().getCookies()
             && !(isRequestedSessionIdFromCookie() && (session.getIdInternal().equals(getRequestedSessionId()))) ) {
            TomcatCookie cookie = new TomcatCookie(Globals.SESSION_COOKIE_NAME,
                                                   session.getIdInternal());
            configureSessionCookie(cookie);
            response.addCookieInternal(cookie);
        }

I have <SessionCookie path="/" /> set in the root context.xml in jbossweb.sar. That must be good enough, since it works.
Thanks again
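The fragment above is the whole security argument of this thread: with SESSION_ID_CHECK disabled, any id that arrives in a JSESSIONID cookie and is not already known is passed straight to manager.createSession(sessionId), so the client, not the server, picks the session id. The following Python model is an added example written for this page; it is not JBoss Web or Tomcat code. It replays the quoted doGetSession logic against a single in-memory manager (the real loop over getHost().findChildren() collapses to one lookup) and runs a session-fixation scenario under both settings. The attacker-chosen id and the way it is planted in the victim's browser are constructed assumptions.

```python
import secrets

# Simulated session manager (added example; not the Tomcat/JBoss Web classes).
class Manager:
    def __init__(self):
        self.sessions = {}

    def find_session(self, session_id):
        return self.sessions.get(session_id)

    def create_session(self, session_id=None):
        # Mirrors manager.createSession(sessionId) in the quoted fragment:
        # a non-null id is adopted verbatim; only a null id gets a fresh random one.
        if session_id is None:
            session_id = secrets.token_hex(16).upper()
        session = {"id": session_id, "attrs": {}}
        self.sessions[session_id] = session
        return session


def do_get_session(manager, requested_id, from_cookie, session_id_check):
    """Simplified model of Request.doGetSession as quoted in the thread.

    The real method first returns an existing session matching requested_id;
    the quoted fragment is the create path reached when none is found.
    """
    if requested_id is not None:
        existing = manager.find_session(requested_id)
        if existing is not None:
            return existing
    session_id = requested_id
    if session_id is not None:
        if session_id_check:
            # Hardened path: an id unknown to every manager on the host is discarded
            # (one manager here; the real code loops over getHost().findChildren()).
            if manager.find_session(session_id) is None:
                session_id = None
        elif not from_cookie:
            # Legacy path: any cookie-supplied id is adopted; only URL ids are dropped.
            session_id = None
    return manager.create_session(session_id)


# Constructed, attacker-chosen id; the server has never issued it.
ATTACKER_ID = "DEADBEEFDEADBEEFDEADBEEFDEADBEEF"


def fixation_attack(session_id_check):
    """Return the username the attacker can read after the victim logs in, or None."""
    manager = Manager()
    # 1. The attacker has planted ATTACKER_ID as the victim's JSESSIONID cookie
    #    (assumed; how it was planted is outside this model). The victim requests a page.
    victim_session = do_get_session(manager, ATTACKER_ID, True, session_id_check)
    # 2. The victim authenticates; the application stores the principal in the session.
    victim_session["attrs"]["user"] = "victim"
    # 3. The attacker sends the id they chose and reads whatever session it resolves to.
    attacker_session = do_get_session(manager, ATTACKER_ID, True, session_id_check)
    return attacker_session["attrs"].get("user")


if __name__ == "__main__":
    for check in (False, True):
        print("SESSION_ID_CHECK=%s -> attacker reads: %r" % (check, fixation_attack(check)))
```

With the check off, the victim's session is created under the attacker's id, exactly the "requested cookie session id ... Insecure session:<same id>" pattern in the 4.0.5.GA log; with it on, the victim gets a freshly generated id and the attacker's later request lands in an empty session, matching the 5.1.0.GA log. Note the check only rejects ids the server never issued: an attacker who first obtains a genuine server-issued id and plants that one is not stopped by it, which is why applications also issue a new session id when a user authenticates.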
-
5. Re: What happened to my web session data?
Jean-Frederic Clere Jun 17, 2010 3:04 AM (in response to Sidney Zurch)
hm, the property is read from the catalina.properties in jbossweb.jar:
org.apache.catalina.connector.Request.SESSION_ID_CHECK=true