8 Replies Latest reply on Nov 29, 2010 11:53 AM by mrfixit440

    new session id with new browser window with tomcat 6.0.29

    mrfixit440

      I have a webapp deployed to JBoss 4.2.3.GA (including Tomcat 6.0.20) with an IIS frontend using AJP 1.3. IIS is using CAC authentication and will forward to JBoss when successful. The first JSP that is hit after login saves request.getRemoteUser() to the session, creates a user object and saves that to the session, and then opens a new window to load a second JSP. This second JSP reads the user object from the session and begins to populate the page with user-specific info. This setup works well.


      However, when I upgrade jbossweb.jar to Tomcat 6.0.29, the session id is different between the two JSP pages, so I can never get the user object out of the session in the second JSP and it fails to populate. Both JSPs are in the same web context. I tried Firefox and IE 7. It seems like the new browser window is causing the second JSP to report a different session id than the first JSP.


      Is there a configuration setting that I need to set for 6.0.29?


      Here is my server.xml snippet:


      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true" clientAuth="false"
                 strategy="ms" address="${jboss.bind.address}"
                 keyAlias="foossl"
                 ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                          TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                          SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                          SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
                 keystoreFile="${jboss.server.home.dir}/conf/Certificates/FOO-server.keystore"
                 keystorePass="123456"
                 truststoreFile="${jboss.server.home.dir}/conf/Certificates/FOO-client.truststore"
                 truststorePass="123456" algorithm="SunX509" sslProtocol="TLS"
                 URIEncoding="UTF-8" />

      <!-- Define an AJP 1.3 Connector on port 8009 -->
      <Connector port="8009" address="${jboss.bind.address}" protocol="AJP/1.3"
                 emptySessionPath="true" enableLookups="false" redirectPort="8443"
                 URIEncoding="UTF-8" />


            <Engine name="jboss.web" defaultHost="localhost">


      Here is my jboss-web.deployer/context.xml:


      <Context cookies="true" crossContext="true" useHttpOnly="true">
         <!-- Session persistence is disabled by default. To enable it for all web
              apps, set the pathname to a non-empty value:
              <Manager pathname="SESSIONS.ser" />

              To enable session persistence for a single web app, add a
              WEB-INF/context.xml
         -->
         <Manager pathname="" />

         <!-- Install an InstanceListener to handle the establishment of the run-as
              role for servlet init/destroy events.
         -->
         <InstanceListener>org.jboss.web.tomcat.security.RunAsListener</InstanceListener>
      </Context>
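To narrow down where the id is lost between the first and second JSP, here is an added diagnostic filter (not from the original post and not JBoss/Tomcat code) for the Servlet 2.5 API that JBoss 4.2.x provides. It logs, per request, whether the browser presented a JSESSIONID, whether the container still accepts it, which session the request lands in, and whether the user object is present; the session attribute name "user" is an assumption and should be replaced with whatever the first JSP actually uses.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Diagnostic filter: map it to /* in web.xml and compare the lines written for the
// first JSP and the second JSP in server.log. "requestedIdValid=false" means the
// cookie reached Tomcat but the session it names no longer exists or was replaced;
// "requestedId=null" means the browser sent no JSESSIONID for this path at all.
public class SessionTraceFilter implements Filter {
    private static final String USER_ATTR = "user"; // assumed; use the name the first JSP sets
    private ServletContext ctx;
    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { }
    // Log only a prefix so full session ids do not end up in server.log.
    private static String abbrev(String id) {
        return id == null ? "null" : id.substring(0, Math.min(8, id.length())) + "...";
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        // More than one JSESSIONID cookie means the browser holds ids for different
        // cookie paths (e.g. "/" and "/app") and may present the wrong one.
        int jsessionCookies = 0;
        Cookie[] cookies = r.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("JSESSIONID".equals(c.getName())) jsessionCookies++;
            }
        }
        String requested = r.getRequestedSessionId();   // id the browser sent, or null
        boolean valid = r.isRequestedSessionIdValid();  // does a live session with that id exist?
        HttpSession s = r.getSession(true);             // the session this request will use (JSPs create one anyway)
        ctx.log("session-trace uri=" + r.getRequestURI()
                + " user=" + r.getRemoteUser()
                + " jsessionidCookies=" + jsessionCookies
                + " requestedId=" + abbrev(requested)
                + " requestedIdValid=" + valid
                + " currentId=" + abbrev(s.getId())
                + " sessionIsNew=" + s.isNew()
                + " hasUserObject=" + (s.getAttribute(USER_ATTR) != null));
        chain.doFilter(req, res);
    }
}
```

Register it in the webapp's WEB-INF/web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> is /*, then hit the two JSPs once and read the two session-trace lines side by side.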