
IE9 shares session cookie between two different sessions

 
Maulin Rathod
Greenhorn
Posts: 11
Hi,

We are using session cookies in our application. But sometimes in the IE9 browser, session cookies are sent even when requests are sent from a new browser session.

Here is the scenario.

1) Open an IE9 browser and make a login request. (Here the application sets a session cookie - say CookieA.)
2) Close the browser.
3) Open the IE9 browser and make a login request. (Here it sends CookieA, which was set by the other session.)


Please note that this is not always replicable by performing the above steps. We have confirmed that CookieA is a session cookie.

Any idea why IE9 is sending the session cookie in a new session?

Regards,

Maulin
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13074
(Here the application sets session cookie - Say CookieA).


Are you talking about a HttpSession id cookie as managed by the container or a javax.servlet.http.Cookie created by your application?

If the latter, how is it created? Exact code.

Bill
 
Maulin Rathod
Greenhorn
Posts: 11
Hi Bill,

I am talking about javax.servlet.http.Cookie created by our application.


We are calling the setHTTPOnlyCookie method below to set CookieA.




    // Call site: a maxAge of -1 means no Expires attribute is written (session cookie).
    setHTTPOnlyCookie(getCookieObject("CookieA", "CookieAValue", -1, ".example.com"), response);

    // Imports needed by the methods below.
    import java.text.SimpleDateFormat;
    import java.util.Calendar;
    import java.util.Date;
    import java.util.Locale;
    import java.util.TimeZone;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletResponse;

    /**
     * This method will return an instance of <code>Cookie</code> object based on passed
     * parameters, and also set domain name, cookie path and is cookie secure or not for
     * particular cookie.
     * getCookiePath(...) and isCookieSecure() are helpers that are not shown in this post.
     */
    public static Cookie getCookieObject(String name, String value, int maxAge, String domain) {
        Cookie cookie = new Cookie(name, value);
        cookie.setDomain(domain);
        cookie.setPath(getCookiePath(name));
        cookie.setMaxAge(maxAge);
        if (isCookieSecure()) {
            cookie.setSecure(true);
        }
        return cookie;
    }

    /**
     * This method will add the cookie into response.
     * The detail about cookie will be extracted from passed Cookie object.
     * @param cookie
     * @param response
     * @throws Exception
     * @since 10-06-2010
     */
    public static void setHTTPOnlyCookie(Cookie cookie, HttpServletResponse response) throws Exception {
        // For a persistent cookie the Expires attribute is appended to the value,
        // so it ends up right after name=value in the header string.
        if (cookie.getMaxAge() != -1) {
            cookie.setValue(cookie.getValue() + "; Expires=" + getDateString(cookie.getMaxAge()));
        }
        // The header is written by hand so that the HTTPOnly attribute can be added.
        response.addHeader("Set-Cookie", getCookieConfigString(cookie));
    }

    /**
     * This method use to create the cookie string which will be added into response header.
     * @param cookie
     * @return string of cookie
     * @since 10-06-2010
     */
    private static String getCookieConfigString(Cookie cookie) {
        StringBuilder sb = new StringBuilder();
        sb.append(cookie.getName()).append("=").append(cookie.getValue()).append(";");
        sb.append(" path").append("=").append(cookie.getPath()).append(";");
        if (cookie.getDomain() != null) {
            sb.append(" domain").append("=").append(cookie.getDomain()).append(";");
        }
        // Note: secure is always emitted here, independent of cookie.getSecure().
        sb.append(" secure;");
        sb.append(" HTTPOnly;");
        return sb.toString();
    }

    /**
     * Formats the expiry time (now + maxAge seconds) as a cookie date in GMT.
     * @param maxAge lifetime of the cookie in seconds
     * @return the date string used for the Expires attribute
     */
    private static String getDateString(int maxAge) {
        Calendar calendar = Calendar.getInstance();
        calendar.add(Calendar.SECOND, maxAge);
        Date date = calendar.getTime();
        // Locale.US keeps day and month names in English whatever the server locale is.
        SimpleDateFormat sdf = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss z", Locale.US);
        // "GMT:00" is not a valid time zone ID (it only worked through the GMT fallback).
        TimeZone tz = TimeZone.getTimeZone("GMT");
        sdf.setTimeZone(tz);
        return sdf.format(date);
    }


Please let me know if any further information is required on this.


Regards,

Maulin
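
The post above says CookieA was confirmed to be a session cookie. One way to check that directly from the Set-Cookie header the code emits is sketched below, as an added example that is not part of the thread or the poster's application. The class name SetCookieAudit, the path `/` and the CookieB header are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/** Added example (not the poster's code): classifies a Set-Cookie header value. */
public class SetCookieAudit {

    /** Parses the attributes after the name=value pair into a lower-cased map. */
    static Map<String, String> attributes(String setCookie) {
        Map<String, String> attrs = new LinkedHashMap<>();
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {        // parts[0] is name=value
            String p = parts[i].trim();
            if (p.isEmpty()) continue;                   // tolerate a stray ';'
            int eq = p.indexOf('=');
            String key = (eq < 0 ? p : p.substring(0, eq)).trim().toLowerCase(Locale.ROOT);
            String val = eq < 0 ? "" : p.substring(eq + 1).trim();
            attrs.put(key, val);
        }
        return attrs;
    }

    /** A cookie with neither Expires nor Max-Age is a session cookie. */
    static boolean isSessionCookie(String setCookie) {
        Map<String, String> a = attributes(setCookie);
        return !a.containsKey("expires") && !a.containsKey("max-age");
    }

    /** One-line summary: name, lifetime class, security flags and scope. */
    static String report(String setCookie) {
        Map<String, String> a = attributes(setCookie);
        return String.format("%s | %s | secure=%b httponly=%b domain=%s",
                setCookie.split("=", 2)[0].trim(),
                isSessionCookie(setCookie) ? "session" : "persistent",
                a.containsKey("secure"), a.containsKey("httponly"),
                a.getOrDefault("domain", "(host-only)"));
    }

    public static void main(String[] args) {
        // Constructed sample headers in the shape getCookieConfigString emits.
        String[] samples = {
            "CookieA=CookieAValue; path=/; domain=.example.com; secure; HTTPOnly;",
            "CookieB=v; Expires=Wed, 01-Jan-2031 00:00:00 GMT; path=/; secure; HTTPOnly;"
        };
        for (String s : samples) System.out.println(report(s));
    }
}
```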
 