Jason Christian

since Feb 21, 2011

Recent posts by Jason Christian

We care about the session ID because once authenticated, the authentication is tracked in the session, instead of having to hit the CAS server for every request. With Tomcat creating new sessions, it messes that up.

Come to find out, the issue is that Tomcat was modified to help prevent session fixation attacks. By default, a new session id is created on authentication. This started with 6.0.21 (Context configuration changeSessionIdOnAuthentication).
8 years ago
We are developing an app using Ajax on the client side and Tomcat on the server side. We have run into an issue with Tomcat returning different session ids between requests. We created a simple test app which sends Ajax requests to Tomcat. What we have found is:

1) sending multiple Ajax requests independently of each other to Tomcat results in different session ids, which is to be expected

2011/1/21 10:28:52.757 200 url=test/fetchOne sessionId=C7E2BCF7266EA208FC049F0F4A1848B5
2011/1/21 10:28:52.758 200 url=test/fetchTwo sessionId=B3D17000A4A481DB076547D8217493B6
2011/1/21 10:28:52.758 200 url=test/fetchThree sessionId=98C25FAB42F957A3BECA3C65917CE1B6

2) sending a single Ajax request and then sending the remaining requests after the first one has responded, we get the same session id across requests, which is expected

2011/1/21 10:28:24.470 200 url=test/fetchOne sessionId=A8A221C228367CAA2FE51E15F66210B7
2011/1/21 10:28:27.253 200 url=test/fetchTwo sessionId=A8A221C228367CAA2FE51E15F66210B7
2011/1/21 10:28:27.253 200 url=test/fetchThree sessionId=A8A221C228367CAA2FE51E15F66210B7

3) for both 1) and 2) above, if we add authentication (BASIC, CAS, etc.), initially we get different session ids across the Ajax requests, but eventually Tomcat will return the same session id

2011/1/21 10:29:54.342 200 url=test/fetchOne sessionId=1C8A8255ADAA768E46124484C0C4D197
2011/1/21 10:29:56.597 200 url=test/fetchTwo sessionId=DE3AB5132A3B7F297D6E0CE2CE211C25
2011/1/21 10:29:56.597 200 url=test/fetchThree sessionId=B24A306F2D77A7B2812D6FFD686DC0E2
2011/1/21 10:29:57.813 200 url=test/fetchOne sessionId=2B9F6B5663EB205DA12C162512553831
2011/1/21 10:29:57.820 200 url=test/fetchTwo sessionId=2B9F6B5663EB205DA12C162512553831
2011/1/21 10:29:57.821 200 url=test/fetchThree sessionId=2B9F6B5663EB205DA12C162512553831

This seems to be happening with Tomcat 6.0.24 and up (including 7.0.8). This works as expected with Tomcat 6.0.20. We also tested using Jetty and it works as expected.

Anyone seen this before or have any ideas? Thanks.
8 years ago
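A small Python model of the behaviour both posts describe, added here as an example; it is not Tomcat's session manager or the poster's test app. `SessionManager`, `handle` and the request helpers are names chosen for this illustration, and the `principal` attribute stands in for the authenticated user. It reproduces the three observations (concurrent requests without a cookie, sequential requests, and an authenticated burst) and shows why rotating the id on authentication matters: the pre-authentication id is retired, so it can never be promoted to an authenticated session.

```python
import secrets

class SessionManager:
    """Server-side session store (constructed model, not Tomcat's Manager)."""

    def __init__(self, change_session_id_on_authentication=True):
        self.change_on_auth = change_session_id_on_authentication
        self.sessions = {}  # session id -> attribute dict

    def _new_session(self, attrs=None):
        sid = secrets.token_hex(16).upper()  # same shape as the ids in the logs
        self.sessions[sid] = attrs if attrs is not None else {}
        return sid

    def handle(self, cookie_sid, authenticate=False):
        """Process one request; return the session id the response will carry."""
        # A request with no cookie, or an unknown one, always gets a fresh session.
        sid = cookie_sid if cookie_sid in self.sessions else self._new_session()
        if authenticate and "principal" not in self.sessions[sid]:
            if self.change_on_auth:
                # changeSessionIdOnAuthentication: move the attributes to a new
                # id and retire the old one, so a pre-auth id is never promoted.
                sid = self._new_session(self.sessions.pop(sid))
            self.sessions[sid]["principal"] = "user"
        return sid

def concurrent_requests(mgr, n=3, authenticate=False):
    """Case 1: all requests leave before any response (and its Set-Cookie)
    arrives, so none of them carries a session cookie."""
    return [mgr.handle(None, authenticate) for _ in range(n)]

def sequential_requests(mgr, n=3, cookie=None, authenticate=False):
    """Case 2: each request waits for the previous response and reuses its cookie."""
    ids = []
    for _ in range(n):
        cookie = mgr.handle(cookie, authenticate)
        ids.append(cookie)
    return ids

def authenticated_burst(mgr):
    """Case 3: an initial concurrent burst (each request authenticates and is
    rotated to a new id), then requests that reuse the last cookie and share it."""
    first = concurrent_requests(mgr, authenticate=True)
    later = sequential_requests(mgr, cookie=first[-1], authenticate=True)
    return first, later
```

Constructing `SessionManager(change_session_id_on_authentication=False)` gives the pre-6.0.21 behaviour, where the id survives authentication.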