https://issues.apache.org/bugzilla/show_bug.cgi?id=50633
Konstantin Kolinko <knst.koli...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Konstantin Kolinko <knst.koli...@gmail.com> 2011-01-22 10:18:19 EST ---
> It looks like there is a stale cookie that somehow got reused.

It comes from the request that was cached when you were redirected to the
login form. That is by design.

Note that since 6.0.21 the session id is changed when you successfully pass
authentication. This feature is an implementation for bug 45255 and can be
turned off in configuration.

More details below.

------------------------------------------------

Note: You are missing the following from your reproduction recipe:

1) The following user has to be added to tomcat-users.xml (it is commented
   out by default):

   <user username="tomcat" password="tomcat" roles="tomcat"/>

2) In do.jsp the request.getCookies() call can return null, which results in
   NPE. I replaced the cycle on cookies in do.jsp with the following lines:

   <%
   Cookie[] cookies = request.getCookies();
   if (cookies == null) {
       out.println("No cookies");
   } else {
       for (Cookie cookie : cookies)
           out.println(cookie.getName() + "=" + cookie.getValue() + "<br/>");
   }
   %>

I am using Firefox 3.6.13 + Firebug 1.6.1, looking at the "Network" tab in
Firebug.

Here is what happens at the end of the First round, when clicking on "logout"
link:

--
Request (#1):
GET http://localhost:8080/cookie-bug/logout.jsp
Cookie: JSESSIONID=30D060D22DE3C7F061C0CE5CA54F1B1B
--
Response:
302 Moved Temporarily
Location: http://localhost:8080/cookie-bug/do.jsp
--
Request (#2):
GET http://localhost:8080/cookie-bug/do.jsp
Cookie: JSESSIONID=30D060D22DE3C7F061C0CE5CA54F1B1B
--
Response:
200 OK
Set-Cookie: JSESSIONID=01E55440D4AFC906EEB4B4B7899CD1AF; Path=/cookie-bug
--

The login page is displayed. I am filling in password and submitting the form.

--
Request (#3):
POST http://localhost:8080/cookie-bug/j_security_check
Cookie: JSESSIONID=01E55440D4AFC906EEB4B4B7899CD1AF
--
Response:
302 Moved Temporarily
Location: http://localhost:8080/cookie-bug/do.jsp
--
Request (#4):
GET http://localhost:8080/cookie-bug/do.jsp
Cookie: JSESSIONID=01E55440D4AFC906EEB4B4B7899CD1AF
--
Response:
200 OK
Set-Cookie: JSESSIONID=8050014652FAB01314FC23D2774143BF; Path=/cookie-bug
--

The page displays:

Requested session id: 8050014652FAB01314FC23D2774143BF
Session id: 8050014652FAB01314FC23D2774143BF
Cookies:
JSESSIONID=30D060D22DE3C7F061C0CE5CA54F1B1B

The explanation:

Tomcat caches the request (#2) with all its headers and cookies and replays it
for you when the browser resends the request after successful authentication.
I.e., when (#4) is received you are not seeing it, but you are seeing data
from (#2) instead. So the session id is new, but the cookie is an old one.

I do not see an issue here. I am closing this as INVALID.

Please ask on the users@ list if you have other questions.
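An added audit helper, my own code rather than anything from the report or from Tomcat: given a captured FORM-auth login flow, it reports whether the session id was rotated on authentication (the 6.0.21+ behaviour Konstantin describes) by reading the Set-Cookie headers on the wire, since the page served after login is the replayed pre-login request and what do.jsp prints is the stale Cookie header. The trace, field names and `audit_login_flow` are constructed here from the exchanges in the comment.

```python
import re

LOGIN_ACTION = "j_security_check"
_JSESSIONID = re.compile(r"JSESSIONID=([0-9A-Fa-f]+)")

def session_id(header):
    """JSESSIONID value from a Cookie or Set-Cookie header, or None."""
    m = _JSESSIONID.search(header or "")
    return m.group(1) if m else None

def audit_login_flow(trace):
    """trace: list of {method, url, cookie, set_cookie} dicts in wire order.
    Only Set-Cookie headers after the login POST count as evidence; the id the
    browser presented with that POST is the pre-authentication id."""
    pre_auth_id = post_auth_id = None
    old_id_reissued = False
    seen_login = False
    for ex in trace:
        if not seen_login:
            if ex["method"] != "POST" or not ex["url"].endswith(LOGIN_ACTION):
                continue
            pre_auth_id = session_id(ex.get("cookie"))  # id the browser logged in with
            seen_login = True
        assigned = session_id(ex.get("set_cookie"))     # id handed out after login
        if assigned is None:
            continue
        if assigned == pre_auth_id:
            old_id_reissued = True   # pre-auth id kept alive: session fixation risk
        elif post_auth_id is None:
            post_auth_id = assigned
    return {"pre_auth_id": pre_auth_id, "post_auth_id": post_auth_id,
            "rotated": post_auth_id is not None and post_auth_id != pre_auth_id,
            "old_id_reissued": old_id_reissued}

# Constructed trace mirroring the four exchanges captured in the report.
BASE = "http://localhost:8080/cookie-bug/"
REPORTED_TRACE = [
    {"method": "GET", "url": BASE + "logout.jsp",
     "cookie": "JSESSIONID=30D060D22DE3C7F061C0CE5CA54F1B1B", "set_cookie": None},
    {"method": "GET", "url": BASE + "do.jsp",
     "cookie": "JSESSIONID=30D060D22DE3C7F061C0CE5CA54F1B1B",
     "set_cookie": "JSESSIONID=01E55440D4AFC906EEB4B4B7899CD1AF; Path=/cookie-bug"},
    {"method": "POST", "url": BASE + LOGIN_ACTION,
     "cookie": "JSESSIONID=01E55440D4AFC906EEB4B4B7899CD1AF", "set_cookie": None},
    {"method": "GET", "url": BASE + "do.jsp",
     "cookie": "JSESSIONID=01E55440D4AFC906EEB4B4B7899CD1AF",
     "set_cookie": "JSESSIONID=8050014652FAB01314FC23D2774143BF; Path=/cookie-bug"},
]
```

Running `audit_login_flow(REPORTED_TRACE)` on the captured flow reports `rotated: True`, which is exactly why the old id printed by do.jsp is not a defect; a live capture where `rotated` is False or `old_id_reissued` is True is the case worth investigating.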