https://issues.apache.org/bugzilla/show_bug.cgi?id=54340
--- Comment #1 from Konstantin Kolinko <knst.koli...@gmail.com> ---
1. Tomcat version = ?

I'd guess that you are facing bug 53584, which was fixed in 7.0.30.

> On top of this (and perhaps related to these problems), in the actual web
> application a different session ID is actually printed.

2. As expected. See "changeSessionIdOnAuthentication" in
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html

3. It works for me in 7.0.34

To be sure, I changed the <web-app> element in your web.xml to use version="3.0" and relevant version of the schema, instead of 2.3 that you are using.

A fragment of my access log:

127.0.0.1 - - [21/Dec/2012:20:38:59 +0400] "GET /test-form-auth/protected HTTP/1.1" 200 450
127.0.0.1 - - [21/Dec/2012:20:39:15 +0400] "POST /test-form-auth/j_security_check;jsessionid=38B9A84964A6005AA58ABC5CDA9F6367 HTTP/1.1" 302 -
127.0.0.1 - tomcat [21/Dec/2012:20:39:15 +0400] "GET /test-form-auth/protected HTTP/1.1" 200 59

Tested both with Firefox 17.0.1 and IE 8. Tomcat 7.0.34, BIO connector.

Though there are two bits of a mystery:
------------------
a) Why did the access log print jsessionid in the second request, but not in the third one? Firebug shows that there was jsessionid in the request that Firefox sent.

b) The page that is shown after the test. I tried to refresh it. It worked, but it ended up with 2 jsessionid parameters in the URL (as displayed in the address bar).

Steps to reproduce for b):
1. Go to
http://localhost:8080/test-form-auth/protected;jsessionid=84C65A4F88EFC446C0DADAC649BD53BE
2. Login form is displayed (as expected). Log in.
3. After logging in the test page is displayed (as expected), but somehow the address bar shows 2 jsessionid path parameters in the URL:
http://localhost:8080/test-form-auth/protected;jsessionid=C578A9AAB9E8020B438270DD65DC174C;jsessionid=9DB72687A728F05162C1C3D1B7E94F90

Reproducible both with Firefox 17 and IE 8.
Firebug shows that Location header in the 302 response for the POST request to j_security_check had 2 jsessionid:

Location: http://localhost:8080/test-form-auth/protected;jsessionid=C578A9AAB9E8020B438270DD65DC174C;jsessionid=9DB72687A728F05162C1C3D1B7E94F90

Access log:

127.0.0.1 - - [21/Dec/2012:21:06:31 +0400] "GET /test-form-auth/protected;jsessionid=C578A9AAB9E8020B438270DD65DC174C HTTP/1.1" 200 450
127.0.0.1 - - [21/Dec/2012:21:06:47 +0400] "POST /test-form-auth/j_security_check;jsessionid=9DB72687A728F05162C1C3D1B7E94F90 HTTP/1.1" 302 -
127.0.0.1 - tomcat [21/Dec/2012:21:06:47 +0400] "GET /test-form-auth/protected;jsessionid=C578A9AAB9E8020B438270DD65DC174C HTTP/1.1" 200 59
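
Added example, not part of the comment above and not Tomcat code: a small Python audit of access-log lines in the format shown in the fragments, reporting session IDs exposed as jsessionid path parameters, URLs carrying more than one such parameter, and an ID seen before login that reappears in the URL of an authenticated request. The function names, finding labels and placeholder session IDs are assumptions made for this illustration.

```python
import re

# Entry layout as in the log fragments above: host, ident, user, [time], "request", status.
ENTRY_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A path parameter runs until the next ';', '/', '?' or '#'.
JSESSIONID_RE = re.compile(r';jsessionid=([^;/?#\s]+)', re.IGNORECASE)


def jsessionids(url):
    """Return all jsessionid path parameters of a request target or URL, in order."""
    path = re.split(r'[?#]', url, maxsplit=1)[0]  # ignore query string and fragment
    return JSESSIONID_RE.findall(path)


def audit(lines):
    """Return (line_no, finding, ids) tuples for session IDs exposed in logged URLs."""
    findings = []
    pre_login = {}  # host -> IDs seen in URLs of unauthenticated requests
    for no, line in enumerate(lines, 1):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ids = jsessionids(m.group('target'))
        if not ids:
            continue
        findings.append((no, 'id-in-url', ids))
        if len(ids) > 1:
            findings.append((no, 'duplicate-parameter', ids))
        seen = pre_login.setdefault(m.group('host'), set())
        if m.group('user') == '-':
            seen.update(ids)  # user field '-' means no authenticated user
        else:
            reused = [i for i in ids if i in seen]
            if reused:
                findings.append((no, 'pre-login-id-after-login', reused))
    return findings


# Constructed sample: placeholder IDs, same shape as the second log fragment.
SAMPLE = [
    '127.0.0.1 - - [21/Dec/2012:21:06:31 +0400] "GET /test-form-auth/protected;jsessionid=AAAA1111 HTTP/1.1" 200 450',
    '127.0.0.1 - - [21/Dec/2012:21:06:47 +0400] "POST /test-form-auth/j_security_check;jsessionid=BBBB2222 HTTP/1.1" 302 -',
    '127.0.0.1 - tomcat [21/Dec/2012:21:06:47 +0400] "GET /test-form-auth/protected;jsessionid=AAAA1111 HTTP/1.1" 200 59',
]

if __name__ == '__main__':
    for finding in audit(SAMPLE):
        print(finding)
```

`jsessionids()` also accepts a full URL such as the value of a Location header, so the same check applies to redirect targets captured in a proxy or browser trace.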