[jboss-jira] [JBoss JIRA] Commented: (JBAS-4235) Session ID lost over "secure" connector

Sergey Zhukov (JIRA) jira-events at lists.jboss.org
Fri Mar 23 11:21:34 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBAS-4235?page=comments#action_12357156 ] 
            
Sergey Zhukov commented on JBAS-4235:
-------------------------------------

I'm sorry, this behavior is by design.
If I make a real HTTPS connection through Apache+mod_jk, everything works OK too.
Reason:
The session ID is stored in the client's cookie with the "secure" property if the Connector is configured with secure="true".
But if I make just an http:// request, the browser doesn't send secure cookies back to the server. So the server loses the session on every new request.


> Session ID lost over "secure" connector
> ---------------------------------------
>
>                 Key: JBAS-4235
>                 URL: http://jira.jboss.com/jira/browse/JBAS-4235
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Clustering, Web (Tomcat) service
>    Affects Versions: JBossAS-4.0.5.GA, JBossAS-4.0.3 SP1
>            Reporter: Sergey Zhukov
>         Assigned To: Brian Stansberry
>
> I'm using an AJP or HTTP connector with the secure="true" attribute in a JBoss cluster environment.
> On every browser request, my JSP code got a new session ID (session.getId()).
> It also affects load balancing with sticky sessions, because every new request goes to another node.
> Try it with a simple index.jsp:
> <%= session.getId() %>
> Deploy it as a farm application, open it in a browser and click refresh several times.
> You'll see a new ID every time.
> I've tried this with JBoss 4.0.5 with configuration: 'all'.
> NOTE: without secure="true" everything works OK.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
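
The behaviour described in the comment above, reproduced as an added example that is not part of the original message or of JBoss. Python's http.cookiejar stands in for the browser; the host name, the session ID value and the FakeResponse helper are constructed for illustration.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

# Constructed sample headers: what a connector with and without
# secure="true" would hand to the client for the session cookie.
SECURE_COOKIE = "JSESSIONID=ABC123; Path=/; Secure"
PLAIN_COOKIE = "JSESSIONID=ABC123; Path=/"


class FakeResponse:
    """Minimal response object exposing only the Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_back(set_cookie, first_url, next_url):
    """Return the Cookie header the client attaches to next_url after
    receiving set_cookie in the response to first_url (None if none)."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(first_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    http_url = "http://app.example.test/index.jsp"    # hypothetical host
    https_url = "https://app.example.test/index.jsp"
    cases = [
        ("Secure cookie, plain HTTP", SECURE_COOKIE, http_url),
        ("Secure cookie, HTTPS", SECURE_COOKIE, https_url),
        ("non-Secure cookie, plain HTTP", PLAIN_COOKIE, http_url),
    ]
    for label, header, url in cases:
        # None means the session ID is withheld, so the server sees a new session.
        print(f"{label}: Cookie = {cookie_sent_back(header, url, url)!r}")
```

A follow-up request that carries no Cookie header is what makes session.getId() return a fresh ID on every refresh and defeats sticky-session routing.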

        


