Hello Tomcat experts, I am looking at going from Tomcat 6 to 7 on Linux
and ran into a strange issue. I cannot get an http session to "stick"
when using Internet Explorer. A new session gets created every time you
load the test page in IE only. I have verified this issue on IE 6, IE
8, and IE9 beta. Chrome and Firefox work as expected. I am just trying
to get a session to stick, but in IE it creates a new one for each
request. This does NOT happen when running Tomcat 7 on Windows. Thanks
very much for your help!
My test code is just
<h3>Session ID =<%=request.getSession().getId()%></h3>
Test URL (broken) on Tomcat 7:
http://www.tigernet.com:8180/t/test/sessiontest.jsp
Test URL (working) on Tomcat 6
http://www.tigernet.com/t/test/sessiontest.jsp
Old Bug possibly related?
https://issues.apache.org/bugzilla/show_bug.cgi?id=49525
--Brian.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
[Tomcat-users] Unable to store a session with Tomcat 7 linux and Internet Explorer
-
Christopher Schultz at Feb 4, 2011 at 10:22 pm
Brian,

On 2/4/2011 5:02 PM, Brian Cross wrote:
> Test URL (broken) on Tomcat 7:
> http://www.tigernet.com:8180/t/test/sessiontest.jsp
> Test URL (working) on Tomcat 6
> http://www.tigernet.com/t/test/sessiontest.jsp

Simple initial observations show that the cookie returned by Tomcat 7
has the "Version:1" and "HttpOnly" options set.

> Old Bug possibly related?
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49525

Looks related -- at least the original post.

I wonder which options trip up MSIE. Can you do some tests with cookies
explicitly setting the version and httponly options and see which ones
make MSIE choke?

-chris
-
Caldarale, Charles R at Feb 4, 2011 at 10:36 pm
> From: Christopher Schultz
> Subject: Re: Unable to store a session with Tomcat 7 linux and Internet Explorer

> Simple initial observations show that the cookie returned by Tomcat 7
> has the "Version:1" and "HttpOnly" options set.

So a few quick things to try:

1) Set the useHttpOnly attribute to false in the <Context> of interest.
2) Set the system property org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0 to false.
3) Set the system property org.apache.tomcat.util.http.ServerCookie.ALLOW_NAME_ONLY to false (which is actually the default).

Also, if org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to true, try turning it off.

- Chuck
-
Mark Thomas at Feb 4, 2011 at 10:35 pm
On 04/02/2011 22:02, Brian Cross wrote:
> Hello Tomcat experts, I am looking at going from Tomcat 6 to 7 on Linux
> and ran into a strange issue. I cannot get an http session to "stick"
> when using Internet Explorer. A new session gets created every time you
> load the test page in IE only. I have verified this issue on IE 6, IE
> 8, and IE9 beta. Chrome and Firefox work as expected. I am just trying
> to get a session to stick, but in IE it creates a new one for each
> request. This does NOT happen when running Tomcat 7 on Windows. Thanks
> very much for your help!
> My test code is just
> <h3>Session ID =<%=request.getSession().getId()%></h3>
> Test URL (broken) on Tomcat 7:
> http://www.tigernet.com:8180/t/test/sessiontest.jsp
> Test URL (working) on Tomcat 6
> http://www.tigernet.com/t/test/sessiontest.jsp
> Old Bug possibly related?
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49525

Sort of.

Tomcat 7 is stricter in enforcing various specifications including the
cookie specification which states that / is not allowed in a cookie
value unquoted. Unfortunately / gets used a lot in cookies in the path
and if correctly quoted - i.e. path="/..." - IE chokes. Not exactly a
surprise considering just how badly IE adheres to the cookie specs. To
avoid exactly the issue you are seeing, Tomcat 7 does not enforce this
part of the specification by default.

I suggest a careful read of the following Tomcat 7 docs
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html with
particular reference to
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR and
org.apache.catalina.STRICT_SERVLET_COMPLIANCE. My guess is that you
have set one or other of these to true.

I usually run Tomcat with the following:
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false

Mark
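
Added example, not part of the thread or of Tomcat's code: a small Python check for the cookie shape Mark describes (a quoted Path alongside Version=1) that also confirms HttpOnly is still set once the properties are changed. The header strings, function names and finding labels are constructed for illustration.

```python
import re

# Constructed Set-Cookie values (not captured from the servers in this thread).
# STRICT has the shape described above: Version=1 with a quoted Path.
STRICT = 'JSESSIONID=0123456789ABCDEF; Version=1; Path="/t"; HttpOnly'
RELAXED = 'JSESSIONID=0123456789ABCDEF; Path=/t; HttpOnly'
NO_HTTPONLY = 'JSESSIONID=0123456789ABCDEF; Path=/t'


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, attrs).

    Quoted strings are kept intact, so a ';' inside quotes does not split.
    """
    parts = [p.strip() for p in re.findall(r'(?:[^;"]|"[^"]*")+', value)]
    parts = [p for p in parts if p]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a name=value cookie")
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name, val, attrs


def audit_session_cookie(value):
    """Return a list of findings for one Set-Cookie value (empty list = ok)."""
    _, _, attrs = parse_set_cookie(value)
    findings = []
    path = attrs.get("path", "")
    if len(path) >= 2 and path.startswith('"') and path.endswith('"'):
        findings.append("quoted-path")        # the form IE fails to match
    if "version" in attrs:
        findings.append("version-attribute")  # cookie was sent as version 1
    if "httponly" not in attrs:
        findings.append("missing-httponly")   # script-readable session id
    return findings


if __name__ == "__main__":
    for label, header in (("strict", STRICT), ("relaxed", RELAXED),
                          ("no-httponly", NO_HTTPONLY)):
        print(f"{label:12} {audit_session_cookie(header) or 'ok'}")
```
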
-
Brian Cross at Feb 5, 2011 at 1:34 am
Thanks very much Chris, Chuck, and Mark. I did indeed have
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
I remember setting that a long time ago to fix a problem, but I can't remember what it was.
I added org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
as Mark suggested, and that fixed it right up. Thanks again.
--Brian.
-
Christopher Schultz at Feb 8, 2011 at 6:07 pm
Brian,

On 2/4/2011 8:33 PM, Brian Cross wrote:
> Thanks very much Chris, Chuck, and Mark. I did indeed have
> org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
> I remember setting that a long time ago to fix a problem, but I can't
> remember what it was.
>
> I added
> org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
> as Mark suggested, and that fixed it right up. Thanks again.

So, correct me if I'm wrong, but setting STRICT_SERVLET_COMPLIANCE=true
makes sessions break in all versions of MSIE. Do I have that right?

If that's the case, we might want to have a warning about it near the
explanation of what that flag does. The docs for FWD_SLASH_IS_SEPARATOR
*do* say something, but I think it's worth adding to the docs for
STRICT_SERVLET_COMPLIANCE.

Thanks,
-chris
-
Mark Thomas at Feb 8, 2011 at 7:52 pm
On 08/02/2011 18:06, Christopher Schultz wrote:
> Brian,
>
> On 2/4/2011 8:33 PM, Brian Cross wrote:
>> Thanks very much Chris, Chuck, and Mark. I did indeed have
>> org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
>> I remember setting that a long time ago to fix a problem, but I can't
>> remember what it was.
>>
>> I added
>> org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
>> as Mark suggested, and that fixed it right up. Thanks again.
>
> So, correct me if I'm wrong, but setting STRICT_SERVLET_COMPLIANCE=true
> makes sessions break in all versions of MSIE. Do I have that right?

As far as I am aware, yes.

> If that's the case, we might want to have a warning about it near the
> explanation of what that flag does. The docs for FWD_SLASH_IS_SEPARATOR
> *do* say something, but I think it's worth adding to the docs for
> STRICT_SERVLET_COMPLIANCE.

Did you read the docs? It already does say that.

And before you say you were looking at the Tomcat 6 docs, the above
discussion only applies to Tomcat 7.

Finally, you are a committer and all the docs are commit-then-review. If
you have improvements just commit them.

Mark
-
Christopher Schultz at Feb 8, 2011 at 8:51 pm
Mark,

On 2/8/2011 2:51 PM, Mark Thomas wrote:
> Finally, you are a committer and all the docs are commit-then-review. If
> you have improvements just commit them.

Yes, but I find it makes sense to discuss these things before just doing
them. CTR is only so useful :)

-chris
Discussion Overview
| group | users |
| categories | tomcat |
| posted | Feb 4, '11 at 10:03p |
| active | Feb 8, '11 at 8:51p |
| posts | 8 |
| users | 4 |
| website | tomcat.apache.org |
| irc | #tomcat |
