[Tomcat-users] Unable to store a session with Tomcat 7 linux and Internet Explorer

Brian Cross
Feb 4, 2011 at 10:03 pm
Hello Tomcat experts, I am looking at going from Tomcat 6 to 7 on Linux
and ran into a strange issue. I cannot get an http session to "stick"
when using Internet Explorer. A new session gets created every time you
load the test page in IE only. I have verified this issue on IE 6, IE
8, and IE9 beta. Chrome and Firefox work as expected. I am just trying
to get a session to stick, but in IE it creates a new one for each
request. This does NOT happen when running Tomcat 7 on Windows. Thanks
very much for your help!

My test code is just <h3>Session ID =<%=request.getSession().getId()%></h3>

Test URL (broken) on Tomcat 7:
http://www.tigernet.com:8180/t/test/sessiontest.jsp

Test URL (working) on Tomcat 6
http://www.tigernet.com/t/test/sessiontest.jsp

Old Bug possibly related?
https://issues.apache.org/bugzilla/show_bug.cgi?id=49525

--Brian.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

7 responses

  • Christopher Schultz at Feb 4, 2011 at 10:22 pm
    Brian,
    On 2/4/2011 5:02 PM, Brian Cross wrote:
    > Test URL (broken) on Tomcat 7:
    > http://www.tigernet.com:8180/t/test/sessiontest.jsp
    >
    > Test URL (working) on Tomcat 6
    > http://www.tigernet.com/t/test/sessiontest.jsp

    Simple initial observations show that the cookie returned by Tomcat 7
    has the "Version:1" and "HttpOnly" options set.
    Looks related -- at least the original post.

    I wonder which option trips up MSIE. Can you do some tests with cookies
    explicitly setting the version and httponly options and see which ones
    make MSIE choke?

    -chris
  • Caldarale, Charles R at Feb 4, 2011 at 10:36 pm

    > From: Christopher Schultz
    > Subject: Re: Unable to store a session with Tomcat 7 linux and Internet Explorer
    >
    > Simple initial observations show that the cookie returned by Tomcat 7
    > has the "Version:1" and "HttpOnly" options set.

    So a few quick things to try:

    1) Set the useHttpOnly attribute to false in the <Context> of interest.

    2) Set the system property org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0 to false.

    3) Set the system property org.apache.tomcat.util.http.ServerCookie.ALLOW_NAME_ONLY to false (which is actually the default).

    Also, if org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to true, try turning it off.

    - Chuck


  • Mark Thomas at Feb 4, 2011 at 10:35 pm

    On 04/02/2011 22:02, Brian Cross wrote:
    > Hello Tomcat experts, I am looking at going from Tomcat 6 to 7 on Linux
    > and ran into a strange issue. I cannot get an http session to "stick"
    > when using Internet Explorer. A new session gets created every time you
    > load the test page in IE only. I have verified this issue on IE 6, IE
    > 8, and IE9 beta. Chrome and Firefox work as expected. I am just trying
    > to get a session to stick, but in IE it creates a new one for each
    > request. This does NOT happen when running Tomcat 7 on Windows. Thanks
    > very much for your help!
    >
    > My test code is just <h3>Session ID =<%=request.getSession().getId()%></h3>
    >
    > Test URL (broken) on Tomcat 7:
    > http://www.tigernet.com:8180/t/test/sessiontest.jsp
    >
    > Test URL (working) on Tomcat 6
    > http://www.tigernet.com/t/test/sessiontest.jsp
    >
    > Old Bug possibly related?
    > https://issues.apache.org/bugzilla/show_bug.cgi?id=49525

    Sort of.

    Tomcat 7 is stricter in enforcing various specifications including the
    cookie specification which states that / is not allowed in a cookie
    value unquoted. Unfortunately / gets used a lot in cookies in the path
    and if correctly quoted - i.e. path="/..." - IE chokes. Not exactly a
    surprise considering just how badly IE adheres to the cookie specs. To
    avoid exactly the issue you are seeing, Tomcat 7 does not enforce this
    part of the specification by default.

    I suggest a careful read of the following Tomcat 7 docs
    http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html with
    particular reference to
    org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR and
    org.apache.catalina.STRICT_SERVLET_COMPLIANCE. My guess is that you
    have set one or other of these to true.

    I usually run Tomcat with the following:
    org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
    org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false

    Mark
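
Added example, not part of the original thread or of Tomcat: a small Python check for the cookie attributes the replies above point to (Version, HttpOnly and a quoted Path), suited to the header comparison Chris asked for. The two sample headers are constructed, and the function names are this example's own.

```python
# Added example: audit Set-Cookie headers for the attributes discussed in the thread.

def split_attrs(header):
    """Split a Set-Cookie value on ';', ignoring ';' inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def audit(header):
    """Report the attributes the thread singles out, keeping the raw quoting."""
    parts = split_attrs(header)
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes such as HttpOnly carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if sep else True
    path = attrs.get("path")
    quoted = isinstance(path, str) and len(path) >= 2 and path[0] == path[-1] == '"'
    return {
        "name": name,
        "path": path,
        "quoted_path": quoted,  # the path="/..." form Mark says IE chokes on
        "version": attrs.get("version"),
        "httponly": "httponly" in attrs,
    }


# Constructed sample headers (not captured from the poster's server).
STRICT_HEADER = 'JSESSIONID=0123456789ABCDEF; Version=1; Path="/t"; HttpOnly'
DEFAULT_HEADER = "JSESSIONID=0123456789ABCDEF; Path=/t; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("strict", STRICT_HEADER), ("default", DEFAULT_HEADER)):
        print(label, audit(hdr))
```

Feeding it the real Set-Cookie header before and after changing one system property shows which attribute that property altered, and whether HttpOnly is still being sent.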

  • Brian Cross at Feb 5, 2011 at 1:34 am
    Thanks very much Chris, Chuck, and Mark. I did indeed have
    org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
    I remember setting that a long time ago to fix a problem, but I can't remember what it was.

    I added org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
    as Mark suggested, and that fixed it right up. Thanks again.

    --Brian.
  • Christopher Schultz at Feb 8, 2011 at 6:07 pm
    Brian,
    On 2/4/2011 8:33 PM, Brian Cross wrote:
    > Thanks very much Chris, Chuck, and Mark. I did indeed have
    > org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
    >
    > I remember setting that a long time ago to fix a problem, but I can't
    > remember what it was.
    >
    > I added
    > org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
    > as Mark suggested, and that fixed it right up. Thanks again.

    So, correct me if I'm wrong, but setting STRICT_SERVLET_COMPLIANCE=true
    makes sessions break in all versions of MSIE. Do I have that right?

    If that's the case, we might want to have a warning about it near the
    explanation of what that flag does. The docs for FWD_SLASH_IS_SEPARATOR
    *do* say something, but I think it's worth adding to the docs for
    STRICT_SERVLET_COMPLIANCE.

    Thanks,
    -chris
  • Mark Thomas at Feb 8, 2011 at 7:52 pm

    On 08/02/2011 18:06, Christopher Schultz wrote:
    > Brian,
    > On 2/4/2011 8:33 PM, Brian Cross wrote:
    >> Thanks very much Chris, Chuck, and Mark. I did indeed have
    >> org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
    >> I remember setting that a long time ago to fix a problem, but I can't
    >> remember what it was.
    >> I added
    >> org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false
    >> as Mark suggested, and that fixed it right up. Thanks again.
    > So, correct me if I'm wrong, but setting STRICT_SERVLET_COMPLIANCE=true
    > makes sessions break in all versions of MSIE. Do I have that right?

    As far as I am aware, yes.

    > If that's the case, we might want to have a warning about it near the
    > explanation of what that flag does. The docs for FWD_SLASH_IS_SEPARATOR
    > *do* say something, but I think it's worth adding to the docs for
    > STRICT_SERVLET_COMPLIANCE.

    Did you read the docs? It already does say that.

    And before you say you were looking at the Tomcat 6 docs, the above
    discussion only applies to Tomcat 7.

    Finally, you are a committer and all the docs are commit-then-review. If
    you have improvements just commit them.

    Mark



  • Christopher Schultz at Feb 8, 2011 at 8:51 pm
    Mark,
    On 2/8/2011 2:51 PM, Mark Thomas wrote:
    > Finally, you are committer and all the docs are commit-then-review. If
    > you have improvements just commit them.

    Yes, but I find it makes sense to discuss these things before just doing
    them. CTR is only so useful :)

    -chris
