Too many sessions created when running HTTPS port on AIX/Jetty

Too many sessions created when running HTTPS port on AIX/Jetty

Tom Cates-2
I'm running an HTTPS port using Jetty 5.1.3 on AIX 5.3.  Up until now when running my webapp on Windows or Solaris machines, my session tracking and use of session objects was working fine.  And this configuration works fine when using HTTP ports.

What seems to happen in the secured port situation is that new sessions are created every time I call request.getSession(), which results in a new session being used by every servlet/JSP and my session objects that I had stored are no longer available when they should be.

Does anyone know anything else I can try to do in this situation to determine the cause of this?  Could the HTTPS protocol be throwing off the session-tracking capabilities of Jetty?  I should note that running an HTTPS port on Windows or Solaris works fine as well.

Any help/suggestions/ideas would be greatly appreciated..

thanks,
Tom


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
jetty-discuss mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-discuss
Re: Too many sessions created when running HTTPS port on AIX/Jetty

Chris Haynes
Is your session-tracking done by Cookies or by URL re-writing?

If I understand you right, HTTP & HTTPS both work OK on both Windows and Solaris,
HTTP on AIX works OK, but something goes wrong with HTTPS on AIX.

My money would be on the problem being something to do with the Session Cookies.
Have you turned up the trace level and looked for differences?

Chris Haynes

RE: Too many sessions created when running HTTPS port on AIX/Jetty

Tom Cates-2
In reply to this post by Tom Cates-2
My session tracking is done by cookies, and come to think of it I did notice that request.getCookies() returned null in this situation.  Yes, something is only wrong with HTTPS on AIX.

Could you advise how to turn up the trace level that you refer to?

thanks,
Tom

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]]On Behalf Of Chris
Haynes
Sent: Friday, August 12, 2005 4:58 AM
To: [hidden email]
Subject: Re: [jetty-discuss] Too many sessions created when running
HTTPS port on AIX/Jetty


Is your session-tracking done by Cookies or by URL re-writing?

If I understand you right, HTTP & HTTPS both work OK on both Windows and Solaris,
HTTP on AIX works OK, but something goes wrong with HTTPS on AIX.

My money would be on the problem being something to do with the Session Cookies.
Have you turned up the trace level and looked for differences?

Chris Haynes

RE: Too many sessions created when running HTTPS port on AIX/Jetty

Tom Cates-2
In reply to this post by Tom Cates-2

I've turned on the RequestLog, but that doesn't seem to tell me much.

Is there any way to turn on tracing that doesn't involve changing how I start Jetty?  All the startup params are built into an executable service/file that will be a drag to have to build/deploy for AIX - if there's another way, I'd rather do it.

Anyone have any idea why this particular configuration - HTTPS on AIX - would hose my cookies?


Re: Too many sessions created when running HTTPS port on AIX/Jetty

Chris Haynes
It's the console log you need. I don't know of any method other than changing
the command line string. I haven't checked, but it is possible that there is an
API somewhere for it - suggest you check the javadocs.

Alternatives: if it were not HTTPS that was involved I'd suggest a
packet-sniffer.... sigh.

Surely you only need a simple test program - a servlet of a dozen lines or so,
to look at what is happening to the cookie.

As to why... are there any (reverse-) proxies involved, or anything else that
might cause a difference between the domain set in the cookie and the domain the
client thinks it is sending to?

Check also the 'path' setting.  Look for any differences in the overall system
configs other than the change in OS.

HTH

Chris Haynes

RE: Too many sessions created when running HTTPS port on AIX/Jetty

Tom Cates-2
In reply to this post by Tom Cates-2
Thanks, I appreciate the reply and the ideas...

I just recently discovered the reason for the problem.  In a servlet that redirects requests to either HTTP or HTTPS ports, I was using 'java.net.InetAddress.getLocalHost().getHostName()' to construct the HTTPS URL.  This led to a fully qualified server name, which was different from the originating URL.  And so my cookies/sessions got hosed.

I changed the call to request.getServerName() and everything's fine.

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]]On Behalf Of Chris
Haynes
Sent: Friday, August 12, 2005 12:47 PM
To: [hidden email]
Subject: Re: [jetty-discuss] Too many sessions created when running
HTTPS port on AIX/Jetty


It's the console log you need. I don't know of any method other than changing
the command line string. I haven't checked, but it is possible that there is an
API somewhere for it - suggest you check the javadocs.

Alternatives: if it were not HTTPS that was involved I'd suggest a
packet-sniffer.... sigh.

Surely you only need a simple test program - a servlet of a dozen lines or so,
to look at what is happening to the cookie.

As to why... are there any (reverse-) proxies involved, or anything else that
might cause a difference between the domain set in the cookie and the domain the
client thinks it is sending to?

Check also the 'path' setting.  Look for any differences in the overall system
configs other than the change in OS.

HTH

Chris Haynes
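
Added example, not part of the original thread or of Jetty: a plain-Java model of why the session cookie was withheld after the redirect described in the last message, and why building the redirect from the request's own host name fixes it. The host names, port, path and session id are constructed, and the cookie jar is a simplified stand-in for a browser's host-only cookie matching.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

/** Added illustration of host-only cookie scoping across a redirect. Host names are constructed. */
public class HostOnlyCookieDemo {

    /** Minimal client-side jar: a cookie set without a Domain attribute is host-only (RFC 6265). */
    static final class CookieJar {
        private final Map<String, String> sessionIdByHost = new HashMap<>();

        void store(String responseHost, String sessionId) {
            sessionIdByHost.put(responseHost.toLowerCase(Locale.ROOT), sessionId);
        }

        /** Session id the client would send to requestHost, or null when no cookie matches. */
        String cookieFor(String requestHost) {
            return sessionIdByHost.get(requestHost.toLowerCase(Locale.ROOT));
        }
    }

    /** HTTPS redirect target built from whichever host name the servlet chose. */
    static String httpsUrl(String host, int port, String path) {
        return "https://" + host + ":" + port + path;
    }

    /** True if the session cookie issued by originHost is presented to redirectHost. */
    static boolean sessionSurvives(String originHost, String redirectHost) {
        CookieJar jar = new CookieJar();
        jar.store(originHost, "constructed-session-id"); // Set-Cookie on the first response
        // Cookies are not scoped by port, so moving from the HTTP port to the HTTPS
        // port is harmless on its own; only the host comparison decides the outcome.
        return jar.cookieFor(redirectHost) != null;
    }

    public static void main(String[] args) {
        String typedHost = "appserver";                 // constructed: host in the client's URL,
                                                        // i.e. what request.getServerName() returns
        String localHostName = "appserver.example.com"; // constructed: a fully qualified name such as
                                                        // InetAddress.getLocalHost().getHostName() may return
        report(typedHost, localHostName); // before the fix: cookie withheld, new session each time
        report(typedHost, typedHost);     // after the fix: cookie sent, session reused
    }

    static void report(String originHost, String redirectHost) {
        System.out.println(httpsUrl(redirectHost, 8443, "/app/secure")
                + " -> session cookie sent: " + sessionSurvives(originHost, redirectHost));
    }
}
```

Because the value returned by request.getServerName() comes from the incoming request, a deployment would normally compare it with the host names it expects to serve before placing it in a redirect URL.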