Bug 44216 - Don't reuse session ID even if emptySessionPath=true
Summary: Don't reuse session ID even if emptySessionPath=true
Status: RESOLVED WONTFIX
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: unspecified
Hardware: Other
Importance: P2 enhancement (2 votes)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2008-01-11 17:43 UTC by Nahor
Modified: 2015-02-05 10:04 UTC
Description Nahor 2008-01-11 17:43:22 UTC
Context:
- I want my webapp to use "nice" URLs for a user's homepage (e.g.
"http://server/user") which are then redirected server side to the real URL (e.g.
"http://server/servlet/home?user=user"). This requires using "emptySessionPath".
- I'm using a load-balancer with two Tomcat servers (say T1 and T2) with sticky
sessions (xxx.t1, yyy.t2, ...).
- Because some HTTP clients don't support cookies or are started by another HTTP
client (e.g. progressive video download in Media Player started by clicking a
link in Firefox), some links have the session id in the URL (e.g.
http://server/servlet/stream/yyy.t2/music.mp3).

Broken case:
- The user navigates to the website and gets the session "yyy.t2" from T2.
- He then bookmarks a URL with the session id in it, like the one above.
- The next day, he navigates to the website again and gets the session "xxx.t1"
from T1.
- He then selects the bookmarked URL.
=> The request is redirected to T2. The session is invalid so a new one is
created. But because of the cookie, the session id is "xxx.t1".

So now we have a session created on T2 with a jvmRoute t1. So the following
requests will be sent to T1 instead of T2 with an inconsistent (or even expired)
session.

There should be two independent options:
- emptySessionPath which only changes the path of the session cookie but nothing else
- reuseSessionID which will reuse the session id from the cookie if available
Comment 1 Mark Thomas 2011-12-20 20:36:23 UTC
This Tomcat 5 enhancement request has been moved to Tomcat 7 (the latest version) since Tomcat 5 development is limited and focussed on bugs and security issues whereas Tomcat 7 is still seeing new feature development.
Comment 2 Mark Thomas 2015-02-05 10:04:25 UTC
Coming back to this after far too long.

If this request were implemented I don't believe the problem would be solved or, at least, a new one would be created. Reviewing the broken case assuming the requested option was available and enabled:
- The user navigates to the website and gets the session "yyy.t2" from T2.
- He then bookmarks a URL with the session id in it, like the one above.
- The next day, he navigates to the website again and gets the session "xxx.t1"
from T1.
- He then selects the bookmarked URL.
=> The request is redirected to T2. The session is invalid so a new one is
created, zzz.t2. This overwrites yyy.t2 created at step 1. Any information associated with session yyy.t2 is now lost.

The way to fix this would be to fix the load-balancer so that the node information from the cookie session ID takes precedence over the node information in the URL session ID.
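As an added illustration of the load-balancer rule proposed in Comment 2 (the jvmRoute from the cookie session ID takes precedence over the jvmRoute from the URL session ID), applied to the broken case from the description: this is example code written for this page, not code from the bug report, from Tomcat, or from any particular balancer. It assumes a two-node cluster map NODES, the standard Tomcat cookie name JSESSIONID and ";jsessionid=" URL-rewriting form (the report uses a custom path segment instead), the usual "<hex>.<jvmRoute>" session ID layout, and a fixed fallback node in place of the balancer's normal round-robin choice. Session IDs that are not well-formed or name an unknown route are ignored for routing, so a client cannot steer a request with a crafted ID.

```python
import re
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit

# Constructed cluster for this example: jvmRoute suffix -> backend address.
NODES = {"t1": "10.0.0.1:8080", "t2": "10.0.0.2:8080"}

# Tomcat session ID: hex session part plus an optional ".<jvmRoute>" suffix.
# Anything else (path characters, markup, unknown routes) counts as "no route".
SESSION_ID_RE = re.compile(r"^[0-9A-Fa-f]+(?:\.(?P<route>[A-Za-z0-9_-]+))?$")


def route_from_session_id(session_id):
    """Return the jvmRoute of a Tomcat session ID, or None if malformed/unknown."""
    m = SESSION_ID_RE.match(session_id or "")
    if m is None:
        return None
    route = m.group("route")
    return route if route in NODES else None


def route_from_cookie(cookie_header):
    """jvmRoute carried by the JSESSIONID cookie, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get("JSESSIONID")
    return route_from_session_id(morsel.value) if morsel else None


def route_from_url(url):
    """jvmRoute carried by a ';jsessionid=...' path parameter, or None."""
    for segment in urlsplit(url).path.split("/"):
        _, sep, params = segment.partition(";")
        if not sep:
            continue
        for param in params.split(";"):
            name, _, value = param.partition("=")
            if name.lower() == "jsessionid":
                return route_from_session_id(value)
    return None


def pick_backend(url, cookie_header, fallback="t1"):
    """Corrected rule: the cookie's route beats the URL's route. The fixed
    fallback is an assumption standing in for round-robin selection."""
    route = route_from_cookie(cookie_header) or route_from_url(url) or fallback
    return route, NODES[route]


def pick_backend_url_first(url, cookie_header, fallback="t1"):
    """The ordering that produces the reported bug: URL route beats cookie route."""
    route = route_from_url(url) or route_from_cookie(cookie_header) or fallback
    return route, NODES[route]


def broken_case():
    """The report's scenario: fresh cookie from T1, old bookmark pointing at T2.
    Constructed sample request data."""
    cookie = "JSESSIONID=0123456789ABCDEF.t1"
    url = "http://server/servlet/stream/music.mp3;jsessionid=FEDCBA9876543210.t2"
    return {"url_first": pick_backend_url_first(url, cookie)[0],
            "cookie_first": pick_backend(url, cookie)[0]}


if __name__ == "__main__":
    print(broken_case())  # {'url_first': 't2', 'cookie_first': 't1'}
```

With the URL-first ordering the bookmarked request lands on T2, where the bookmarked session no longer exists and a new session is minted while the browser keeps presenting its T1 cookie; with the cookie-first ordering it stays on T1, where the live session is, and the stale route in the URL is simply ignored.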