Bug 50633 - Stale cookie value obtained with getCookies() after login/logout/login
Summary: Stale cookie value obtained with getCookies() after login/logout/login
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 6.0.30
Hardware: Macintosh All
: P2 normal (vote)
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-21 22:06 UTC by Erik Bruchez
Modified: 2011-01-22 16:51 UTC (History)
1 user (show)



Attachments
WAR to reproduce the issue (1.39 KB, application/octet-stream)
2011-01-21 22:06 UTC, Erik Bruchez
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Erik Bruchez 2011-01-21 22:06:43 UTC
Created attachment 26532 [details]
WAR to reproduce the issue

I attach a simple WAR file to illustrate this. To reproduce, follow these steps. Obviously the cookie ids etc. will be different for you.

- deploy attached cookie-bug.war
- delete JSESSIONID browser cookie for localhost

First round:

- go to http://localhost:8080/cookie-bug/do.jsp
  - no Cookie header is sent by the browser
  - Tomcat forwards to login.jsp
  - Set-Cookie:JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234; Path=/cookie-bug
- enter "tomcat" as password and press Login
- this POSTs to j_security_check
  - Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
- do.jsp: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
  - Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
  - JSP displays
    - requested: 8E5BD8A089735AEAAC1477F7F2C9A234
    - session id: 8E5BD8A089735AEAAC1477F7F2C9A234
    - cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
- click on logout
  - Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
- you are back to do.jsp
  - Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234
  - forwards to login.jsp
  - Set-Cookie: JSESSIONID=A591F1194A99A1AA6CBDAE7511F0BF57; Path=/cookie-bug

So far so good! Now the second round:

- enter "tomcat" as password and press Login
- this POSTs to j_security_check
  - Cookie: JSESSIONID=A591F1194A99A1AA6CBDAE7511F0BF57
- do.jsp:
  - Cookie: JSESSIONID=A591F1194A99A1AA6CBDAE7511F0BF57
  - displays
    - requested: A591F1194A99A1AA6CBDAE7511F0BF57
    - session id: A591F1194A99A1AA6CBDAE7511F0BF57
    - Cookie: JSESSIONID=8E5BD8A089735AEAAC1477F7F2C9A234 => how is this possible?

Everything is fine *except* the Cookie value comes from nowhere!

It looks like there is a stale cookie that somehow got reused.
Comment 1 Konstantin Kolinko 2011-01-22 10:18:19 UTC
> It looks like there is a stale cookie that somehow got reused.

It comes from the request that was cached when you were redirected to the login form. That is by design.

Note, that since 6.0.21 the session id is changed when you successfully pass authentication. This feature is an implementation for bug 45255 and can be turned off in configuration.

More details below.

------------------------------------------------
Note: You are missing the following from your reproduction recipe:
1) The following user has to be added to tomcat-users.xml (it is commented out by default):
  <user username="tomcat" password="tomcat" roles="tomcat"/>

2) In do.jsp the request.getCookies() call can return null, which results in NPE. I replaced the cycle on cookies in do.jsp with the following lines:
<%  Cookie[] cookies = request.getCookies();
  if (cookies == null) {
    out.println("No cookies");
  } else {
    for (Cookie cookie : cookies) out.println(cookie.getName() + "=" + cookie.getValue() + "<br/>");
  }
 %>

I am using Firefox 3.6.13 + Firebug 1.6.1, looking at the "Network" tab in Firebug.

Here is what happens at the end of the First round, when clicking on "logout" link:
-- Request (#1):
GET http://localhost:8080/cookie-bug/logout.jsp
Cookie: JSESSIONID=30D060D22DE3C7F061C0CE5CA54F1B1B
-- Response:
302 Moved Temporarily
Location: http://localhost:8080/cookie-bug/do.jsp
-- Request (#2):
GET http://localhost:8080/cookie-bug/do.jsp
Cookie: JSESSIONID=30D060D22DE3C7F061C0CE5CA54F1B1B
-- Response:
200 OK
Set-Cookie: JSESSIONID=01E55440D4AFC906EEB4B4B7899CD1AF; Path=/cookie-bug
--

The login page is displayed.

I am filling in password and submitting the form.

-- Request (#3):
POST http://localhost:8080/cookie-bug/j_security_check
Cookie: JSESSIONID=01E55440D4AFC906EEB4B4B7899CD1AF
-- Response:
302 Moved Temporarily
Location: http://localhost:8080/cookie-bug/do.jsp
-- Request (#4):
GET http://localhost:8080/cookie-bug/do.jsp
Cookie: JSESSIONID=01E55440D4AFC906EEB4B4B7899CD1AF
-- Response:
200 OK
Set-Cookie: JSESSIONID=8050014652FAB01314FC23D2774143BF; Path=/cookie-bug
--

The page displays:
Requested session id: 8050014652FAB01314FC23D2774143BF
Session id: 8050014652FAB01314FC23D2774143BF
Cookies:
JSESSIONID=30D060D22DE3C7F061C0CE5CA54F1B1B

The explanation:
Tomcat caches the request (#2) with all its headers and cookies and replays it for you when browser resends the request after successful authentication. I.e., when (#4) is received you are not seeing it, but you are seeing data from (#2) instead.

So the session id is new, but the cookie is an old one.

I do not see an issue here. I am closing this as INVALID. Please ask on the users@ list if you have other questions.
Comment 2 Erik Bruchez 2011-01-22 16:51:21 UTC
Konstantin, I appreciate the prompt reply and explanation.