Tomcat create a new session for every request
Solution 1
You can try to analyze the HTTP traffic between your client and your server. Make sure the Cookie header is set correctly in the request and the response.
If using Firefox, you can try to debug with Firebug.
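To make that traffic check concrete, here is an added example (not from this answer or the question): a small Python script that walks a constructed Cookie/Set-Cookie trace, shaped like the JSESSIONID capture quoted in the question below, and tells a single id rotation at login (Tomcat's session-fixation defence) apart from an id that is replaced on every request. The trace format and the made-up ids are assumptions of the example.

```python
import re
from typing import Optional, Tuple

SESSION_COOKIE = "JSESSIONID"

# Each exchange: (request Cookie header or None, list of response Set-Cookie headers).
# Constructed traces: the ids are invented, the shape mirrors the asker's capture,
# including a response that carries two Set-Cookie headers.
CHURN_TRACE = [
    ("JSESSIONID=AAAA1111", ["JSESSIONID=BBBB2222; Path=/app"]),
    ("JSESSIONID=BBBB2222", ["JSESSIONID=CCCC3333; Path=/app",
                             "JSESSIONID=DDDD4444; Path=/app"]),
    ("JSESSIONID=DDDD4444", ["JSESSIONID=EEEE5555; Path=/app"]),
]
LOGIN_TRACE = [
    (None, ["JSESSIONID=AAAA1111; Path=/app"]),                   # first visit: session created
    ("JSESSIONID=AAAA1111", ["JSESSIONID=BBBB2222; Path=/app"]),  # login: id rotated once
    ("JSESSIONID=BBBB2222", []),                                  # later requests keep the id
    ("JSESSIONID=BBBB2222", []),
]


def cookie_value(header: Optional[str], name: str) -> Optional[str]:
    """Extract cookie `name` from a Cookie or Set-Cookie header, or None if absent."""
    if not header:
        return None
    match = re.search(rf"(?:^|;\s*){re.escape(name)}=([^;]*)", header)
    if not match:
        return None
    return match.group(1).strip() or None


def classify(trace) -> Tuple[str, int]:
    """Return (verdict, rotations): how often the server replaced an id the client sent.

    stable      - never replaced (no login in the trace)
    rotate-once - replaced exactly once, the expected changeSessionIdOnAuthentication effect
    churn       - replaced on every exchange where the client presented an id
    """
    presented = rotated = 0
    for request_cookie, set_cookies in trace:
        sent = cookie_value(request_cookie, SESSION_COOKIE)
        if sent is None:
            continue  # no id offered, so a freshly issued session is normal
        presented += 1
        issued = {v for v in (cookie_value(s, SESSION_COOKIE) for s in set_cookies) if v}
        if issued and issued != {sent}:
            rotated += 1
    if rotated == 0:
        return "stable", 0
    if rotated == 1:
        return "rotate-once", 1
    return ("churn" if rotated == presented else "partial"), rotated
```

A "churn" verdict on a Basic-auth protected path is the symptom described in this question, where every request re-authenticates and so rotates the id again.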
Solution 2
We recently ran into the same issue with an app we were developing. Come to find out, the issue is that Tomcat was modified to help prevent session fixation attacks. By default, a new session id is created on authentication. This started with 6.0.21. Check out the context configuration option 'changeSessionIdOnAuthentication' (tomcat bug/issue is https://issues.apache.org/bugzilla/show_bug.cgi?id=45255).
Solution 3
We ran into the same problem, but when using custom EXTERNALSSO authentication. The solution was to explicitly turn it off in the constructor of our class that inherits from org.apache.catalina.authenticator.AuthenticatorBase:
    super.setChangeSessionIdOnAuthentication(false);
Fabe
Updated on June 08, 2022
Comments
-
Fabe almost 2 years
I am working on this problem for 2 days now and I am hoping that anyone here had a similar problem and a solution for that.
The problem: It's a Spring MVC (2.5.6.) Web Application, which runs in Tomcat 6. When the start page is requested it redirects the customer to a JSP page (by using HTML's meta refresh tags) which loads its content with a lot of Ajax requests (Framework: Prototype). The problem is that Tomcat creates a new session for every AJAX request (about 67 sessions). My first thought was that the session cookie is stored after the start page is loaded and the Ajax requests force Tomcat to create a new session. My approach was to create the session cookie by hand, but this did not make any difference. The funny thing is that it works in some other Tomcat instances, but not in the desired environment for the integration tests. In my opinion it's a Tomcat configuration issue.
After further investigation with Firebug, I found out that Tomcat creates a new session for every request even if the right JSESSIONID is transferred to it (50B5EA0BCFE811C744CE9C1F9EDE0097):
Request Header 1:  Cookie      JSESSIONID=F3206CBF2C961E125821FF22FA31A02D
Response Header 1: Set-Cookie  JSESSIONID=49E000B4D6880F4F94531AB9C78DB667; Path=/JOCA-Music-Portal
                               JSESSIONID=50B5EA0BCFE811C744CE9C1F9EDE0097; Path=/JOCA-Music-Portal
Request Header 2:  Cookie      JSESSIONID=50B5EA0BCFE811C744CE9C1F9EDE0097
Response Header 2: Set-Cookie  JSESSIONID=DCCA2D1B98D11223A6B8855800276E27; Path=/JOCA-Music-Portal
UPDATE: Further investigation isolated the problem to the Tomcat Realm configuration. We use a JDBC Realm for login. When the login is deactivated, only one session is created. If it's activated, Tomcat creates invalidated/expired sessions, that's why a new session is created with each request. But why does Tomcat behave like this?
I'm really desperate, so any thought/hint/solution is well appreciated.
Thank you very much
-
Fabe over 13 years: First of all thank you very much for your answer. The cookie header is set correctly, I checked with Firebug. I forgot to mention that in some other environments it worked without any problem, but not in the integration test environments.
-
gawi over 13 years: Is there cookies=false in your <context> section of your Tomcat config? What is the value of useHttpOnly?
-
Fabe over 13 years: No, I did not define any context section in /META-INF/context.xml, so cookies and useHttpOnly are not set. Should I define a context.xml?
-
gawi over 13 years: I don't think it's necessary. According to the documentation tomcat.apache.org/tomcat-6.0-doc/config/context.html you should be OK with default values. Maybe the values have been changed from their defaults in server.xml. The behaviour you are describing sounds like useHttpOnly is set to true in some config file (with Tomcat, you can set this in so many places, see the aforementioned doc)
-
Fabe over 13 years: Ok, thank you very much for your support, I will define a context.xml explicitly setting useHttpOnly to false and post the results here.
-
Fabe over 13 years: useHttpOnly is never set in Tomcat, but I am trying to explicitly set it right now. Also I have found out that every AJAX request creates a new session cookie - I added the details above.
-
Fabe over 13 years: I was also wrong - the session does not stay the same - it is created new with every request.
-
Fabe over 13 years: I set useHttpOnly explicitly to false in Tomcat's context.xml - it made no difference ;(
-
gawi over 13 years: Do you have the same behaviour for all kinds of browsers?
-
Fabe over 13 years: Yes, I tested it with FF and IE 8 - I found out that this behaviour only occurs when I am using Tomcat's Realm feature with Basic Authentication. Thank you for your help - this problem really drives me crazy...
-
Fabe about 13 years: Thank you very much! - I will check it out ;)