Tomcat create a new session for every request


Solution 1

You can try to analyze the HTTP traffic between your client and your server. Make sure the Cookie header is set correctly in the request and the response.

If using Firefox, you can try to debug with Firebug.

Solution 2

We recently ran into the same issue with an app we were developing. Come to find out, the issue is that Tomcat was modified to help prevent session fixation attacks. By default, a new session id is created on authentication. This started with 6.0.21. Check out the context configuration option 'changeSessionIdOnAuthentication' (tomcat bug/issue is https://issues.apache.org/bugzilla/show_bug.cgi?id=45255).

Solution 3

We ran into the same problem, but when using custom EXTERNALSSO authentication. The solution was to explicitly turn it off in the constructor of our class that inherits from org.apache.catalina.authenticator.AuthenticatorBase:

super.setChangeSessionIdOnAuthentication(false);
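Solution 1 suggests looking at the raw HTTP traffic, and Solution 2 explains the expected behaviour (one session id rotation at authentication, not one per request). The following script is an added example, not code from the question or from Tomcat: it takes captured request/response header pairs like the Firebug output in the question and classifies each exchange, then tells the expected "rotated once after login" pattern apart from the "new session on every request" churn the asker observed. The `CAPTURE` sample reuses the JSESSIONID values quoted in the question; `NORMAL_CAPTURE`, the `/app` path, the `AAAA...`/`BBBB...` ids and the function names are constructed for this example.

```python
"""Classify JSESSIONID handling from captured HTTP header pairs.

Each capture is a list of (request_headers, response_headers) strings, one
header per line, in the order the browser sent them.
"""
import re
from typing import List, Tuple

Capture = List[Tuple[str, str]]

# Constructed sample modelled on the Firebug capture in the question:
# the client presents an id, the server issues a new one every time.
CAPTURE: Capture = [
    ("Cookie: JSESSIONID=F3206CBF2C961E125821FF22FA31A02D",
     "Set-Cookie: JSESSIONID=49E000B4D6880F4F94531AB9C78DB667; Path=/JOCA-Music-Portal\n"
     "Set-Cookie: JSESSIONID=50B5EA0BCFE811C744CE9C1F9EDE0097; Path=/JOCA-Music-Portal"),
    ("Cookie: JSESSIONID=50B5EA0BCFE811C744CE9C1F9EDE0097",
     "Set-Cookie: JSESSIONID=DCCA2D1B98D11223A6B8855800276E27; Path=/JOCA-Music-Portal"),
]

# Constructed sample of the healthy pattern: anonymous session, one rotation
# when credentials are first accepted, then the rotated id is reused.
NORMAL_CAPTURE: Capture = [
    ("GET /app/ HTTP/1.1\nHost: example.test",
     "Set-Cookie: JSESSIONID=AAAA1111AAAA1111; Path=/app"),
    ("Cookie: JSESSIONID=AAAA1111AAAA1111\nAuthorization: Basic REDACTED",
     "Set-Cookie: JSESSIONID=BBBB2222BBBB2222; Path=/app"),
    ("Cookie: JSESSIONID=BBBB2222BBBB2222", "Content-Type: text/html"),
    ("Cookie: JSESSIONID=BBBB2222BBBB2222", "Content-Type: application/json"),
]

JSESSIONID = re.compile(r"JSESSIONID=([0-9A-Fa-f]+)")


def _ids_in_header(headers: str, header_name: str) -> List[str]:
    """Collect every JSESSIONID value carried by the named header."""
    ids: List[str] = []
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == header_name:
            ids.extend(JSESSIONID.findall(value))
    return ids


def sent_ids(request_headers: str) -> List[str]:
    """Session ids the client presented in its Cookie header."""
    return _ids_in_header(request_headers, "cookie")


def issued_ids(response_headers: str) -> List[str]:
    """Session ids the server handed out via Set-Cookie."""
    return _ids_in_header(response_headers, "set-cookie")


def classify(capture: Capture) -> List[str]:
    """One verdict per exchange: new-session, reused or replaced."""
    verdicts = []
    for request, response in capture:
        sent, issued = sent_ids(request), issued_ids(response)
        if not issued:
            verdicts.append("reused")          # server kept the presented id
        elif not sent:
            verdicts.append("new-session")     # client had no id to present
        elif all(i in sent for i in issued):
            verdicts.append("reused")          # cookie re-sent with same value
        else:
            verdicts.append("replaced")        # presented id was not honoured
    return verdicts


def diagnose(capture: Capture) -> str:
    """Summarise the whole capture.

    stable        - the presented id was always honoured
    rotated-once  - exactly one replacement (session fixation protection)
    churn         - every exchange that presented an id got a new one
    mixed         - anything else; worth a closer look
    """
    verdicts = classify(capture)
    presented = [v for v in verdicts if v != "new-session"]
    replaced = verdicts.count("replaced")
    if replaced == 0:
        return "stable"
    if len(presented) >= 2 and all(v == "replaced" for v in presented):
        return "churn"
    if replaced == 1:
        return "rotated-once"
    return "mixed"


if __name__ == "__main__":
    for name, cap in (("question", CAPTURE), ("normal", NORMAL_CAPTURE)):
        print(name, classify(cap), "->", diagnose(cap))
```

A "rotated-once" result is what changeSessionIdOnAuthentication is meant to produce; a "churn" result on a capture where the Cookie header is demonstrably correct points at the server side (realm or authenticator configuration), which is where the asker eventually found the cause.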

Fabe

Working in software development since 2006 and specialised in solution architecture based on the Microsoft .NET platform. I aim to design better, faster and cheaper solutions based on platforms and to lead development teams to strive for customer satisfaction.

Updated on June 08, 2022

Comments

  • Fabe
    Fabe almost 2 years

    I have been working on this problem for 2 days now and I am hoping that someone here has had a similar problem and a solution for it.

    The problem: It's a Spring MVC (2.5.6) web application, which runs in Tomcat 6. When the start page is requested it redirects the customer to a JSP page (by using HTML's meta refresh tags) which loads its content with a lot of Ajax requests (framework: Prototype). The problem is that Tomcat creates a new session for every AJAX request (about 67 sessions). My first thought was that the session cookie is stored after the start page is loaded and the Ajax requests force Tomcat to create a new session. My approach was to create the session cookie by hand, but this did not make any difference. The funny thing is that it works in some other Tomcat instances, but not in the desired environment for the integration tests. In my opinion it's a Tomcat configuration issue.

    After further investigation with Firebug, I found out that Tomcat creates a new session for every request even if the right JSESSIONID is transferred to it (50B5EA0BCFE811C744CE9C1F9EDE0097):

    Request Header 1:
    Cookie: JSESSIONID=F3206CBF2C961E125821FF22FA31A02D

    Response Header 1:
    Set-Cookie: JSESSIONID=49E000B4D6880F4F94531AB9C78DB667; Path=/JOCA-Music-Portal
    Set-Cookie: JSESSIONID=50B5EA0BCFE811C744CE9C1F9EDE0097; Path=/JOCA-Music-Portal

    Request Header 2:
    Cookie: JSESSIONID=50B5EA0BCFE811C744CE9C1F9EDE0097

    Response Header 2:
    Set-Cookie: JSESSIONID=DCCA2D1B98D11223A6B8855800276E27; Path=/JOCA-Music-Portal

    UPDATE: Further investigation isolated the problem to the Tomcat Realm configuration. We use a JDBC Realm for login. When the login is deactivated, only one session is created. If it's activated, Tomcat creates invalidated/expired sessions, which is why a new session is created with each request. But why does Tomcat behave like this?

    I'm really desperate, so any thought/hint/solution is well appreciated.

    Thank you very much

  • Fabe
    Fabe over 13 years
    First of all thank you very much for your answer. The cookie header is set correctly, I checked with Firebug. I forgot to mention that in some other environments it worked without any problem, but not in the integration test environments.
  • gawi
    gawi over 13 years
    Is there cookies=false in your <context> section of your Tomcat config? What is the value of useHttpOnly?
  • Fabe
    Fabe over 13 years
    No, I did not define any context section in /META-INF/context.xml, so cookies and useHttpOnly are not set. Should I define a context.xml?
  • gawi
    gawi over 13 years
    I don't think it's necessary. According to the documentation (tomcat.apache.org/tomcat-6.0-doc/config/context.html) you should be OK with default values. Maybe the values have changed from their default in server.xml. The behaviour you are describing sounds like useHttpOnly is set to true in some config file (with Tomcat, you can set this info in so many places, see the aforementioned doc).
  • Fabe
    Fabe over 13 years
    Ok, thank you very much for your support, I will define a context.xml explicitly setting useHttpOnly to false and post the results here.
  • Fabe
    Fabe over 13 years
    useHttpOnly is never set in Tomcat, but I am trying to set it explicitly right now. Also I have found out that every AJAX request creates a new session cookie - I added the details above.
  • Fabe
    Fabe over 13 years
    I also was wrong - the session does not stay the same - it is created new with every request.
  • Fabe
    Fabe over 13 years
    I set useHttpOnly explicitly to false in Tomcat's context.xml - it made no difference ;(
  • gawi
    gawi over 13 years
    Do you have the same behaviour for all kinds of browsers?
  • Fabe
    Fabe over 13 years
    Yes, I tested it with FF and IE 8 - I found out that this behaviour only occurs when I am using Tomcat's Realm feature with Basic Authentication. Thank you for your help - this problem really drives me crazy...
  • Fabe
    Fabe about 13 years
    Thank you very much! - I will check it out ;)