Issue
ID: 1365
Reporter: guido
Status: New
Resolution: unresolved
Category: Orion
Reported Version: 2.0.7
Last seen Version: 2.0.7
Fixed Version:
Platform: Unspecified/All
OS: Unspecified/All
Java version: 1.5
Severity: normal
Visibility: Public
Summary: session sharing between http + https AND two context roots fails
Description:
Using two web-site.xml files (http/80 and https/443) with two web-app entries (different root attributes) each with shared="true" breaks session sharing. The generated session Cookie is set to secure even if it was requested via http. The behaviour occurs randomly, restarting orion solves the issue in 50% of the cases.
Removing the shared="true" attribute from one context root in both web-sites solves the problem.
The bug exists at least since 2.0.1
guido 20070411 03:03:46
Modification: Issue created
guido 20070411 05:27:05
Modification: Comment added.
Comment:
Correction: removing shared="true" attributes reduces probability that the problem occurs, but does not completely remove the issue. I get something like one in four orion restarts with the cookies set to secure. It does seem a bit strange that this behaviour is not strictly deterministic...
guido 20070412 11:12:05
Modification: Comment added.
Comment:
Ok, some more research clears this issue a bit. Cookies are set to secure if the first access to the server after startup is via https. All session cookies are set to secure as long as this server runs. If the first access after restart is via http, session cookies are not secure and session sharing works.
Current workaround: access the server via http immediately after startup - Obviously not a very good solution...
guido 20070412 06:12:00
Modification: Severity changed from major to normal. Comment added.
Comment:
And at last we have a real workaround: add load-on-startup="true" to the http version of the web-app. This will have the same effect as an initial access via http, the data structures are initialized correctly and we get no more "secure" cookies.
... setting Severity to "normal" ...
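A check for the symptom reported in this issue, added here as an example and not part of the original report or of Orion: it parses Set-Cookie headers and reports whether a session cookie was marked Secure on a plain-http response, in which case the browser will not return it over http and the shared session is lost there. The cookie name JSESSIONID, the function names and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # assumption: servlet default session cookie name


def session_cookie(set_cookie_header):
    """Return (value, secure) for the session cookie, or None if not present."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return morsel.value, bool(morsel["secure"])


def browser_returns(cookie_secure, request_scheme):
    """A browser only sends a Secure cookie back over https."""
    return request_scheme == "https" or not cookie_secure


def audit(responses):
    """responses: iterable of (scheme, Set-Cookie header value) pairs."""
    report = []
    for scheme, header in responses:
        parsed = session_cookie(header)
        if parsed is None:
            continue  # response did not set the session cookie
        value, secure = parsed
        report.append({
            "issued_over": scheme,
            "session": value,
            "secure": secure,
            # The symptom from this issue: Secure flag on an http response.
            "secure_over_http": scheme == "http" and secure,
            "shared_with_http": browser_returns(secure, "http"),
            "shared_with_https": browser_returns(secure, "https"),
        })
    return report


# Constructed sample responses, not captured from a real server.
SAMPLE = [
    ("http", "JSESSIONID=AAAA1111; Path=/; Secure"),
    ("https", "JSESSIONID=BBBB2222; Path=/; Secure"),
    ("http", "JSESSIONID=CCCC3333; Path=/"),
    ("http", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```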
Copyright © 2003 IronFlare AB