kazu2012 / persevere-framework

Automatically exported from code.google.com/p/persevere-framework

JSESSIONID conflict between Persevere and Channels causes logout #199

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
When using Persevere with authentication, a JSESSIONID cookie is used to
maintain the authenticated session. The Channels servlet also sets a
JSESSIONID cookie, but with the same domain and path, hence it overwrites
the Persevere cookie in the browser. This means that the next GET will
fail with a 401 Unauthorized, giving the impression of having been
logged out.

What steps will reproduce the problem?
1. Enable security in Persevere by creating a user and logging in.
2. Use a simple browser client that logs on using the User.authenticate
method, and that also has dojox.cometd.RestChannels enabled.
3. Clear out all old cookies in the client.
4. Log in to the client and do one or more GETs to subscribe to classes.
5. Change a subscribed class, causing an update to be sent to the client.

What version of the product are you using? On what operating system?
Nightly, 1st June

Please provide any additional information below.

Note that this problem is often masked by old cookies in the client,
giving the impression it works fine. When you browse to the web page, if
the client has an old JSESSIONID cookie, it will pass this to
both /Channels and /Class/xxx. Both will accept it and hence not pass a
cookie to the client. In this case, both /Channels and the Persevere
servlet effectively have the same session ID.

If you clear the cookies in the browser, then no cookie will be passed
to /channels or to Persevere. The first response from Persevere will
contain a Set-Cookie: JSESSIONID=xxxx. The first response from /channels
(which could be some time later) will also contain a Set-Cookie with a
different JSESSIONID, overwriting the Persevere cookie.

Some suggested fixes:
(a) Does /channels need to send a JSESSIONID at all?
(b) Change the Jetty setup so that /channels uses a different path or
session cookie name so that they do not conflict.
(c) I have a workaround in place that discards any JSESSIONID that is
received in the onprogress function in dojox.cometd.RestChannels.

Original issue reported on code.google.com by pvolkaer...@gmail.com on 8 Jun 2009 at 11:45
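The overwrite described in the report, replayed as an added example. This is not code from the Persevere project or from the reporter: it is a minimal browser-style cookie jar (cookies keyed by name and path, RFC 6265 path matching) plus two hypothetical in-memory servlets standing in for Persevere and the Channels servlet on one origin. The paths `/User/authenticate`, `/Class/Foo` and `/channels`, the session-id format and the `CHANNELSESSIONID` cookie name are assumptions for the simulation. It reproduces the 401 on the second `/Class/Foo` GET and then shows that fix (b), either a different cookie name or a `/channels`-scoped path, and workaround (c), ignoring Set-Cookie from `/channels` on the client, each keep the Persevere session intact.

```javascript
// Added example, not code from the Persevere project or the issue reporter.
// Browser-style cookie jar: a cookie is identified by (name, path), so a second
// Set-Cookie with the same name and path replaces the first one.
class CookieJar {
  constructor() {
    this.store = new Map();
  }

  // Apply a Set-Cookie header received in a response to requestPath.
  setCookie(header, requestPath) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let path = null;
    for (const attr of attrs) {
      const [k, v] = attr.split('=');
      if (k.toLowerCase() === 'path' && v) path = v;
    }
    // RFC 6265 default-path: request path up to, but not including, the last '/'.
    if (path === null) {
      const idx = requestPath.lastIndexOf('/');
      path = idx <= 0 ? '/' : requestPath.slice(0, idx);
    }
    this.store.set(`${name}|${path}`, { name, value, path });
  }

  // Build the Cookie header for a request to requestPath (RFC 6265 path-match),
  // longer paths first as browsers do.
  cookieHeader(requestPath) {
    const matching = [...this.store.values()].filter(
      (c) =>
        c.path === requestPath ||
        (requestPath.startsWith(c.path) &&
          (c.path.endsWith('/') || requestPath[c.path.length] === '/')),
    );
    matching.sort((a, b) => b.path.length - a.path.length);
    return matching.map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// Parse a Cookie header into name -> value, keeping the first occurrence.
function parseCookies(header) {
  const map = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) {
      const name = part.slice(0, eq).trim();
      if (!map.has(name)) map.set(name, part.slice(eq + 1).trim());
    }
  }
  return map;
}

// Hypothetical servlets (assumed paths). The Persevere stand-in creates a session
// on authenticate and afterwards requires one of its own ids; the Channels stand-in
// issues its own id under a configurable cookie name and path.
function makeServer({ channelsCookieName = 'JSESSIONID', channelsCookiePath = '/' } = {}) {
  const persevereSessions = new Set();
  const channelsSessions = new Set();
  let counter = 0;
  return {
    handle(path, cookieHeader) {
      const cookies = parseCookies(cookieHeader);
      if (path === '/User/authenticate') {
        const id = `p${++counter}`;
        persevereSessions.add(id);
        return { status: 200, setCookie: `JSESSIONID=${id}; Path=/` };
      }
      if (path.startsWith('/channels')) {
        const id = cookies.get(channelsCookieName);
        if (id && channelsSessions.has(id)) return { status: 200, setCookie: null };
        const fresh = `c${++counter}`;
        channelsSessions.add(fresh);
        return { status: 200, setCookie: `${channelsCookieName}=${fresh}; Path=${channelsCookiePath}` };
      }
      // Anything else is Persevere data and needs a Persevere-issued JSESSIONID.
      const id = cookies.get('JSESSIONID');
      return { status: id && persevereSessions.has(id) ? 200 : 401, setCookie: null };
    },
  };
}

// Replay the report with a fresh browser: login, GET a class, first /channels
// response, GET the class again. dropChannelsCookie models workaround (c).
function replay(serverOptions = {}, dropChannelsCookie = false) {
  const server = makeServer(serverOptions);
  const jar = new CookieJar();
  const statuses = [];
  for (const path of ['/User/authenticate', '/Class/Foo', '/channels', '/Class/Foo']) {
    const res = server.handle(path, jar.cookieHeader(path));
    statuses.push(res.status);
    const ignore = dropChannelsCookie && path.startsWith('/channels');
    if (res.setCookie && !ignore) jar.setCookie(res.setCookie, path);
  }
  return statuses;
}
```

With the default options `replay()` ends in a 401 on the last GET because the `/channels` Set-Cookie lands on the same `JSESSIONID|/` slot in the jar. Passing `{ channelsCookieName: 'CHANNELSESSIONID' }` or `{ channelsCookiePath: '/channels' }` gives the two cookies distinct slots, and `replay({}, true)` keeps the Persevere cookie by never storing the one from `/channels`. Note that the path-scoped variant only works because `/channels` is not a prefix of the Persevere resource paths; a Channels servlet mounted at `/` would still collide.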

GoogleCodeExporter commented 8 years ago

Original comment by kris...@gmail.com on 8 Jun 2009 at 3:29