When using Persevere with authentication, a JSESSIONID cookie is used to
maintain the authenticated session. The Channels servlet also sets a
JSESSIONID cookie, but with the same domain and path, hence it overwrites
the Persevere cookie in the browser. This means that the next GET fails
with 401 Unauthorized, giving the impression of having been logged out.
What steps will reproduce the problem?
1. Enable security in Persevere by creating a user and logging in
2. A simple browser client that logs on using the User.authenticate
method, and that also has dojox.cometd.RestChannels enabled
3. Clear out all old cookies in the client
4. Log in to the client and do one or more GETs to subscribe to classes
5. Change a subscribed class causing an update to be sent to the client.
What version of the product are you using? On what operating system?
Nightly, 1st June
Please provide any additional information below.
Note that this problem is often masked by old cookies in the client,
giving the impression it works fine. When you browse to the web-page, if
the client has an old JSESSIONID cookie, it will pass this to
both /Channels and /Class/xxx. Both will accept it and hence not pass a
cookie to the client. In this case, both /Channels and the Persevere
servlet effectively have the same session ID.
If you clear the cookies in the browser, then no cookie will be passed
to /channels or to Persevere. The first response from Persevere will
contain a Set-Cookie: JSESSIONID=xxxx. The first response from /channels
(which could be some time later) will also contain a Set-Cookie with a
different JSESSIONID, overwriting the Persevere cookie.
Some suggested fixes:
(a) Does /channels need to send a JSESSIONID at all?
(b) Change the Jetty setup so that /channels uses a different path or
session name so that they do not conflict
(c) I have a workaround in place that discards any JSESSIONID that is
received in the onprogress function in dojox.cometd.RestChannels.
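The overwrite described above, and the effect of suggested fix (b), can be modelled with a small cookie jar that follows the RFC 6265 rules a browser applies to Set-Cookie: a cookie is identified by its name and path, so a second Set-Cookie with the same name and path silently replaces the first. The code below is an added illustration, not part of the original report or of Persevere; the servlet paths (/Class/Foo, /channels), the session-id values and the alternative cookie name CHANNELSESSIONID are constructed for the example.

```javascript
// Minimal model of a browser cookie jar (RFC 6265 subset: name, value, Path).
// Constructed example: shows why two servlets that both issue a cookie named
// JSESSIONID with Path=/ clobber each other, and how a distinct path or a
// distinct cookie name avoids the collision.

// Default-path rule (RFC 6265 5.1.4): request path up to, not including, the last '/'.
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const idx = requestPath.lastIndexOf('/');
  return idx === 0 ? '/' : requestPath.slice(0, idx);
}

// Parse "NAME=value; Path=/x" into {name, value, path}; other attributes ignored.
function parseSetCookie(header, requestPath) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    path: defaultPath(requestPath),
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'path' && v) cookie.path = v;
  }
  return cookie;
}

// Path-match rule (RFC 6265 5.1.4).
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() {
    this.store = new Map(); // key: name + path (domain is fixed in this model)
  }
  // Apply a Set-Cookie header from a response to `requestPath`.
  receive(requestPath, setCookieHeader) {
    const c = parseSetCookie(setCookieHeader, requestPath);
    this.store.set(`${c.name}|${c.path}`, c); // same name + path => overwrite
  }
  // Cookie header the browser would send to `requestPath`: longer paths first,
  // then creation order (RFC 6265 5.4).
  cookiesFor(requestPath) {
    return [...this.store.values()]
      .filter((c) => pathMatches(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length)
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Scenario from the report: both servlets set JSESSIONID with Path=/.
// The later /channels response replaces the Persevere session cookie, so the
// next request to Persevere carries a session Persevere never issued.
function scenarioConflict() {
  const jar = new CookieJar();
  jar.receive('/Class/Foo', 'JSESSIONID=persevere1; Path=/');
  jar.receive('/channels', 'JSESSIONID=channels2; Path=/');
  return jar.cookiesFor('/Class/Foo');
}

// Fix (b), variant 1: scope the channels cookie to its own path. Persevere
// keeps its cookie, but /channels now receives BOTH cookies (most specific
// path first), so the channels servlet must be prepared for that.
function scenarioSeparatePath() {
  const jar = new CookieJar();
  jar.receive('/Class/Foo', 'JSESSIONID=persevere1; Path=/');
  jar.receive('/channels', 'JSESSIONID=channels2; Path=/channels');
  return { persevere: jar.cookiesFor('/Class/Foo'), channels: jar.cookiesFor('/channels') };
}

// Fix (b), variant 2: give the channels session a different cookie name.
// Each servlet can pick out its own cookie unambiguously.
function scenarioSeparateName() {
  const jar = new CookieJar();
  jar.receive('/Class/Foo', 'JSESSIONID=persevere1; Path=/');
  jar.receive('/channels', 'CHANNELSESSIONID=channels2; Path=/');
  return { persevere: jar.cookiesFor('/Class/Foo'), channels: jar.cookiesFor('/channels') };
}

console.log('conflict      :', scenarioConflict());
console.log('separate path :', scenarioSeparatePath());
console.log('separate name :', scenarioSeparateName());
```

Run with `node cookiejar.js`. The conflict scenario sends only `JSESSIONID=channels2` to /Class/Foo, which is the 401 the report describes. Note that the separate-path variant still delivers two JSESSIONID cookies to /channels; the separate-name variant is the one that removes all ambiguity, which is why choosing a distinct session cookie name is the cleaner form of fix (b).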
Original issue reported on code.google.com by pvolkaer...@gmail.com on 8 Jun 2009 at 11:45