cayenne-commits mailing list archives

From "Christian Pasemann (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CAY-1739) Cayenne ROP server resets session on every request if BASIC auth is used
Date Thu, 13 Sep 2012 21:27:07 GMT

    [ https://issues.apache.org/jira/browse/CAY-1739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13455321#comment-13455321 ]

Christian Pasemann commented on CAY-1739:
-----------------------------------------

So I tested this on Tomcat 7.0.30 and 6.0.35. The problem occurs on both. On Jetty 6.1.22 this
issue won't happen.
                
> Cayenne ROP server resets session on every request if BASIC auth is used
> ------------------------------------------------------------------------
>
>                 Key: CAY-1739
>                 URL: https://issues.apache.org/jira/browse/CAY-1739
>             Project: Cayenne
>          Issue Type: Bug
>    Affects Versions: 3.1B1
>            Reporter: Andrus Adamchik
>            Assignee: Andrus Adamchik
>
> Per http://stackoverflow.com/questions/12314857/apache-cayenne-rop-server-no-session-associated-with-request-on-tomcat-7 Tomcat 7 resets HTTP session on every ROP request resulting in a loss of state on the client.
>
> I reproduced that on Tomcat 7 and Jetty 8. Jetty 6 works correctly.
> Debugging on Jetty shows that if BASIC auth is present, container invalidates the existing session and creates a new one during auth credentials checking phase. So it goes like this:
> 1. Connect ... session1 is established
> 2. Bootstrap ... session1 cookie is accepted, but session is immediately invalidated and session2 is created
> 3. Commit ... Client still sends session1 cookie, while the server expects session2, causing an exception:
> org.apache.cayenne.remote.service.MissingSessionException: [v.3.2M1-SNAPSHOT Sep 10 2012 23:14:19] No session associated with request.
> 	at org.apache.cayenne.remote.service.BaseRemoteService.processMessage(BaseRemoteService.java:127)
> I wonder if the new servlet spec is specifying this behavior (?).
> A possible fix is to read the session cookie on the client and reset session ID on every request.
> A hideous workaround for the users is to remove BASIC auth.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
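
The "possible fix" named in the issue description, sketched as an added example (not Cayenne code and not taken from the issue): a client-side tracker that adopts whatever session ID the server issued last, so a rotation during the auth phase is followed instead of the first ID being pinned. The class and method names are hypothetical, the cookie name JSESSIONID is assumed (the servlet container default), and the responses in main are constructed to mirror steps 1 to 3 above.

```java
import java.net.HttpCookie;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example; SessionCookieTracker and its methods are hypothetical names.
public class SessionCookieTracker {
    // Assumption: the container uses the default session cookie name.
    private static final String SESSION_COOKIE = "JSESSIONID";

    // Last session ID issued by the server; null until the first response.
    private String sessionId;

    /** Feed the Set-Cookie header values of EVERY response, not only the first. */
    public void update(List<String> setCookieHeaders) {
        for (String header : setCookieHeaders) {
            for (HttpCookie cookie : HttpCookie.parse(header)) {
                if (SESSION_COOKIE.equals(cookie.getName()) && !cookie.getValue().isEmpty()) {
                    // The server issued a new ID or rotated the old one: follow it.
                    sessionId = cookie.getValue();
                }
            }
        }
    }

    /** Cookie header value for the next request, or null if no session exists yet. */
    public String cookieHeader() {
        return sessionId == null ? null : SESSION_COOKIE + "=" + sessionId;
    }

    public static void main(String[] args) {
        SessionCookieTracker tracker = new SessionCookieTracker();

        // 1. Connect: the server establishes session1 (constructed header).
        tracker.update(Arrays.asList("JSESSIONID=session1; Path=/app"));
        System.out.println("Bootstrap request sends: " + tracker.cookieHeader());

        // 2. Bootstrap: session1 is invalidated and session2 is issued.
        tracker.update(Arrays.asList("JSESSIONID=session2; Path=/app"));
        System.out.println("Commit request sends:    " + tracker.cookieHeader());

        // 3. Commit: a response without Set-Cookie leaves the tracked ID unchanged.
        tracker.update(Collections.<String>emptyList());
        System.out.println("Next request sends:      " + tracker.cookieHeader());
    }
}
```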
