I am stuck with a jsession id problem. I am using Tomcat 7, Spring framework 3.1.1, security with Spring Security.
Our application has a login page with an url like : defaultSubdomain.theSite.com/login.html. Some of our users have their own subdomains, so their login page url are : subdomainForUser.theSite.com/login.html.
The problem is, if one of them use the default login url :
he will be log in, an HttpSession will be created on the server and a JSESSIONID cookie will be created on defaultSubdomain.theSite.com on client, then
our server makes the browser redirect to the welcome page of user's subdomain and makes the browser recreate the JSESSIONID cookie with javascript.
In a filter:
//if client is on the wrong subdomain
HttpServletResponse.sendRedirect(url);
return;
But after that, client still needs to log in again. Is there any way to achieve what I try to do (with a coding approach and not configuring tomcat)?
I made some research and we could use
<Context sessionCookieDomain=".theSite.com" sessionCookiePath="/">
but it implies having one configuration for dev, one for test and one for prod which is not acceptable.
Thanks!
Related
The Problem
When redirecting from a servlet using response.sendRedirect(redirect_url);, the JSESSIONID cookie is not passed by the browser to the destination. A new JSESSIONID is created for every redirect, and it is impossible to track the user.
Note: This problem is only occurring on my new server implementing https and a domain name; the session ID is properly tracked when I run the web app locally or on another server without SSL or a domain name. Edit: I have set up another site on my server without SSL, and the issue persists. This seems to narrow the issue down to having a reverse proxy Apache.
An Example
The Login servlet on my web app attempts to store the user information in a session attribute then redirects to the MyCards servlet. I am using a redirect so that the URL will display mydomain.com/MyCards instead of mydomain.com/Login. The MyCards servlet attemtps to access the session attribute but finds nothing, and therefore redirects back to the Login servlet. This worked perfectly before deploying the project on my new server with SSL and domain name.
My Setup
Ubuntu 20.04 on DigitalOcean droplet
Apache Web Server (apache2) ... I have enabled mod_sessions, not sure if that's relevant.
Tomcat 9
Reverse proxy in Apache VirtualHost to Tomcat (I can post my .conf file if requested)
A redirect in Apache VirtualHost from HTTP to HTTPS
JDK 11
Possible Solutions
Using a forward instead of a redirect. The session ID is not lost when using requestDispatcher.forward(request, response);. As I mentioned above, I want the URL to reflect the destination for an intuitive user experience, which does not occur when using a forward.
Implementing your own session cookie, as in this answer, and manually storing sessions with a map, as in this answer, which strongly advises against such a facility. Based on my understanding, doing so poses security threats to user data. Also, if the browser is not passing the JSESSIONID cookie, I don't understand why it would choose to pass the manually implemented cookie unless the SameSite attribute is set to None (also bad).
Verifying that the webapp's context.xml does not have cookies="false" configured. Done that.
Using encoded URLs with response.sendRedirect(response.encodeRedirectURL(url));. Again, for the sake of having a clean URL (which the user could bookmark or type in) is preferable, and encoding the session ID into the URL is not.
Using relative URLs instead of absolute URLs...
"A session is only maintained if the redirection is being sent on the same port, host and webapp [and protocol?]. If redirection is done within the same application, using relative paths is the best practice." I tried both redirect_url = "/MyCards" and redirect_url = "MyCards", no luck.
Possible Reasons
Perhaps I am unknowingly switching between HTTP and HTTPS, which is a change in protocol and will not preserve the session ID. Of course, my intention is to remain secure and stay exclusively in HTTPS. Edit: I have set up another site on my server without SSL, and the issue persists. This seems to narrow the issue down to having a reverse proxy Apache. When accessing the web app directly on Tomcat (i.e. with <server_ip>:8080/MyWebApp), the session is tracked properly on redirect. However when using mydomain.com, the session ID is lost on every redirect.
Something to do with naked domains.
Other?
Edit: Maybe the issue is occurring because of the way the client, Apache, and Tomcat interact via the reverse proxy. Does the proxy cause the domain/port to change on every request/response?
My Questions
Why exactly is the session ID lost when using a redirect to a relative URL to a servlet in the same web app on the same server? Shouldn't the redirect occur entirely on the server-side, preventing a new request/session from being created? Since the relative URLs (which I thought would preserve the session) did not solve the issue, does this indicate some problem with my server setup (e.g. unintentional switching between protocols)?
What is the best practice for maintaining the user session ID, even when the user has cookies disabled? Is there no way around URL encoding when cookies are disabled? Or should the app be implemented exclusively with forwards rather than redirects? If so, is there a workaround to changing the URL to reflect the destination?
Note: this is my first post, so I don't have the reputation to comment. I will edit the post with any needed information.
Grails 2.4.4
Guys, I am working on an grails application and I have a requirement where I have to render pages from same application into different host URL's
For example:
Home page url (pre-login) should be www.mydomain.com
Home page url (post-login) should be home.mydomain.com
Login page url should be login.mydomain.com
Register page url should be register.mydomain.com
and Rest pages url should be inner.mydomain.com
All the above urls are added as an alias in tomcat -> server.xml file and is pointing to same application directory.
I have created a static method which according to controller and action determines and return the host url. I am using this method from grails filter.
I then just replace the old host url with the new generated one and then issue a normal redirect url.
The problem I am facing here is, if the app is not loggedin, than all works well. But when I try to login from host url login.mydomain.com, then spring security creates session only for login.mydomain.com. Session is not created for home.mydomain.com and hence I am not redirected to post-login home.mydomain.com but instead redirected back to pre-login www.mydomain.com
So, can you someone tell me what is the correct way to achieve this. Can I change my host url without effecting my locale, cookies and session? Can Spring security authenticate multiple host at the same time?
Is there any java way to do this?
Any other suggestions?
Please let me know if more inputs are needed
i am setting cookie SPRING_SECURITY_REMEMBER_ME_COOKIE to null when user logs out.
Cookie cookie = new Cookie(cookieName, null);
String cookiePath = request.getContextPath();
cookie.setPath(cookiePath);
cookie.setMaxAge(0);
response.addCookie(cookie);
above code working fine in my localhost, when i moved to cloud server, the above code doesn't works, it is not removing the cookie while logging off. there is no difference other than domain forwarding.
It may or may not be your case, but there is a similar issue regarding the removal of JSESSIONID cookies. Take a look here:
Spring Security - Session Management
navigating to spring security login page redirects to invalid-session-url
The same thing may be happening to the Remember-Me cookie. Check the 'Set-Cookie' headers when you log out of your system (Firebug is enough for this): if the 'path' does not match the path for the stored cookie (created when accessing the login page), then you may have this issue on your environment. In this case, you could create a custom CookieClearingLogoutHandler to properly clean the cookies.
I have a web application in Tomcat 7 which keeps user information in session as a DTO object. I also have Spring security enabled for my project which automatically redirects a user to a login page if the user does not have a session.
If I log in to my application once and then I restart Tomcat in Eclipse what happens is that my session gets flushed out but the cookie does not go.
What this means is that after server restart there is no UserDto in session but a valid JSESSIONID remains with browser. Thus spring security still thinks that the user is logged in when in fact he's not.
Why is this happening? (I have check the type of JSESSIONID cookie by viewing page info in Firefox it says - Expire: At end of session. Thus it should ideally expire at server restart or shouldn't it?)
Edit: Though Firefox says Expire: At end of session the cookie is still there if I close and restart Firefox.
From Servlet 3.0 to add expire date to a cookie you can add cookie-config to your web.xml file
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<max-age>1800</max-age>
</cookie-config>
</session-config>
The cookie is held in the browser - when the server restarts, but the browser continues to run, it will hold onto the cookie and present this to the server on next request.
Now on the server side, you have multiple options: You can configure tomcat's SessionManager to persist on disk and read the content upon restart - this is an option that also is used to distribute sessions between multiple tomcats in a cluster: When the session is serialized to disk, any server can continue the session by "just" deserializing it. There's some cost implied (as you constantly need to serialize sessions)
Currently I can't give you more concrete hints than this - but if you look it up and understand the difference between where the cookie is stored, why it doesn't change on server restart and that you'll have to look up tomcat documentation of the session manager, you'll hopefully manage to figure it out.
Tomcat will generate a JSESSIONID automatically if you have used session in you web project.
If the session id changed then the JSESSIONID will changed corresponds. Because
the JSESSIONID indicates the seesion ID of the WEB project.
It will expire when the server stop(in default it will expire within 30 minutes), but the cookie cannot delete automatically.
JSESSIONID can configs in server.xml file of tomcat.
While you log in succesfully, SpringSecurity stores a cookie in your browser.
When the browser sends a request, SpringSecurity checks what's in the cookie. If SpringSecurity finds the value it stored before, it thinks you have logged in, so SpringSecurity won't redirect to the login page.
Is it possible to keep the same jsessionid on 2 differents url in the same domain?
Example :
I'm on the home page of my site (http://MyProject.com). When I click on a button, I'm redirected to "http://param.MyProject.com". At the moment, the browser doesn't send the current jsessionid and the server creates a new one but I would like to keep the same.
The consequence is that when the url changes from MyProject.com to param.MyProject.com, I loose my HttpSession and I'm logged out.
I use tomcat 7 and Chrome or Firefox.
Thanks for your answers.
It really depends on the "domain name" set for the Cookie.
A Cookie set for www.myproject.com will not work with param.myproject.com, but if the cookie is set for myproject.com, it will work for myproject.com and all sub-domains of myproject.com
You can configure the cookie domain for tomcat by modifying META-INF/context.xml as below:
<Context sessionCookiePath="/" sessionCookieDomain=".myproject.com" />