Jetty

Session cookies broken when SPDY is enabled

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Not A Bug
  • Affects Version/s: 8.1.3
  • Fix Version/s: None
  • Component/s: None
  • Labels:
    None
  • Environment:
    Ubuntu 12.06 64-bit
  • Number of attachments :
    0

Description

When SPDY is enabled, session cookies do not get written - Jetty always uses URL rewriting instead (;jsessionid is appended to the URL).

If URL rewriting is disabled (by setting SessionManager.sessionIdPathParameterName to null or "none"), session management is completely broken, i.e. each request causes the creation of a brand new session, and user state cannot be recovered by the servlet.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Thomas Becker added a comment -

Hi Ido,

I've tried to reproduce the issue, but setting cookies works just fine for me with spdy. You can try this yourself on https://www.webtide.com which will set a cookie for JSESSIONID:

Content-Type text/html;charset=UTF-8
Expires Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie JSESSIONID=oud4ejzzynstnbxg0zfk667i;Path=/;Secure
X-Firefox-Spdy 1

Also the code within jetty responsible for setting/reading cookies should not be affected by spdy. I say "should" as we know that the devil sits in the details sometimes and I might be wrong.

Could you please try it with https://www.webtide.com and tell us if it works fine for you and give us more details like:

  • What browser/version do you use for the request?
  • Does it work for you when using another browser (try chromium and firefox at least)?
  • Do you have any security/browser setting that prevents setting cookies enabled?

Cheers,
Thomas

Show
Thomas Becker added a comment - Hi Ido, I've tried to reproduce the issue, but setting cookies works just fine for me with spdy. You can try this yourself on https://www.webtide.com which will set a cookie for JSESSIONID: Content-Type text/html;charset=UTF-8 Expires Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie JSESSIONID=oud4ejzzynstnbxg0zfk667i;Path=/;Secure X-Firefox-Spdy 1 Also the code within jetty responsible for setting/reading cookies should not be affected by spdy. I say "should" as we know that the devil sits in the details sometimes and I might be wrong. Could you please try it with https://www.webtide.com and tell us if it works fine for you and give us more details like: What browser/version do you use for the request? Does it work for you when using another browser (try chromium and firefox at least)? Do you have any security/browser setting that prevents setting cookies enabled? Cheers, Thomas
Hide
Permalink
Ido added a comment -

I'm testing on on latest versions of Chrome beta channel (20.0.1132.17) and Firefox release channel (12.0, with SPDY support enabled) in parallel. Webtide.com does indeed seem to work fine on both - the JSESSIONID cookie is being written. However, with our application the bug is present on both browsers (just confirmed). Cookies are enabled for both browsers and not restricted in any way.

I too investigated some of the Jetty source code and found it odd that SPDY should have any effect on session management.

I'm investigating further to see whether there's an underlying issue here that's specific to our app.

Show
Ido added a comment - I'm testing on on latest versions of Chrome beta channel (20.0.1132.17) and Firefox release channel (12.0, with SPDY support enabled) in parallel. Webtide.com does indeed seem to work fine on both - the JSESSIONID cookie is being written. However, with our application the bug is present on both browsers (just confirmed). Cookies are enabled for both browsers and not restricted in any way. I too investigated some of the Jetty source code and found it odd that SPDY should have any effect on session management. I'm investigating further to see whether there's an underlying issue here that's specific to our app.
Hide
Permalink
Thomas Becker added a comment -

Please keep us updated. If you can provide a stripped version of your app that can reproduce the issue, we can do some more investigation on it as well if needed.

Show
Thomas Becker added a comment - Please keep us updated. If you can provide a stripped version of your app that can reproduce the issue, we can do some more investigation on it as well if needed.
Hide
Permalink
Ido added a comment -

This turned out to be a side effect of some other issues. Thanks for your help.

Show
Ido added a comment - This turned out to be a side effect of some other issues. Thanks for your help.

People

  • Assignee:
    Thomas Becker
    Reporter:
    Ido
Vote (0)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved: