?
Solved

More than one JSESSIONIDs in a request. Why ?

Posted on 2004-10-11
3
Medium Priority
?
320 Views
Last Modified: 2012-06-21
Hi. This application uses iPlanet 6.5. There is a webserver and appserver.

The application is designed to run in cookieless mode.

When I look at the HTTP and HTTP traffic is see the following lines:

GET /thePage.jsp?A1=WXYZ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Referer: https://www.applicationX.com/LogonNow.jsp?B1=TokenValue1
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.applicationX.com
Pragma: no-cache
Connection: Close
Cookie: GX_jst=5a0b0572662d6166; JSESSIONID=-3637575215269328760; JSESSIONID=www.applicationX.com-102%253A416a33b8%253Ac883f365a5cf4ab1

You will see that there are TWO JSESSIONIDs. The second one is double URL encoded and when decoded reads:

JSESSIONID=www.applicationX.com-102:416a33b8:c883f365a5cf4ab1,

MY QUESTIONS ARE:
=============
1.  Is it possible to have 2 JSESSIONIDS at the same time ?
2.  Why is one double URL encoded ? Is this iPlanet behaviour or caused by the app developers ?
3.  Have anyone seen 2 x JSESSIONIDs in one request / response loop, and if so, are there any negative implications ?

Many thanks,

James
0
Comment
Question by:jamesspo
2 Comments
 

Author Comment

by:jamesspo
ID: 12284627
Hi, Overnight I have answered this myself... Hope this helps someone else

Looking at a GET we can see two sessionsids being seperated by an "&", therefore not being read as valid sessionid, therefore the URL re-writing is creating further sessionids to revalidate the strings.
 
This is the first time we see duplicate sessionids:

1.   GXHC_GX_jst=5a0b0561662d6165
2.   GXHC_JSESSIONID=2859727027147568041
1a. GXHC_GX_jst=5a0b0561662d6165
2a. GXHC_JSESSIONID=2859727027147568041

The question is... have we got 3 or 4 ? The list above is 4 (2 x 2 duplicates) and below we have 3;

1. GXHC_GX_jst=5a0b0561662d6165
2. GXHC_JSESSIONID=2859727027147568041
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID=2859727027147568041

Actually we have 3.
 
This is because the URL re-writer will
 
Set-Cookie A1=x
Set-Cookie A2=y
Set-Cookie A3=z
 
results in
 
A1=x&A2=y&A3=z
 
if the URL is rewritten with a new value of A2=q the result would be:
 
A1=x&A3=z&A2=q
 
So in the applicationX website, the server thinks that there is a new cookie called "GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID" and its value is "2859727027147568041"
 
So we have 3 cookies:
 
1. GXHC_GX_jst
2. GXHC_JSESSIONID
 
and
 
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID

So.... by correctly using & instead of & this does not occur and URL re-writer does not create the third bogus session cookie.

Can I have a refund now !!!

Thx

James
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12713725
PAQed with points refunded (150)

modulo
Community Support Moderator
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article was originally published on Monitis Blog, you can check it here . Today it’s fairly well known that high-performing websites and applications bring in more visitors, higher SEO, and ultimately more sales. By the same token, downtime…
Australian government abolished Visa 457 earlier this April and this article describes how this decision might affect Australian IT scene and IT experts.
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.
Suggested Courses
Course of the Month16 days, 23 hours left to enroll

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question