jamesspo


More than one JSESSIONID in a request. Why?

Hi. This application uses iPlanet 6.5. There is a webserver and appserver.

The application is designed to run in cookieless mode.

When I look at the HTTP and HTTP traffic I see the following lines:

GET /thePage.jsp?A1=WXYZ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Referer: https://www.applicationX.com/LogonNow.jsp?B1=TokenValue1
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.applicationX.com
Pragma: no-cache
Connection: Close
Cookie: GX_jst=5a0b0572662d6166; JSESSIONID=-3637575215269328760; JSESSIONID=www.applicationX.com-102%253A416a33b8%253Ac883f365a5cf4ab1

You will see that there are TWO JSESSIONIDs. The second one is double URL encoded and when decoded reads:

JSESSIONID=www.applicationX.com-102:416a33b8:c883f365a5cf4ab1,

MY QUESTIONS ARE:
=============
1.  Is it possible to have 2 JSESSIONIDs at the same time?
2.  Why is one double URL encoded? Is this iPlanet behaviour or caused by the app developers?
3.  Has anyone seen 2 x JSESSIONIDs in one request / response loop, and if so, are there any negative implications?

Many thanks,

James
jamesspo

ASKER

Hi, Overnight I have answered this myself... Hope this helps someone else

Looking at a GET we can see two sessionids being separated by an "&", therefore not being read as a valid sessionid, therefore the URL re-writing is creating further sessionids to revalidate the strings.
 
This is the first time we see duplicate sessionids:

1.   GXHC_GX_jst=5a0b0561662d6165
2.   GXHC_JSESSIONID=2859727027147568041
1a. GXHC_GX_jst=5a0b0561662d6165
2a. GXHC_JSESSIONID=2859727027147568041

The question is... have we got 3 or 4? The list above is 4 (2 x 2 duplicates) and below we have 3:

1. GXHC_GX_jst=5a0b0561662d6165
2. GXHC_JSESSIONID=2859727027147568041
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID=2859727027147568041

Actually we have 3.
 
This is because the URL re-writer will
 
Set-Cookie A1=x
Set-Cookie A2=y
Set-Cookie A3=z
 
results in
 
A1=x&A2=y&A3=z
 
if the URL is rewritten with a new value of A2=q the result would be:
 
A1=x&A3=z&A2=q
 
So in the applicationX website, the server thinks that there is a new cookie called "GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID" and its value is "2859727027147568041"
 
So we have 3 cookies:
 
1. GXHC_GX_jst
2. GXHC_JSESSIONID
 
and
 
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID

So.... by correctly using & instead of & this does not occur and URL re-writer does not create the third bogus session cookie.

Can I have a refund now !!!

Thx

James
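
Added example, not part of the original posts: a Python check that flags cookie names repeated in one Cookie header and counts how many URL-decode passes each value needs, run on the header from the question. The function names and the MAX_ROUNDS bound are illustrative assumptions.

```python
from collections import defaultdict
from urllib.parse import unquote

# Cookie header copied from the request shown in the question.
COOKIE_HEADER = (
    "GX_jst=5a0b0572662d6166; JSESSIONID=-3637575215269328760; "
    "JSESSIONID=www.applicationX.com-102%253A416a33b8%253Ac883f365a5cf4ab1"
)
MAX_ROUNDS = 5  # assumed bound so a hostile value cannot keep the loop busy


def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs, keeping duplicates.

    Dict-based parsers keep one value per name and would hide the repeat.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def decode_depth(value):
    """Return (rounds, decoded): URL-decode passes needed until stable."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return rounds, value


def audit_cookie_header(header):
    """Return only the names sent more than once, with decode details."""
    seen = defaultdict(list)
    for name, value in parse_cookie_header(header):
        rounds, decoded = decode_depth(value)
        seen[name].append({"raw": value, "decoded": decoded, "rounds": rounds})
    return {name: vals for name, vals in seen.items() if len(vals) > 1}


if __name__ == "__main__":
    for name, vals in audit_cookie_header(COOKIE_HEADER).items():
        print(name, vals)
```

A value that needs two passes, like the second JSESSIONID here, means something in the chain encoded it twice, which is worth tracing before relying on either session identifier.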