Solved

More than one JSESSIONIDs in a request. Why ?

Posted on 2004-10-11
3
308 Views
Last Modified: 2012-06-21
Hi. This application uses iPlanet 6.5. There is a webserver and appserver.

The application is designed to run in cookieless mode.

When I look at the HTTP and HTTP traffic is see the following lines:

GET /thePage.jsp?A1=WXYZ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Referer: https://www.applicationX.com/LogonNow.jsp?B1=TokenValue1
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.applicationX.com
Pragma: no-cache
Connection: Close
Cookie: GX_jst=5a0b0572662d6166; JSESSIONID=-3637575215269328760; JSESSIONID=www.applicationX.com-102%253A416a33b8%253Ac883f365a5cf4ab1

You will see that there are TWO JSESSIONIDs. The second one is double URL encoded and when decoded reads:

JSESSIONID=www.applicationX.com-102:416a33b8:c883f365a5cf4ab1,

MY QUESTIONS ARE:
=============
1.  Is it possible to have 2 JSESSIONIDS at the same time ?
2.  Why is one double URL encoded ? Is this iPlanet behaviour or caused by the app developers ?
3.  Have anyone seen 2 x JSESSIONIDs in one request / response loop, and if so, are there any negative implications ?

Many thanks,

James
0
Comment
Question by:jamesspo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Author Comment

by:jamesspo
ID: 12284627
Hi, Overnight I have answered this myself... Hope this helps someone else

Looking at a GET we can see two sessionsids being seperated by an "&", therefore not being read as valid sessionid, therefore the URL re-writing is creating further sessionids to revalidate the strings.
 
This is the first time we see duplicate sessionids:

1.   GXHC_GX_jst=5a0b0561662d6165
2.   GXHC_JSESSIONID=2859727027147568041
1a. GXHC_GX_jst=5a0b0561662d6165
2a. GXHC_JSESSIONID=2859727027147568041

The question is... have we got 3 or 4 ? The list above is 4 (2 x 2 duplicates) and below we have 3;

1. GXHC_GX_jst=5a0b0561662d6165
2. GXHC_JSESSIONID=2859727027147568041
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID=2859727027147568041

Actually we have 3.
 
This is because the URL re-writer will
 
Set-Cookie A1=x
Set-Cookie A2=y
Set-Cookie A3=z
 
results in
 
A1=x&A2=y&A3=z
 
if the URL is rewritten with a new value of A2=q the result would be:
 
A1=x&A3=z&A2=q
 
So in the applicationX website, the server thinks that there is a new cookie called "GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID" and its value is "2859727027147568041"
 
So we have 3 cookies:
 
1. GXHC_GX_jst
2. GXHC_JSESSIONID
 
and
 
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID

So.... by correctly using & instead of & this does not occur and URL re-writer does not create the third bogus session cookie.

Can I have a refund now !!!

Thx

James
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12713725
PAQed with points refunded (150)

modulo
Community Support Moderator
0

Featured Post

Report: Liquid Web beats Amazon, Rackspace & More

A study by performance analyst firm Cloud Spectator finds that Liquid Web beats rivals Amazon, Rackspace and DigitalOcean when it comes to website and cloud application performance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An enjoyable and seamless user experience can go a long way on an eCommerce site. While a cohesive layout and engaging copy play roles in creating a positive user experience, some sites neglect aspects that seem marginal but in actuality prove very …
Australian government abolished Visa 457 earlier this April and this article describes how this decision might affect Australian IT scene and IT experts.
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
This video teaches users how to migrate an existing Wordpress website to a new domain.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question