?
Solved

More than one JSESSIONIDs in a request. Why ?

Posted on 2004-10-11
3
Medium Priority
?
319 Views
Last Modified: 2012-06-21
Hi. This application uses iPlanet 6.5. There is a webserver and appserver.

The application is designed to run in cookieless mode.

When I look at the HTTP and HTTP traffic is see the following lines:

GET /thePage.jsp?A1=WXYZ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Referer: https://www.applicationX.com/LogonNow.jsp?B1=TokenValue1
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.applicationX.com
Pragma: no-cache
Connection: Close
Cookie: GX_jst=5a0b0572662d6166; JSESSIONID=-3637575215269328760; JSESSIONID=www.applicationX.com-102%253A416a33b8%253Ac883f365a5cf4ab1

You will see that there are TWO JSESSIONIDs. The second one is double URL encoded and when decoded reads:

JSESSIONID=www.applicationX.com-102:416a33b8:c883f365a5cf4ab1,

MY QUESTIONS ARE:
=============
1.  Is it possible to have 2 JSESSIONIDS at the same time ?
2.  Why is one double URL encoded ? Is this iPlanet behaviour or caused by the app developers ?
3.  Have anyone seen 2 x JSESSIONIDs in one request / response loop, and if so, are there any negative implications ?

Many thanks,

James
0
Comment
Question by:jamesspo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Author Comment

by:jamesspo
ID: 12284627
Hi, Overnight I have answered this myself... Hope this helps someone else

Looking at a GET we can see two sessionsids being seperated by an "&", therefore not being read as valid sessionid, therefore the URL re-writing is creating further sessionids to revalidate the strings.
 
This is the first time we see duplicate sessionids:

1.   GXHC_GX_jst=5a0b0561662d6165
2.   GXHC_JSESSIONID=2859727027147568041
1a. GXHC_GX_jst=5a0b0561662d6165
2a. GXHC_JSESSIONID=2859727027147568041

The question is... have we got 3 or 4 ? The list above is 4 (2 x 2 duplicates) and below we have 3;

1. GXHC_GX_jst=5a0b0561662d6165
2. GXHC_JSESSIONID=2859727027147568041
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID=2859727027147568041

Actually we have 3.
 
This is because the URL re-writer will
 
Set-Cookie A1=x
Set-Cookie A2=y
Set-Cookie A3=z
 
results in
 
A1=x&A2=y&A3=z
 
if the URL is rewritten with a new value of A2=q the result would be:
 
A1=x&A3=z&A2=q
 
So in the applicationX website, the server thinks that there is a new cookie called "GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID" and its value is "2859727027147568041"
 
So we have 3 cookies:
 
1. GXHC_GX_jst
2. GXHC_JSESSIONID
 
and
 
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID

So.... by correctly using & instead of & this does not occur and URL re-writer does not create the third bogus session cookie.

Can I have a refund now !!!

Thx

James
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12713725
PAQed with points refunded (150)

modulo
Community Support Moderator
0

Featured Post

Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
Without even knowing it, most of us are using web applications on a daily basis.  In fact, Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We generally confuse these web applications to…
This video teaches users how to migrate an existing Wordpress website to a new domain.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question