Solved

More than one JSESSIONIDs in a request. Why ?

Posted on 2004-10-11
3
305 Views
Last Modified: 2012-06-21
Hi. This application uses iPlanet 6.5. There is a webserver and appserver.

The application is designed to run in cookieless mode.

When I look at the HTTP and HTTP traffic is see the following lines:

GET /thePage.jsp?A1=WXYZ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Referer: https://www.applicationX.com/LogonNow.jsp?B1=TokenValue1
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.applicationX.com
Pragma: no-cache
Connection: Close
Cookie: GX_jst=5a0b0572662d6166; JSESSIONID=-3637575215269328760; JSESSIONID=www.applicationX.com-102%253A416a33b8%253Ac883f365a5cf4ab1

You will see that there are TWO JSESSIONIDs. The second one is double URL encoded and when decoded reads:

JSESSIONID=www.applicationX.com-102:416a33b8:c883f365a5cf4ab1,

MY QUESTIONS ARE:
=============
1.  Is it possible to have 2 JSESSIONIDS at the same time ?
2.  Why is one double URL encoded ? Is this iPlanet behaviour or caused by the app developers ?
3.  Have anyone seen 2 x JSESSIONIDs in one request / response loop, and if so, are there any negative implications ?

Many thanks,

James
0
Comment
Question by:jamesspo
3 Comments
 

Author Comment

by:jamesspo
ID: 12284627
Hi, Overnight I have answered this myself... Hope this helps someone else

Looking at a GET we can see two sessionsids being seperated by an "&", therefore not being read as valid sessionid, therefore the URL re-writing is creating further sessionids to revalidate the strings.
 
This is the first time we see duplicate sessionids:

1.   GXHC_GX_jst=5a0b0561662d6165
2.   GXHC_JSESSIONID=2859727027147568041
1a. GXHC_GX_jst=5a0b0561662d6165
2a. GXHC_JSESSIONID=2859727027147568041

The question is... have we got 3 or 4 ? The list above is 4 (2 x 2 duplicates) and below we have 3;

1. GXHC_GX_jst=5a0b0561662d6165
2. GXHC_JSESSIONID=2859727027147568041
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID=2859727027147568041

Actually we have 3.
 
This is because the URL re-writer will
 
Set-Cookie A1=x
Set-Cookie A2=y
Set-Cookie A3=z
 
results in
 
A1=x&A2=y&A3=z
 
if the URL is rewritten with a new value of A2=q the result would be:
 
A1=x&A3=z&A2=q
 
So in the applicationX website, the server thinks that there is a new cookie called "GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID" and its value is "2859727027147568041"
 
So we have 3 cookies:
 
1. GXHC_GX_jst
2. GXHC_JSESSIONID
 
and
 
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID

So.... by correctly using & instead of & this does not occur and URL re-writer does not create the third bogus session cookie.

Can I have a refund now !!!

Thx

James
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12713725
PAQed with points refunded (150)

modulo
Community Support Moderator
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Best practice for a landing page 3 74
ebay seller html tags 2 33
One field not displaying content (ASP Classic) 8 31
Code Manager | Snippits 2 37
Read about why website design really matters in today's demanding market.
Although it can be difficult to imagine, someday your child will have a career of his or her own. He or she will likely start a family, buy a home and start having their own children. So, while being a kid is still extremely important, it’s also …
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question