?
Solved

More than one JSESSIONIDs in a request. Why ?

Posted on 2004-10-11
3
Medium Priority
?
317 Views
Last Modified: 2012-06-21
Hi. This application uses iPlanet 6.5. There is a webserver and appserver.

The application is designed to run in cookieless mode.

When I look at the HTTP and HTTP traffic is see the following lines:

GET /thePage.jsp?A1=WXYZ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Referer: https://www.applicationX.com/LogonNow.jsp?B1=TokenValue1
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.applicationX.com
Pragma: no-cache
Connection: Close
Cookie: GX_jst=5a0b0572662d6166; JSESSIONID=-3637575215269328760; JSESSIONID=www.applicationX.com-102%253A416a33b8%253Ac883f365a5cf4ab1

You will see that there are TWO JSESSIONIDs. The second one is double URL encoded and when decoded reads:

JSESSIONID=www.applicationX.com-102:416a33b8:c883f365a5cf4ab1,

MY QUESTIONS ARE:
=============
1.  Is it possible to have 2 JSESSIONIDS at the same time ?
2.  Why is one double URL encoded ? Is this iPlanet behaviour or caused by the app developers ?
3.  Have anyone seen 2 x JSESSIONIDs in one request / response loop, and if so, are there any negative implications ?

Many thanks,

James
0
Comment
Question by:jamesspo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Author Comment

by:jamesspo
ID: 12284627
Hi, Overnight I have answered this myself... Hope this helps someone else

Looking at a GET we can see two sessionsids being seperated by an "&", therefore not being read as valid sessionid, therefore the URL re-writing is creating further sessionids to revalidate the strings.
 
This is the first time we see duplicate sessionids:

1.   GXHC_GX_jst=5a0b0561662d6165
2.   GXHC_JSESSIONID=2859727027147568041
1a. GXHC_GX_jst=5a0b0561662d6165
2a. GXHC_JSESSIONID=2859727027147568041

The question is... have we got 3 or 4 ? The list above is 4 (2 x 2 duplicates) and below we have 3;

1. GXHC_GX_jst=5a0b0561662d6165
2. GXHC_JSESSIONID=2859727027147568041
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID=2859727027147568041

Actually we have 3.
 
This is because the URL re-writer will
 
Set-Cookie A1=x
Set-Cookie A2=y
Set-Cookie A3=z
 
results in
 
A1=x&A2=y&A3=z
 
if the URL is rewritten with a new value of A2=q the result would be:
 
A1=x&A3=z&A2=q
 
So in the applicationX website, the server thinks that there is a new cookie called "GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID" and its value is "2859727027147568041"
 
So we have 3 cookies:
 
1. GXHC_GX_jst
2. GXHC_JSESSIONID
 
and
 
3. GXHC_GX_jst=5a0b0561662d6165&GXHC_JSESSIONID

So.... by correctly using & instead of & this does not occur and URL re-writer does not create the third bogus session cookie.

Can I have a refund now !!!

Thx

James
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12713725
PAQed with points refunded (150)

modulo
Community Support Moderator
0

Featured Post

WordPress Tutorial 1: Installation & Setup

WordPress is a very popular option for running your web site and can be used to get your content online quickly for the world to see. This guide will walk you through installing the WordPress server software and the initial setup process.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

FAQ pages provide a simple way for you to supply and for customers to find answers to the most common questions about your company. Here are six reasons why your company website should have a FAQ page
Although a lot of people devote their energy toward marketing for specific industries, there are some basic principles that can be applied to any sector imaginable. We’ll look at four steps to take and examine how those steps were put into action fo…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.
Suggested Courses

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question