Problem with jsessionid on Tomcat 5.0 while using JSF

Hi All,

I am using JSF as a development framework for my web application. I am using Tomcat 5.0 as my web server.

I have the following code in the unauthorized.jsf page:

<HTML>
      <%@ taglib uri="http://java.sun.com/jsf/core" prefix="f" %>
      <%@ taglib uri="http://java.sun.com/jsf/html" prefix="h" %>
      
        <HEAD>
            <TITLE> QJet - UnAuthorized Page </TITLE>
            </HEAD>

      <f:view>            
            <h:form>
                  <h:outputText id="organization-error" value="You are not Authorized to access the this Application.  Please contact the" />
                  <h:outputLink value="mailto:njet.admin@ntc.com">
                  <h:outputText value="Aviation Team" />
                  </h:outputLink>
                  <h:outputText value=" if you have any questions." />
            </h:form>
      </f:view>
</HTML>

As per my programming logic, when an unauthorised person tries to access my application, he gets redirected to this page. If the user clicks on this "Aviation Team" link, a new mail opens with the proper "njet.admin@ntc.com" address in the "To: " textbox.
If the user closes this new mail, copies the URL of this unauthorized.jsf page from the browser and closes the browser, and then opens a new browser and pastes the URL of the unauthorized.jsp page, he still sees this "Aviation Team" message, but this time if he clicks on the "Aviation Team" link the new mail opens with a weird email ID in the "To :" box: "njet.admin@ntc.com ;jsessionid=12346fdf32323sdsd34".

I can't understand why this address gets changed and the jsessionid is added. Does the Tomcat server maintain this session for the previously logged-in user? Is it a part of the JSF framework?
If anybody has any suggestions, please let me know.

Thanks in advance!
Asked by: jas123
1 Solution
 
bloodredsun commented:
outputLink is used for rendering anchor tags <a>. One of its abilities is URL rewriting when session tracking by cookies is not enabled, just as the c:url tag does in JSTL. See here: http://216.239.59.104/search?q=cache:1YhtpzR80k8J:www.manning-source.com/books/mann/mann_chp4.pdf+outputLink+url+rewriting&hl=en&client=firefox-a

>> Does the Tomcat server maintain this session for the previously logged-in user?
Depends on session time-out and whether you closed the browser completely.

>> Is it a part of JSF framework?
Which bit of the above
 
rrz commented:
I agree with bloodredsun's comments.
> Now if user opens a new browser
So, let's assume that now session.isNew() returns true.
In this case JSF doesn't know if client uses cookies yet. So it always sends the id in the first response. rrz
 
bloodredsun commented:
>>So it always sends the id in the first response.

Shouldn't the request from the browser have a header telling the server that the browser accepts cookies? I suspect this may be an idiosyncrasy of JSF...
 
rrz commented:
>Shouldn't the request from the browser have a header telling the server that the browser accepts cookies?
Maybe it should, but I don't think that it does (based on my google). rrz
 
rrz commented:
I think I should get a few points here.     rrz