May 4, 2011
Question

Problems with jsessionid and Internet Explorer


We are running on CF9.0.1, Java 1.6.0_25, and Win2003 Server. Our application uses J2EE sessions instead of ColdFusion session management.

Apparently, IE (6 through 9) has a problem where it can confuse the domain and subdomain of a cookie or session.

Here is the problem:

  • A user logs into a session at domain.org (not www.domain.org). This user gets a session cookie which (surprise!) can be read by any subdomain of domain.org.
  • The same user links to a second application at subdomain.domain.org.
  • The user logs in, thus setting a second session cookie. This login will work!
  • But trouble is just ahead; the moment the user browses anywhere, the application may fail. MSIE returns the domain.org session cookie first, not the subdomain.domain.org cookie.

This was only a very rare issue for years until the last month. Now we get calls about logout on the very first click after logging in to our application on a daily basis. The problem is exclusively IE. All other browsers work fine. Typically, a user starts at our homepage at https://www.domain.com which links them to https://secure.domain.com where they login, get to their homepage, and are logged out on the next page request.

We can only randomly reproduce this problem in our office. It is very intermittent and requires some perfect storm of links and redirects which we cannot replicate. But, when it does happen, we are able to view the headers using Fiddler and can verify this is the problem. Somehow, IE gets into a state where it is sending two jsessionid values in the header:

...

Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=8430bacbee6307aa542a5a92c50611b5d140;JSESSIONID=8430ba6416114e4ea58e76274a155064751e

...

The first jsessionid is from the first subdomain and is not valid at the second subdomain. The second jsessionid is the valid one from the second subdomain.

When a session is created a Set-Cookie header like this is sent:

Set-Cookie: JSESSIONID=8430bacbee6307aa542a5a92c50611b5d140;path=/

Now what should happen is IE should be able to assign that session cookie to the domain it came from and only send it back with requests from that same domain. But it's not. For some reason, sometimes it sends all jsession cookies from the top level domain (.domain.com) with all requests, hence the two values in the header.

JRun apparently does not know how to deal with this. Other servlet containers (like Tomcat) will look at the first jsessionid, see it is invalid, and keep trying until it finds a valid session id or runs out of values. JRun tries the first one it finds, sees it's invalid, and sends a new session id back with the response. This causes the browser to update the second jsessionid while the first remains static, and it continues in this loop indefinitely until all cookies are deleted and only a single jsessionid is set at the proper domain.

In CF9, the domain attribute was added to cfcookie where you can explicitly define the domain as well as the path the cookie is good for.

There is no such option when the jsessionid is created. There is a configuration variable for cookie-domain in the jrun-web.xml file but that would hardcode it for all cookies on the server and our app runs under www and secure for three different domains on each box.

I have tried setting the jsessionid with an explicit header directive using <cfheader> like this:

<!--- create the header value --->
<cfheader name="Set-Cookie" value="JSESSIONID=#SESSION.SessionID#;domain=.#CGI.SERVER_NAME#;path=/">

in the onSessionStart() method but it just causes two Set-Cookie headers to be sent:

Set-Cookie: JSESSIONID=8430bacbee6307aa542a5a92c50611b5d140;domain=.domain.com;path=/
Set-Cookie: JSESSIONID=8430bacbee6307aa542a5a92c50611b5d140;path=/

There also is no way I've found to programmatically delete both jsessionids as the browser does work properly in that it only deletes the cookie from the domain of the response. It still continues to send the old jsessionid from the first subdomain with each subsequent request. The only solution is to manually delete cookies from the browser and restart it.
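The two mechanisms the post describes, cookie domain scoping (a host-only JSESSIONID set by the apex host should not be sent to a subdomain) and a container's handling of a Cookie header that carries two JSESSIONID values (use only the first, as the post says JRun does, or try each candidate, as it says Tomcat does), are modelled below in a small Python example. This is an added example written for this page, not code from the original thread, from JRun, or from Tomcat; the cookie jar, session store, and the assignment of the two captured ids to the apex and secure hosts are constructed stand-ins that follow the post's description.

```python
"""Model of cookie domain scoping and duplicate-JSESSIONID resolution.

Added example, not code from the original thread. The cookie jar models the
RFC 6265 host-only vs Domain-attribute rule a conforming browser applies; the
resolver models the two container strategies the post contrasts. Neither is
JRun's or Tomcat's real implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # effective domain, lowercased, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    path: str = "/"


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie value (name=value plus Domain/Path attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, path = request_host.lower(), True, "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            # A Domain attribute turns the cookie into a domain cookie that
            # also matches subdomains; the leading dot is ignored per RFC 6265.
            domain, host_only = val.strip().lower().lstrip("."), False
        elif key == "path" and val:
            path = val.strip()
    return Cookie(name.strip(), value.strip(), domain, host_only, path)


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """Host-only cookies match the exact host only; domain cookies match the
    domain itself and every subdomain of it."""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def cookie_header_for(jar: list, request_host: str) -> str:
    """Build the Cookie request header a conforming browser would send."""
    matched = [c for c in jar if domain_matches(request_host, c)]
    return ";".join(f"{c.name}={c.value}" for c in matched)


def parse_cookie_header(header: str) -> list:
    """Split a Cookie header into (name, value) pairs, keeping duplicates in order."""
    pairs = []
    for item in header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def resolve_session(cookie_header: str, valid_sessions: set, first_only: bool) -> Optional[str]:
    """Pick the session id for a request.

    first_only=True models the behaviour the post attributes to JRun (use the
    first JSESSIONID and give up if it is unknown); first_only=False models a
    container that tries every JSESSIONID candidate until one is valid.
    """
    candidates = [v for n, v in parse_cookie_header(cookie_header) if n == "JSESSIONID"]
    if first_only:
        candidates = candidates[:1]
    for sid in candidates:
        if sid in valid_sessions:
            return sid
    return None


# Constructed sample data: the two ids from the post's captured Cookie header,
# assigned (as the post describes) to the apex host and the secure subdomain.
SID_APEX = "8430bacbee6307aa542a5a92c50611b5d140"
SID_SECURE = "8430ba6416114e4ea58e76274a155064751e"
CAPTURED_HEADER = f"JSESSIONID={SID_APEX};JSESSIONID={SID_SECURE}"


def demo() -> dict:
    # Two host-only session cookies, set the way the post shows JRun sets them
    # (path=/ and no Domain attribute), one per host.
    jar = [
        parse_set_cookie(f"JSESSIONID={SID_APEX};path=/", "domain.com"),
        parse_set_cookie(f"JSESSIONID={SID_SECURE};path=/", "secure.domain.com"),
    ]
    conforming = cookie_header_for(jar, "secure.domain.com")
    # The secure.domain.com session store only knows its own session id.
    valid = {SID_SECURE}
    return {
        "conforming_header": conforming,
        "jrun_like": resolve_session(CAPTURED_HEADER, valid, first_only=True),
        "try_all": resolve_session(CAPTURED_HEADER, valid, first_only=False),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running it shows a conforming browser sending only the secure.domain.com cookie to secure.domain.com, while the captured two-cookie header resolves to no session under the first-only strategy and to the secure session under the try-all strategy. The same `domain_matches` check also shows why the post's cfheader attempt (`domain=.domain.com`) would make the cookie match every subdomain.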


    Community Expert
    May 5, 2011

    If you're running Enterprise multiserver, you can solve this by creating different CF instances, then configuring jrun-web.xml individually for each. You might also be able to solve this by using a postprocessing servlet filter written in Java. Both of those are kind of complex ways to solve a simple problem, though.

    Dave Watts, CTO, Fig Leaf Software

    http://www.figleaf.com/

    http://training.figleaf.com/

    WebPexDev (author)
    May 6, 2011

    Thanks for the response. I was actually going to go with the servlet filter option. I figured I could write a filter that would strip any duplicate cookie values out of the header, write it back, and send it on to JRun

    BUT

    We solved the problem. We actually found how to reproduce the problem consistently. If the user hits our external site with no subdomain and then clicks the link to login which redirects to our secure login page on a subdomain, bam, two jsessionids in the header and sessions don't hold.

    For example:

    User types in http://mydomain.com

    User clicks the login link

    User is taken to https://secure.mydomain.com

    User logs in

    User is logged out on next click and every login thereafter until restarting the browser, clearing in-memory session variables.

    We solved it by setting up redirects within DNS and IIS to www.mydomain.com for any request to mydomain.com.

    The redirect happens before hitting the jrun container so there is no session or cookie placed.

    Problem solved. This is still a problem exclusively with IE since Firefox, Chrome, and other browsers handle this situation properly (or at least without causing this problem).

    Thanks for the response.