
Double JSESSIONID in cookie.

Updated 13 years ago by Emmanuel Guiton.

Double JSESSIONID in cookie.

Junior Member | Posts: 39 | Join Date: 10/12/03
Hello all,

In a custom portlet, I perform certain operations based on the user's session id (basically storing and retrieving data using the session id to index these data).

The session id is retrieved using both the javax.portlet.RenderRequest class:
final RenderRequest renderRequest;
[...]
renderRequest.getPortletSession().getId();


And the javax.servlet.http.HttpServletRequest class:
final HttpServletRequest request;
[...]
final String sessionId = request.getSession().getId();


From time to time, we encounter a strange behavior where, for a single session, the data is stored with one session id and the attempt to retrieve it uses a different session id. Of course, the data is not retrieved.

We noticed that this problem is linked with the cookie stored in the user's browser. This is a sample cookie when the problem occurs:
JSESSIONID=B57F83D8F8B41BCF9757A419555AC3F1; utma=161478629.801944786918299400.1244451229.1293724873.1296503095.8; LOGIN=6c677240696e74c2696e7365d32e636f6d; SCREEN_NAME=6735485a2f2f6441415369726c30696b7379674b715a526e2f376c684852366e; GUEST_LANGUAGE_ID=fr_FR; COOKIE_SUPPORT=true; PASSWORD=733756c8622b37733036673d; ID=54726770573573434437453d; COMPANY_ID=10131; utmc=161478629; LFR_SESSION_STATE_12021=1303294549117; JSESSIONID=614A3AB27C9579BF1F5271B501BCECF6

One can notice two different JSESSIONIDs. These are the 2 different session ids that appear in our portlet.

Does anyone have insights on why these 2 session ids coexist?
Is this normal behavior?
How can we be sure to get a unique session id?

Thanks for any help,
- emmanuel
Updated 7 years ago by Vivek Nadar.

RE: Double JSESSIONID in cookie.

New Member | Posts: 1 | Join Date: 15/02/13
Hi Emmanuel,

Did you find a solution for the above issue?

Thanks,
Updated 7 years ago by Olaf Kock.

RE: Double JSESSIONID in cookie.

Liferay Legend | Posts: 6403 | Join Date: 08/09/23
I'm assuming that this could happen if some other application explicitly sets cookies for *.example.com (note the wildcard; it might be that .example.com is the cookie lingo). SSO systems are candidates for this. Or you are handling a request in another web application (that would rather be a servlet request than a portlet request). The portal gets the cookies for /* while a servlet in a plugin web application might get another one for /my-portlet/*

That being said, I'd recommend not relying on reading the session id manually. Technically it's an implementation detail of the appserver. You might want to use the session object, but the ID is not even guaranteed to be identical for the whole session. In fact, it is deliberately changed once someone logs in - to mitigate session fixation attacks.
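
The recommendation in the reply above, sketched as an added example that is not code from any poster in this thread: the data lives in the session object instead of an external store indexed by session id, and a small diagnostic reports cookie names that arrive more than once. The class name `SessionData` and the attribute name `example.userData` are hypothetical; it assumes the portlet and the servlet belong to the same web application (WAR), the servlet and portlet APIs are on the classpath, and Java 8 or later.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.portlet.PortletSession;
import javax.portlet.RenderRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread. Class and attribute names are hypothetical.
public final class SessionData {
    private static final String ATTR = "example.userData";

    // Portlet side: APPLICATION_SCOPE makes the attribute visible to servlets of the same WAR.
    static void store(RenderRequest renderRequest, Object data) {
        renderRequest.getPortletSession()
                .setAttribute(ATTR, data, PortletSession.APPLICATION_SCOPE);
    }

    // Servlet side (same WAR assumed): read from the session object, never look up by id.
    static Object load(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // do not create one just to read
        return session == null ? null : session.getAttribute(ATTR);
    }

    // Diagnostic: cookie names sent more than once in a raw Cookie header, with their values.
    static Map<String, List<String>> duplicateCookies(String cookieHeader) {
        Map<String, List<String>> byName = new LinkedHashMap<>();
        if (cookieHeader == null) {
            return byName;
        }
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) {
                continue; // not a name=value pair
            }
            String name = pair.substring(0, eq).trim();
            byName.computeIfAbsent(name, k -> new ArrayList<>())
                    .add(pair.substring(eq + 1).trim());
        }
        byName.values().removeIf(values -> values.size() < 2);
        return byName;
    }

    // True when the browser sent several JSESSIONID cookies, as in the cookie quoted above.
    static boolean hasAmbiguousSessionCookie(HttpServletRequest request) {
        return duplicateCookies(request.getHeader("Cookie")).containsKey("JSESSIONID");
    }
}
```

Logging the result of `hasAmbiguousSessionCookie` alongside `request.getRequestedSessionId()` shows which of the two ids the container actually chose for a given request.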