Cayenne / CAY-1739

Cayenne ROP server resets session on every request if BASIC auth is used


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1B1
    • Fix Version/s: 3.1B2, 3.2.M1
    • Component/s: None
    • Labels: None

    Description

      Per http://stackoverflow.com/questions/12314857/apache-cayenne-rop-server-no-session-associated-with-request-on-tomcat-7, Tomcat 7 resets the HTTP session on every ROP request, resulting in a loss of state on the client.

      I reproduced that on Tomcat 7 and Jetty 8. Jetty 6 works correctly.

      Debugging on Jetty shows that if BASIC auth is present, the container invalidates the existing session and creates a new one during the auth credentials checking phase. So it goes like this:

      1. Connect ... session1 is established
      2. Bootstrap ... session1 cookie is accepted, but session is immediately invalidated and session2 is created
      3. Commit ... Client still sends session1 cookie, while the server expects session2, causing an exception:

      org.apache.cayenne.remote.service.MissingSessionException: [v.3.2M1-SNAPSHOT Sep 10 2012 23:14:19] No session associated with request.
      at org.apache.cayenne.remote.service.BaseRemoteService.processMessage(BaseRemoteService.java:127)

      I wonder if the new servlet spec is specifying this behavior.

      A possible fix is to read the session cookie on the client and reset session ID on every request.

      A hideous workaround for the users is to remove BASIC auth.
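
The three-step exchange described in the report, as an added simulation (not Cayenne code and not from the reporter): a hypothetical `Container` replaces the session whenever BASIC credentials are present, and a hypothetical `Client` either keeps the first session ID or, as the proposed fix suggests, re-reads it from every response. The `JSESSIONID` cookie name and all class names are assumptions.

```java
import java.util.HashSet;
import java.util.Set;

// Added illustration, not Cayenne code: Container and Client are hypothetical stand-ins.
public class SessionRotationDemo {
    // Simulated container: a request with BASIC credentials gets its session replaced.
    static class Container {
        private final Set<String> live = new HashSet<>();
        private int counter = 0;
        // Returns a Set-Cookie header value, or null when the session is unchanged.
        String handle(String cookie, boolean basicAuth, boolean needsSession) {
            boolean known = cookie != null && live.contains(cookie);
            if (needsSession && !known)
                throw new IllegalStateException("No session associated with request.");
            if (known && !basicAuth) return null;
            live.remove(cookie);                  // invalidate the old session
            String fresh = "session" + (++counter);
            live.add(fresh);
            return "JSESSIONID=" + fresh + "; Path=/; HttpOnly";
        }
    }

    static class Client {
        final boolean rereadCookie;
        String sessionId;
        Client(boolean rereadCookie) { this.rereadCookie = rereadCookie; }
        void send(Container server, boolean needsSession) {
            String setCookie = server.handle(sessionId, true, needsSession);
            // Fix proposed in the report: take the session ID from every response.
            if (setCookie != null && (rereadCookie || sessionId == null))
                sessionId = setCookie.split(";")[0].split("=", 2)[1];
        }
    }
    static String run(boolean rereadCookie) {
        Container server = new Container();
        Client client = new Client(rereadCookie);
        try {
            client.send(server, false);  // 1. connect
            client.send(server, true);   // 2. bootstrap
            client.send(server, true);   // 3. commit
            return "commit ok, client holds " + client.sessionId;
        } catch (IllegalStateException e) {
            return "commit failed: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        System.out.println("cookie read once:      " + run(false));
        System.out.println("cookie read each time: " + run(true));
    }
}
```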

          People

            Assignee: Andrus Adamchik (andrus)
            Reporter: Andrus Adamchik (andrus)