WOOKIE-222

"Session Error" dialog for each widget appears in tomcat 7 (using the WAR build)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.0
    • Fix Version/s: 0.9.1
    • Component/s: Server
    • Labels:
      None
    • Environment:
      Windows 7 SP1 64-bit, all browsers, Tomcat 7.0.16

      Description

      Opening a widget in the gallery causes a "Session Error" browser dialog to be displayed for each widget on the page during loading, repeated after a page refresh (as reported by Ate in WOOKIE-181). Seems there is a problem in the engine.js section of DWR. Doesn't appear to happen in Tomcat 6*.

      Moving this as a top level issue as it was a little hidden.

          Activity

          Paul Sharples created issue -
          Paul Sharples added a comment -

          More information / possible workarounds found here

          https://tickets.openmrs.org/browse/TRUNK-1738

          Paul Sharples added a comment -

          I can confirm that adding the following to the web.xml file stops the error appearing in tomcat 7...

          <init-param>
          <param-name>crossDomainSessionSecurity</param-name>
          <param-value>false</param-value>
          </init-param>

          The warning is that it may open CSRF attacks, according to the above link. Should we just add a note to the Known issues of RELEASE_NOTES? (as we are hoping to replace dwr very soon anyway?)

          Scott Wilson added a comment -

          I think adding a note to Known Issues along with this workaround would cover it. Hopefully we can fix this in the next release.

          Paul Sharples made changes -
          Field Original Value New Value
          Fix Version/s 0.9.1 [ 12315418 ]
          Fix Version/s 0.9.0 [ 12315417 ]
          Scott Wilson made changes -
          Status Ready To Review [ 10006 ] Open [ 1 ]
          Assignee Paul Sharples [ psharples ]
          Scott Wilson added a comment -

          Another workaround is to set useHttpOnly="false" in Tomcat:

          https://tickets.openmrs.org/browse/TRUNK-1874

          Scott Wilson added a comment -

          Apparently the issue was also fixed in DWR 3.0RC2:

          http://bugs.directwebremoting.org/bugs/browse/DWR-26

          Scott Wilson added a comment -

          OK how about this for a resolution:

          • For 0.9.1 Add an entry to the FAQ and README "known issues", and describe the Tomcat workaround disabling HTTP-only cookies
          • For 0.9.2 create a task to either update to DWR3.0, or replace with another framework (e.g. Atmosphere)
          Paul Sharples added a comment -

          Sounds good to me

          Scott Wilson added a comment -

          More info here for reference:

          http://www.tomcatexpert.com/blog/2011/01/26/cross-site-scripting-xss-prevention-tomcat-7

          I think it's safer to turn off DWR's XSS mechanism and leave on Tomcat 7's, as there seems to be an issue with DWR's XSS detection and the two are in conflict.

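          The comments above describe two workarounds that each remove a defence. The following is an added illustration, not DWR's or Wookie's code: it models DWR's crossDomainSessionSecurity as a double submit of the session id (engine.js reads JSESSIONID from document.cookie and posts it back with the call; the server compares that value with the id carried in the Cookie header) and runs both a legitimate widget page and a cross-site forgery against each combination of Tomcat's useHttpOnly and DWR's check. The cookie name, path, session id value and every function name are assumptions of the model.

```python
# Added model of the conflict in WOOKIE-222; not DWR or Wookie code.
# Cookie name/path, the session id and all function names are assumed.

JSESSIONID = "JSESSIONID"


def parse_cookie_header(header: str) -> dict:
    """Parse 'a=1; b=2' into a dict (enough for this model)."""
    pairs = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs[name.strip()] = value.strip()
    return pairs


class Browser:
    """Minimal cookie jar that honours the HttpOnly attribute."""

    def __init__(self):
        self.jar = {}  # name -> (value, http_only)

    def receive_set_cookie(self, header: str) -> None:
        parts = [p.strip() for p in header.split(";")]
        name, value = parts[0].split("=", 1)
        http_only = any(p.lower() == "httponly" for p in parts[1:])
        self.jar[name] = (value, http_only)

    def cookie_header(self) -> str:
        """What the browser attaches to every request to the site."""
        return "; ".join(f"{n}={v}" for n, (v, _) in self.jar.items())

    def document_cookie(self) -> str:
        """What page script (engine.js, or an XSS payload) can read."""
        return "; ".join(f"{n}={v}" for n, (v, ho) in self.jar.items() if not ho)


def tomcat_set_cookie(session_id: str, use_http_only: bool) -> str:
    """Session cookie as the container issues it; Tomcat 7 defaults useHttpOnly to true."""
    cookie = f"{JSESSIONID}={session_id}; Path=/wookie"
    return cookie + ("; HttpOnly" if use_http_only else "")


def engine_js_batch(document_cookie: str):
    """Client half of the double submit: echo the session id script can see."""
    return parse_cookie_header(document_cookie).get(JSESSIONID)


def server_check(cookie_header: str, posted_session_id,
                 cross_domain_session_security: bool) -> bool:
    """Server half: accept the call only if the echoed id matches the cookie."""
    if not cross_domain_session_security:
        return True  # check switched off: nothing ties the call to the page origin
    real = parse_cookie_header(cookie_header).get(JSESSIONID)
    return real is not None and posted_session_id == real


def simulate(use_http_only: bool, cross_domain_session_security: bool) -> dict:
    """Run a legitimate widget page and a cross-site forgery against one configuration."""
    browser = Browser()
    browser.receive_set_cookie(tomcat_set_cookie("A1B2C3", use_http_only))  # constructed id

    # Legitimate page on the Wookie origin: engine.js reads document.cookie.
    legit_ok = server_check(browser.cookie_header(),
                            engine_js_batch(browser.document_cookie()),
                            cross_domain_session_security)

    # Cross-site forgery: the browser still attaches the cookie, but the
    # attacker's page cannot read Wookie's cookies, so it has nothing to echo.
    forged_ok = server_check(browser.cookie_header(), None,
                             cross_domain_session_security)

    return {
        "legit_request_accepted": legit_ok,   # False => the "Session Error" dialog
        "csrf_request_accepted": forged_ok,   # True  => forged calls go through
        "session_cookie_readable_by_xss": JSESSIONID in browser.document_cookie(),
    }


if __name__ == "__main__":
    for http_only, cdss in [(True, True), (True, False), (False, True)]:
        print(f"useHttpOnly={http_only} crossDomainSessionSecurity={cdss}:",
              simulate(http_only, cdss))
```

          With Tomcat 7 defaults (HttpOnly on, DWR check on) the legitimate page itself is rejected, which is the dialog this ticket reports. Setting crossDomainSessionSecurity to false makes the forged cross-site call succeed too, and setting useHttpOnly to false restores the check but leaves JSESSIONID readable by any script that runs on the page.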
          Scott Wilson made changes -
          Link This issue is superseded by WOOKIE-238 [ WOOKIE-238 ]
          Scott Wilson added a comment -

          Added to release notes for 0.9.1 and created WOOKIE-238 for future fix

          Scott Wilson made changes -
          Status Open [ 1 ] Closed [ 6 ]
          Paul Sharples added a comment -

          Verified - workaround documented in RELEASE_NOTES. The outstanding issue here now forms part of WOOKIE-238.

          Paul Sharples made changes -
          Status Closed [ 6 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Transition             Time In Source Status   Execution Times   Last Executer    Last Execution Date
          Reviewable -> Open     51d 23h 32m             1                 Scott Wilson     22/Aug/11 11:58
          Open -> Closed         21d 22h 5m              1                 Scott Wilson     13/Sep/11 10:03
          Closed -> Resolved     22d 1h 54m              1                 Paul Sharples    05/Oct/11 11:58

            People

            • Assignee: Paul Sharples
            • Reporter: Paul Sharples