
Key: BLZ-111
Type: Bug
Status: Closed
Resolution: Fixed
Assignee: aglosban
Reporter: aglosban
Votes: 0
Watchers: 0
BlazeDS

New HTTP session created on every poll request if cookies are disabled on the client.

Created: 03/28/08 09:14 AM   Updated: 04/01/08 03:20 PM
Component/s: Channels: Polling AMF, Channels: Polling HTTP
Security Level: Public (All JIRA Users)

Severity: Incorrectly Functioning
Reproducibility: Every Time
Discoverability: Medium
Found in Version: BlazeDS 3.0.1
Milestone: BlazeDS 3.0.1
Affected OS(s): All OS Platforms
Steps to Reproduce:
1. Disable cookies in your web browser.
2. Run a test that uses AMF or HTTP polling.
3. Look at the HTTP session count for the web application.
 
Actual Results: See a new HTTP session get created for every poll request.
 
 
Expected Results: This can cause lots of HTTP sessions to get created on the server which could cause performance/scalability problems. Maybe there is some way for us to check for/require cookies to be enabled and deny the request otherwise.
 
 
Notes: The Tomcat manager application gives session numbers per web application so you can use this to see how many sessions have been created.
 
 
 
Language Found: English
Bugbase Id: none
Triaged: Yes
Regression: No
QA Owner: aglosban
Resolved by: Seth Hodgson
Participants: aglosban, Seth Hodgson and Trevor Baker
JDK: Sun JDK 5
Application Server: Apache Tomcat 6.x


Trevor Baker - [03/28/08 09:59 AM ]
Anything we can do here?

Seth Hodgson - [03/28/08 03:40 PM - edited ]
Fixed in 3.0.x in revision 1007 and in trunk in revision 1008.

This actually is fixed/prevented before the client issues any poll requests. If the browser is configured to not allow session cookies, upon the second request to the server we detect this and return an error to the client. The ErrorMessage has a code of "Server.Processing.DuplicateSessionDetected" allowing client code to generate a custom alert to the end user. The duplicate sessions are also immediately invalidated on the server (no reason to wait for regular session timeout).

We require that the client support session cookies for HTTP-based channels/endpoints.

Note that the best solution is to detect and warn for this condition on the client using Javascript before the Flash player is even in the picture.
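
The client-side check suggested in the comment above can be done by writing a session cookie and reading it back before the Flash content is loaded. This is an added example, not code from BlazeDS or from the commenters; the probe cookie name and the `fakeDocument` helper are made up for illustration.

```javascript
// Added example: probe for session-cookie support before embedding the SWF.
// PROBE_NAME and fakeDocument() are assumptions for this illustration, not BlazeDS names.
const PROBE_NAME = "blz_cookie_probe"; // hypothetical cookie name

// `doc` is anything whose `cookie` property behaves like document.cookie.
function sessionCookiesUsable(doc) {
  const value = String(Date.now());
  try {
    // No Expires/Max-Age attribute: this is a session cookie, the kind the
    // servlet container relies on to carry its session id.
    doc.cookie = PROBE_NAME + "=" + value + "; path=/";
    const stored = doc.cookie.split(";").some(
      (pair) => pair.trim() === PROBE_NAME + "=" + value);
    // Remove the probe so it is not sent along with later requests.
    doc.cookie = PROBE_NAME + "=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
    return stored;
  } catch (e) {
    // document.cookie can throw (for example in a sandboxed frame); treat as unusable.
    return false;
  }
}

// Constructed stand-ins for `document`, so the check can be exercised outside a browser.
function fakeDocument(mode) {
  const jar = new Map();
  return {
    get cookie() {
      if (mode === "throws") throw new Error("SecurityError");
      return [...jar].map(([k, v]) => k + "=" + v).join("; ");
    },
    set cookie(str) {
      if (mode === "throws") throw new Error("SecurityError");
      if (mode === "blocked") return; // browser silently drops the cookie
      const [pair, ...attrs] = str.split(";");
      const eq = pair.indexOf("=");
      const name = pair.slice(0, eq).trim();
      const expired = attrs.some((a) => /^\s*expires=Thu, 01 Jan 1970/i.test(a));
      if (expired) jar.delete(name); else jar.set(name, pair.slice(eq + 1).trim());
    },
  };
}

// In a page: run the check first and only load the Flash content when it passes.
if (typeof document !== "undefined" && !sessionCookiesUsable(document)) {
  alert("This application requires session cookies to be enabled.");
}
```

A write-and-read-back probe catches the case where the browser accepts the assignment but silently discards the cookie.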

aglosban - [04/01/08 03:20 PM ]
Verified. Disable cookies in the browser and run a test that uses a polling amf channel. Verify that you get the duplicate session id message that Seth talks about in his fix. Note: I tested this on Firefox but in IE couldn't get my cookie handling to be disabled. I did verify that I only had one session on the server and not 1 session per poll request.