4 messages in org.apache.tomcat.users
From, Sent On
Rachel Greenham, Aug 10, 2000 5:02 am
Yun Sang Jung, Aug 10, 2000 5:20 am
Brian Richards, Aug 10, 2000 5:24 am
Craig R. McClanahan, Aug 10, 2000 10:07 am
Subject: Re: Losing cookie if hostname different, under apache
From: Craig R. McClanahan (Crai@eng.sun.com)
Date: Aug 10, 2000 10:07:00 am
List: org.apache.tomcat.users

Rachel Greenham wrote:

> It's an odd one:

It becomes less odd when you understand what is going on ... see below.

> It would appear that, under Apache, if you change the hostname by which you access a web server, even if that hostname resolves to the same actual host, Tomcat can't pick up the cookie.

Cookies are matched, in the client browser, by the domain (or domain+host) name that is specified. Therefore, when you change hostnames, it is the *client* that does not know the two names are referring to the same host. Tomcat has nothing to do with this.

> ie: As I'm on the same subnet, I start with http://myhost/ but as I progress through the site a redirect or something including just me typing a URL directly, causing a switch to using the FQDN eg: http://myhost.mydomain.etc/, the switch causes Tomcat to mislay the cookie or session object.

It's not mislaid -- "myhost" and "myhost.mydomain.etc" are not the same strings, so they are considered (again, by the browser not the server) to be two different hosts. Therefore, it only sends the cookie back to the hostname that sent it. Use the same name consistently throughout your app.

You should *always* use a consistent host name throughout your web applications. The easiest way to achieve this goal is to use relative URLs for all of your hyperlinks. When the client receives a relative URL, it will automatically use the host name and address of the page containing that link, so the host name will always be the same.

> But this *doesn't* happen when Tomcat is used in standalone mode - ie: if I access the same site on port 8080 rather than port 80, and again switch from http://myhost/ to http://myhost.mydomain.etc/ - the cookie/session object remains accessible regardless of changes in the hostname the client makes.

Actually, that sounds like a bug. It should not be accessible.

> The problem only occurs when the site is used through Apache, so presumably it's a problem in Apache and/or the JServ connector. I tried uncommenting the ServerName directive in httpd.conf so it explicitly specifies the host's FQDN but it made no difference. Any ideas anyone?
>
> I'm not even sure I should be considering it a bug, as this might be a necessary thing to allow virtual hosting to work in Apache.
>
> FWIW: Apache 1.3.12, Tomcat 3.1 (including mod_jserv.so built from Tomcat 3.1 sources), running on Linux and Sun JDK1.3 beta.

For further information on how cookies are supposed to work, see the official standard for them: RFC 2109. Among other places, you can find the RFCs using one of the search engines at <http://www.rfc-editor.org>.

Craig McClanahan
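
The client-side matching described in the reply above can be reproduced with Python's standard http.cookiejar standing in for the browser. This is an added example, not part of the original message or of Tomcat; the cookie name and value are constructed, and the host names are the ones used in the thread.

```python
import email
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal response object: CookieJar only calls info() to read headers."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def cookie_header_sent(origin_url, set_cookie, next_url):
    """Store a cookie set by origin_url, then return the Cookie header the
    client would attach to a request for next_url (None if nothing is sent)."""
    jar = CookieJar()
    # The jar records the cookie against the host name in origin_url,
    # because the Set-Cookie header carries no Domain attribute.
    jar.extract_cookies(FakeResponse(set_cookie), Request(origin_url))
    follow_up = Request(next_url)
    # The jar compares host-name strings; it never resolves them to addresses.
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


# Constructed session cookie; no Domain attribute, as for a default session cookie.
SESSION = "JSESSIONID=abc123; Path=/"
SHORT = "http://myhost/app/page"
FQDN = "http://myhost.mydomain.etc/app/page"

if __name__ == "__main__":
    for origin, target in [(SHORT, SHORT), (SHORT, FQDN), (FQDN, SHORT), (FQDN, FQDN)]:
        sent = cookie_header_sent(origin, SESSION, target)
        print(f"set by {origin:38} request to {target:38} Cookie: {sent}")
```

The session cookie is returned only when the follow-up request uses the same host name string that set it, which is why a switch between the short name and the FQDN looks like a lost session on the server.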