Closed
Bug 316188
Opened 20 years ago
Closed 20 years ago
duplicate JSESSIONID in 2 browsers with same URL
Categories
(Firefox :: General, defect)
RESOLVED
DUPLICATE
of bug 117222
People
(Reporter: romanticbit, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.8) Gecko/20051025 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.8) Gecko/20051025 Firefox/1.5
I wrote a ChatRoom application. In that case, I launched two Firefox browsers (instances), then typed "http://localhost:8080/ChatRoomDemo/login.jsp" in both browsers and pressed return. When I switched to Tomcat (5.0.28) debug mode and checked the session id, I found that the 2 session ids from the 2 Firefox instances were equal. Surprisingly, when I tried Internet Explorer 6.0, the result was totally different: just 2 different session ids with 2 IE browser instances. I don't know why Firefox has such a serious problem, which will seriously affect lots of web applications.
Finally, I tried disabling the cookie from 'localhost', and rewrote my source code to use 'response.encodeURL' to enable URL rewriting when cookies are disabled, and repeated the above operations. This time, I checked the HTML source code when login.jsp rendered in the 2 Firefox browsers, and I found the JSESSIONID returned from Tomcat is actually different. Such as (HTML code in login.jsp):
1. <form action="/ChatRoomDemo/login/;jsessionid=4E72B2339DD5458CA45420822446F0C0" method="post" id="loginForm" name="loginForm">
2. <form action="/ChatRoomDemo/login/;jsessionid=57119AB402CF1A71C9FDB02EA3CB6BCE" method="post" id="loginForm" name="loginForm">
So I am sure the problem is unrelated to Tomcat; it is Firefox's problem - it doesn't update the cookie but instead duplicates it when sending the same URL request in multiple Firefox browsers, which probably is not consistent with the HTTP protocol !!! I hope the Firefox developers could pay more attention to this bug, and fix it as soon as possible. Thanks
Reproducible: Always
Steps to Reproduce:
1. Visit a website in the first Firefox browser with some URL
2. Visit a website in the second Firefox browser with the same URL
3. Check the cookie related to that website in those 2 browser instances
4. You will find your checks in the 2 browsers will be dramatically the same - the cookie is duplicated, not updated!
Actual Results:
This problem will corrupt lots of web applications which use a session tracking mechanism
Expected Results:
The JSESSIONID is a special value in the cookie. It should be updated or invalidated when the session is expired, or the browser is closed, or the same URL is requested again. So the way JSESSIONID is stored may be somewhat different from normal cookies.
I think maybe the problem is a serious one, otherwise, how come the bug hasn't been fixed for such a long time. Meanwhile, I will study the source code of Tomcat 5 to learn the session id generation algorithm.
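An added example, not part of the original report and not Tomcat's or Firefox's code: a simplified Python model of the two session-tracking modes the report compares, cookie-based and URL rewriting. `SessionServer`, `Profile` and `demo` are hypothetical names, and the model assumes that all windows of one browser profile share a single cookie store (`Profile.jar`).

```python
import secrets
from http.cookies import SimpleCookie

class SessionServer:
    """Simplified model of container session tracking (not Tomcat's code)."""
    def __init__(self):
        self.sessions = set()

    def handle(self, path, cookie_header=""):
        """Return (session_id, Set-Cookie value or None, rewritten form action)."""
        # The id may arrive in the Cookie header or as a ;jsessionid= path parameter.
        morsel = SimpleCookie(cookie_header).get("JSESSIONID")
        sid = morsel.value if morsel else None
        if sid is None and ";jsessionid=" in path:
            sid = path.split(";jsessionid=", 1)[1]
        set_cookie = None
        if sid not in self.sessions:  # no valid id presented: start a new session
            sid = secrets.token_hex(16).upper()
            self.sessions.add(sid)
            set_cookie = f"JSESSIONID={sid}; Path=/ChatRoomDemo"
        # Stand-in for response.encodeURL(): carry the id in the URL itself.
        return sid, set_cookie, f"/ChatRoomDemo/login/;jsessionid={sid}"

class Profile:
    """One browser profile; every window opened from it shares self.jar."""
    def __init__(self, cookies_enabled=True):
        self.cookies_enabled = cookies_enabled
        self.jar = {}

    def open_window(self, server, path):
        header = "; ".join(f"{k}={v}" for k, v in self.jar.items())
        sid, set_cookie, action = server.handle(path, header)
        if set_cookie and self.cookies_enabled:
            for name, morsel in SimpleCookie(set_cookie).items():
                self.jar[name] = morsel.value
        return sid, action

def demo():
    """Constructed scenario: two windows per profile request the same login page."""
    server, url = SessionServer(), "/ChatRoomDemo/login.jsp"
    with_cookies, without_cookies = Profile(True), Profile(False)
    a, _ = with_cookies.open_window(server, url)
    b, _ = with_cookies.open_window(server, url)        # cookie from window 1 is sent
    c, action_c = without_cookies.open_window(server, url)
    d, _ = without_cookies.open_window(server, url)     # nothing identifies window 1
    follow_up, _, _ = server.handle(action_c)           # rewritten URL keeps session c
    return {"shared_jar_same_id": a == b, "rewriting_distinct_ids": c != d,
            "rewritten_url_resumes": follow_up == c}

if __name__ == "__main__":
    print(demo())
```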
Comment 1•20 years ago
I'm guessing you are using
*** This bug has been marked as a duplicate of 117222 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE