users@glassfish.java.net

Re: could someone explain what the JSESSIONIDVERSION cookie is used for?

From: Dick Davies <rasputnik_at_hellooperator.net>
Date: Tue, 4 Nov 2008 22:04:44 +0000

On Tue, Nov 4, 2008 at 9:21 PM, Jan Luehe <Jan.Luehe_at_sun.com> wrote:
> Hi Dick,
>
> On 11/ 4/08 12:56 PM, Dick Davies wrote:
>>
>> I'm seeing some weirdness with Firefox and my Glassfish cluster; I'm
>> continually being asked to log in.

>> I noticed in addition to the JSESSIONID cookie, there's an integer set
>> called JSESSIONIDVERSION. Can someone explain how that's used?

> GlassFish in-memory replication relies on HTTP session versioning in order
> to be able to detect stale sessions, and in order to be able to resume an
> HTTP session with the version requested by the client (which would be the
> session's most recent version).
>
> Session versioning information is carried via a cookie named
> JSESSIONIDVERSION.


Thanks Jan, that makes a lot of sense.

So to clarify, this is something Glassfish (the appserver) is managing,
rather than Roller (the webapp), am I right? It's just it's not always easy to
tell which of the two needs a tweak for any given bug :)

Does the following sound normal, then?

Bear with me and maybe you'll understand why I was asking if there was
a session debugger earlier today :)

Once I've logged in, Safari has 2 cookies

JSESSIONID = <the session id>, path = /
JSESSIONIDVERSION cookie , path = / , contents = /:43

As I click around the webapp, the contents increment: /:44 , /:45 , etc.
and the path remains as /.

But logging in with Firefox 3 and clicking around the app
seems to create multiple cookies called
JSESSIONIDVERSION , each with a different path.

For example, I currently see:


JSESSIONID = <the session id>, path = / , (only send for encrypted connections)
JSESSIONIDVERSION cookie , path = / , contents = /:1
JSESSIONIDVERSION cookie , path = /default/resource/images/ , contents = /:2
JSESSIONIDVERSION cookie , path = /roller-ui/, contents = /:1
JSESSIONIDVERSION cookie , path = /roller-ui/styles/ , contents = /:4
JSESSIONIDVERSION cookie , path = /roller-ui/theme/tan/ , contents = /:5

So Safari seems to (correctly?) ignore the path
but Firefox treats the combination of path+cookie name as unique,
resulting in duplicate JSESSIONIDVERSION cookies, one per path, each versioned
independently (which makes it possible for there to be 2 cookies each
with a version of /:1).

My hunch is that what I'm seeing is

1. Firefox goes back to /roller-ui/styles and presents a
JSESSIONIDVERSION of /:4,
2. Glassfish is expecting /:5 and invalidates the session
3. the user gets to curse at the login screen again


Anybody seen anything like this before?
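
The hunch in the message above can be checked with a small model of a path-scoped cookie store. This is an added example, not part of the original message and not GlassFish or browser code; the `Jar` class, the `replay` helper, the request path `/roller-ui/styles/site.css` and the rule that the first matching cookie is the one the server reads are all assumptions made for illustration.

```python
# Constructed model: none of this is GlassFish or browser source code.

def path_matches(request_path, cookie_path):
    """Path-match rule from RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class Jar:
    """Cookie store keyed by (name, path): same name, new path, new entry."""

    def __init__(self):
        self.cookies = {}

    def store(self, name, value, path):
        self.cookies[(name, path)] = value

    def values_for(self, name, request_path):
        # Matching cookies are sent longest path first (RFC 6265 section 5.4).
        hits = [(p, v) for (n, p), v in self.cookies.items()
                if n == name and path_matches(request_path, p)]
        return [v for p, v in sorted(hits, key=lambda h: -len(h[0]))]


def parse_version(value):
    """'/:43' -> 43, the value format shown in the message."""
    return int(value.rsplit(":", 1)[1])


def replay(set_cookie_events, request_path, name="JSESSIONIDVERSION"):
    """Return (version presented first by the client, latest version issued)."""
    jar, latest = Jar(), 0
    for path, value in set_cookie_events:
        jar.store(name, value, path)
        latest = max(latest, parse_version(value))
    sent = jar.values_for(name, request_path)
    # Assumption: the server reads the first cookie with this name.
    return parse_version(sent[0]), latest


# Constructed from the Firefox cookie list in the message.
FIREFOX = [("/", "/:1"), ("/roller-ui/", "/:1"),
           ("/default/resource/images/", "/:2"),
           ("/roller-ui/styles/", "/:4"), ("/roller-ui/theme/tan/", "/:5")]
# Safari as described: one cookie at path "/", overwritten on each response.
SAFARI = [("/", "/:43"), ("/", "/:44"), ("/", "/:45")]
```

With the Firefox list, a request under /roller-ui/styles/ presents version 4 while the latest issued version is 5; with the Safari list the two values are equal.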