I recently built a simple web-app deployed over Tomcat. The app uses pretty standard session based security where a user who has logged in is given a session.

Sessions work fine in Firefox and Chrome, but require the use of jsessionid in the URL for IE (tested 7 & 8), set to medium privacy. In IE 8, I tried to override cookie handling, setting "Allow all 3rd party cookies" and "Allow all session cookies"- no dice. However, when I run Tomcat on my local machine, IE accepts the cookie, and sessions work just fine.

And now, for the HTTP headers.

From Chrome, a logged in user gets a session

GET http://devl:8080/testing/ HTTP/1.1
Host: devl:8080
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT STA"
Set-Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397; Path=/testing
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 2450
Date: Fri, 26 Mar 2010 14:14:40 GMT

GET http://devl:8080/testing/logout HTTP/1.1
Host: devl:8080
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Referer: http://devl:8080/testing/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397

...

From IE 8, with standard medium level security and privacy-

GET http://devl:8080/testing/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; Tablet PC 2.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: devl:8080
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT STA"
Set-Cookie: JSESSIONID=192999F922D6E9C868314452726764BA; Path=/testing
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 2450
Date: Fri, 26 Mar 2010 14:32:34 GMT

GET http://devl:8080/testing/logout HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://devl:8080/testing/;jsessionid=6371A83EFE39A46997544F9146AA5CEA
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; Tablet PC 2.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: devl:8080

...

I thought it might be P3P, but on adding a compact policy, nothing changes. This is the standard Tomcat session, so I'm really surprised I haven't been able to find other people with the same problem so far. Anyone have any ideas?

EDIT 4/3/2010 -

Sorry if I didn't make this clear- I've tried from multiple other instances of IE - co-workers down the hall, etc.

EDIT 4/3/2010 -

I've also tried turning on prompting for all cookies, but I don't get a prompt. Setting the domain in the "Set-Cookie" header using Fiddler didn't make a difference, either.

A: 

This clearly has nothing to do with Tomcat, since the cookie is being set - just not accepted by IE. This must be a security issue in IE then. Maybe this MS article would help to tune it.

lexicore
Matt Luongo
+1  A: 

Have you checked that the server time is correct?

I have had similar problems recently with IE not accepting cookies properly. After a lot of head scratching it turned out to be because the time difference between the server and client machines was so big that IE refused to accept the cookie. This was in Apache however.

Giles Smith
There's only a minute time difference, tops =/ Thanks for the idea, though - I'll keep that one stashed up my debugging sleeve.
Matt Luongo
+1  A: 

Try using the standard HTTP port (80). I've read about issues with port numbers in URLs regarding privacy/security in IE more than once but can't seem to find relevant links at this time.

Josef
I've also seen this in the past. If you can, test with port 80 to see if you can reproduce the problem.
chris
Thanks for the idea, but this one didn't work either. I ran the site on both 80 and 8080.
Matt Luongo
A: 

What security zone is the dev1 site part of? IE handles cookies and lots of other security differently depending on which zone (and how the zone is configured).

Try setting the dev1 site to explicitly be part of the Trusted Sites for example and see what happens.

Zones:

Internet
Local Intranet
Trusted Sites
Restricted Sites

Also, does the cookie have to be restricted to the /testing path? Try setting it for / and see if that makes a difference.

Goyuix
Usually, the site is in the Internet zone. Neither Trusted Sites nor Local Intranet changes the behavior.
Matt Luongo
@Matt - what about changing the cookie path?
Goyuix
A: 

I would try using the fully qualified hostname of the server. MSIE treats hostname without domains as being in the "Local intranet" and handles security differently.

Specifically, instead of:

http://devl:8080/testing/

Try using something like:

http://devl.mydomain.com:8080/testing/
Jack Leow
Neither is handled as "local intranet" - I'm asked if I'd like to turn the local intranet option on, and I chose no.
Matt Luongo
So when you switch to the FQDN, is the only difference the "Host:" header?
Jack Leow
A: 

I agree with Lexicore - the cookie protocol from the web server looks right, so there's something with IE. It would be easier to figure out how to address the issue if we understood better why IE is rejecting the cookie. Alternatively, ask a friend to hit the site for you in IE to help confirm it's a server issue, not a browser instance issue.

Here are some things to check to help debug with IE and cookies - unfortunately, there's a mess of options to check. Sorry if some of these items seem basic - I just don't want to make any assumptions. I'm following along in IE 8.0 for this.

First, browse to the target site (http://devl:8080/testing/) in IE. Then:

  1. Confirm what zone IE classifies 'http://devl:8080/testing/' into. (This could explain why it works with Tomcat on your local machine.) The zone is displayed in the bottom bar of the browser and it most likely says "Internet". If it instead says "Local intranet", "Trusted Site", or "Restricted Site", this may be part of the problem and you should update your question or figure out why it isn't classified as Internet.

  2. Double-click on the zone indicator in the bottom bar (presumably "Internet") to open the Security dialog. Is the Security Level for Internet set to Medium-high? If it isn't, this could be part of the problem and you should probably reset it back to match your users.

  3. Select the "Internet" zone and then click the "Custom level ..." button to open the Security Settings dialog. Confirm the "Userdata persistence" option is set to "Enable". The "Userdata persistence" option is in the bottom 1/4 of the list of options in the "Miscellaneous" section (near the bottom of the section, just above the next section, "Scripting").

  4. Click OK on each dialog to close both of them.

  5. On the menubar (enable it if it is not enabled), click "Tools" > "Internet Options". Select the "Privacy" tab. I know you mentioned you tried some things here, but those changes may not affect your site if your site is not in the Internet zone or if your site is in the "Per Site Privacy Actions" exception list, so it's best to just confirm.

  6. Is the privacy setting in the Privacy tab set to Medium? If not, you may want to reset to default.

  7. Click the "Sites" button to open the Per Site Privacy Actions dialog. Is your dev1 site listed? If so, remove it. Click OK to dismiss the dialog. Alternatively, you could force your dev1 site to always Allow cookies.

  8. Click the "Advanced" button. Is "Override automatic cookie handling" checked? If so, you might want to uncheck it to match your users. Alternatively, try checking it and checking "Always allow session cookies."

  9. Click OK on each dialog to close both of them.

  10. Confirm the browser is still at the target site ('http://devl:8080/testing/'). Click "View" > "Webpage Privacy Policy..." to view the Privacy Report dialog. Does the list include "http://dev1:8080/testing/"? Does the Cookie column indicate "Accepted" for "http://dev1:8080/testing/"?

  11. Select "http://dev1:8080/testing/" from the list. Click Summary to see the Privacy Policy. If you set one for your site, you should see it here. Otherwise, you should get a message that a privacy policy was not found. Look at the bottom of the dialog to see how the site is set to use cookies (compare, always allow, or never allow).

Hope this helps or gives you some ideas to pursue.


Ref:

Bert F
1. The zone is Internet.
2. Set to medium-high.
3. Userdata persistence is enabled.
6. Privacy is set to medium.
7. My domain is not in the list - it's empty. I added it to the list, under always allow - it made no difference.
8. As I said in the post, these options don't do anything for me.
10. The URL is included in the list, but has no text under cookies. The top of the dialog read - "Based on your privacy settings, no cookies were restricted or blocked."
Matt Luongo
11. While my URL wasn't listed, all of the children I visited were listed. Summary says that no privacy policy was found. I set the action to allow, but it made no difference.
Matt Luongo
Thanks for the ideas, Bert. #11 looks like it might have some promise, but it kills me that I can set all options to "allow" and this still doesn't work.
Matt Luongo
Okay, at least that rules some things out. Please note my new comment about multiple session ids under the original question.
Bert F
@Matt I find it odd that in #10 the Cookies column is blank for the target URL - it's acting as if IE doesn't think it's getting any Set-Cookie requests to accept or block. You might try this experiment: under Tools > Privacy > Advanced, turn on "Override automatic cookie handling", uncheck "Always allow session cookies", and set First-party Cookies and Third-party Cookies to Prompt. Then try visiting the site again (same URLs as you tried) and see what cookie IE8 thinks it's getting. If you do get jsessionid cookies, I wonder if they are always the same session id or whether the session id changes.
Bert F
+1  A: 

This forum concerning P3P seems relevant.

Also have you considered setting your domain and expiration date for the session cookie?

Jon D. Koon
A: 

It seems from what you're saying that you've only seen this issue in IE and only using computers in your office. Is there any sort of "security suite" installed by IT on all office computers, and if so, can you temporarily disable it? Oftentimes, these types of applications hook into IE and muck with its HTTP stack. If you do have software like that installed, do you have a "clean" installation or non-company computer you can test with?

Jacob
+1  A: 

I ran into this exact problem, dug around for a while, and found this:

http://forums.iis.net/p/1147938/1879164.aspx

which says that domain names that have underscores in them cause problems with Windows Server, Tomcat and IE.

not sure if this fixes your problem (and at this point, you probably don't care) but maybe the next person who comes along can gain some value from it.

johnbr
+1  A: 

Problem: IE8 refused to accept cookies on a site I had built, but Firefox and IE7 worked just fine and had done so for ages - this was stable code.

Solution (for me): My server is in a different time zone to the client machine. The STUPID, IDIOTIC IE8 tries to be clever and refuses to accept cookies (stored in the local client machine) with a 20 minute life. My PHP code was straight from the text book, thus:

setcookie($name,$value,time()+1200);

But it works fine if I change it to, for example -

setcookie($name,$value,time()+120000);

This still leaves me with the problem of making the cookie die after 20 minutes, but at least my users can now use my website with IE8. I pass on this information in case it may help someone else.

Garth
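Two of the causes raised in this thread can be checked mechanically before blaming the browser: an absolute Expires date that is already in the past according to the client's clock (Giles Smith's and Garth's answers; Expires is always an absolute GMT timestamp, so what matters is the real UTC offset between the two clocks, not the configured time zone) and a host name containing an underscore (johnbr's answer; underscores are not valid in RFC 1123 host labels). The Python below is an added example written for this page, not code from the question or any answer. It builds a cookie the way Garth's PHP `setcookie($name,$value,time()+1200)` does (absolute Expires = server time plus a lifetime) and then evaluates it with a client clock that is one hour ahead. The host names, cookie names and skew values are constructed for the demonstration. The assumption that the client honours Max-Age is stated in the code; the original Tomcat `Set-Cookie` headers above carry no Expires at all, so the clock-skew explanation does not apply to them and the checker reports nothing for that case. Note also that once IE falls back to URL rewriting, the session id travels in the Referer header (visible in the IE trace above), which is a reason to fix cookie acceptance rather than live with the fallback.

```python
"""Pre-flight checks for a Set-Cookie header as a strict browser would see it.

Constructed example for this thread; not code from the original question or
answers. Two rejection causes discussed in the thread are encoded:
  1. an absolute Expires that is already past on the *client's* clock, and
  2. a host name whose DNS labels contain an underscore (not RFC 1123 clean).
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# RFC 1123 host label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen. An underscore fails this pattern.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

REASON_EXPIRED = "expires already past on client clock"
REASON_BAD_HOST = "host label contains character outside RFC 1123"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def expires_in_past(attrs, client_now):
    """True if the cookie's absolute Expires is already past on the client clock.

    Max-Age is relative to receipt and so unaffected by clock skew; it is never
    flagged here. Assumption for this example: the client honours Max-Age
    (old IE versions did not, which is why Expires is what matters for them).
    A session cookie with neither attribute has no expiry to misjudge.
    """
    if "max-age" in attrs or "expires" not in attrs:
        return False
    expires = parsedate_to_datetime(attrs["expires"])
    if expires.tzinfo is None:           # "-0000" parses as naive; treat as UTC
        expires = expires.replace(tzinfo=timezone.utc)
    return client_now >= expires


def host_has_bad_label(host):
    """True if any DNS label of host (an optional :port stripped) is not RFC 1123 clean.

    Assumption: host is a DNS name, not an IPv6 literal.
    """
    hostname = host.rsplit(":", 1)[0] if ":" in host else host
    return any(not _LABEL.match(label) for label in hostname.split("."))


def check_cookie(host, header, client_now):
    """Return the list of reasons a strict client might drop this cookie."""
    reasons = []
    _name, _value, attrs = parse_set_cookie(header)
    if host_has_bad_label(host):
        reasons.append(REASON_BAD_HOST)
    if expires_in_past(attrs, client_now):
        reasons.append(REASON_EXPIRED)
    return reasons


def build_cookie(name, value, server_now, lifetime_s, path="/"):
    """Mimic PHP setcookie($name,$value,time()+$lifetime): absolute Expires in GMT."""
    expires = format_datetime(server_now + timedelta(seconds=lifetime_s), usegmt=True)
    return f"{name}={value}; Expires={expires}; Path={path}"


def demo():
    """Run the checks over constructed cases and return the verdicts by label."""
    # Server clock (constructed; matches the Date header in the Chrome trace).
    server_now = datetime(2010, 3, 26, 14, 14, 40, tzinfo=timezone.utc)
    # Client whose clock is one hour ahead of the server in real UTC terms,
    # e.g. a server set to local time but reporting it as GMT.
    client_now = server_now + timedelta(hours=1)
    short = build_cookie("PHPSESSID", "abc123", server_now, 1200)      # 20 min
    long_ = build_cookie("PHPSESSID", "abc123", server_now, 120000)    # ~33 h
    # A Tomcat session cookie as in the original trace: no Expires at all.
    tomcat = "JSESSIONID=9280023BCE2046F32B13C89130CBC397; Path=/testing"
    return {
        "20min_under_skew": check_cookie("devl:8080", short, client_now),
        "33h_under_skew": check_cookie("devl:8080", long_, client_now),
        "underscore_host": check_cookie("dev_box.example.com", short, server_now),
        "tomcat_session": check_cookie("devl:8080", tomcat, client_now),
    }


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(f"{label}: {reasons or 'accepted'}")
```

The 20-minute cookie is reported as already expired because the client's clock is 60 minutes ahead and the expiry is only 20 minutes out on the server's clock; the same cookie with a 120000-second lifetime passes, which is exactly the behaviour Garth describes. The fix that keeps the short lifetime is to correct the server clock (or, where the client honours it, to send Max-Age, which is relative to receipt), not to lengthen the expiry.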