ICEfaces
  1. ICEfaces
  2. ICE-9690

Running ICEfaces without cookies causes session flooding on Apache Tomcat

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: 3.3
    • Fix Version/s: None
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      Tomcat 7.0.47
      Java 1.7
      ICEfaces Core/Ace 3.3.0
      Apache MyFaces 2.1.10
    • Workaround Exists:
      Yes
    • Workaround Description:
      Hide
      Implement a servlet filter to catch all resource requests (URL pattern "javax.faces.resource").
      Forcefully attach these requests to one specific session that is managed by the servlet filter.
      This blocks new sessions from being created by "javax.faces.resource" requests when cookies are disabled.
      Show
      Implement a servlet filter to catch all resource requests (URL pattern "javax.faces.resource"). Forcefully attach these requests to one specific session that is managed by the servlet filter. This blocks new sessions from being created by "javax.faces.resource" requests when cookies are disabled.

      Description

      Please follow these steps to reproduce the behaviour:
      * Install an ICEfaces application with ace components on Tomcat7.
      * Use the attribute cookies='false' in the context definition (e.g. in /META-INF/context.xml) to disable cookies and force URL rewriting.
      * Open the Tomcat management application (/manager/html) to view a list of active sessions in the ICEfaces application. It helps to start with an empty session list.
      * Start the application and visit some pages containing ace components.
      * Check the manager application again.

      Expected:
      In single user mode, there should be one active session only.
      Observed:
      Along with the expected "primary" session, a number of additional sessions is being spawn on each page visit.

      The expected behaviour can be observed when cookies are enabled (cookies='true' in the context definition).
      Other servlet-containers besides Tomcat may be affected as well (not tested).

      The issue may be related with ICE-2438 (Support for browsers with cookies disabled).

      Current state of analysis:
      The flooding is caused by requests for JSF resources, which contain "javax.faces.resource" as part of their URL.
      These requests do not seem to be affected by URL rewriting and do not contain a session id in the URL.
      As a result, these requests spawn new sessions.
      There may be other types of requests that behave similar, but so far none have been found.

      Based on this, a workaround described below has been developed.

        Activity

        Innova Developer created issue -

          People

          • Assignee:
            Unassigned
            Reporter:
            Innova Developer
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated: