CF10: Apache returns 404 when ;jsessionid is appended

Oct 15, 2012 4:24 AM

Tags: #apache #64bit #connector #cf10

Hi all,

we are currently upgrading a SLES 11 Server to CF10 64bit.

Last week we spent 2 days eliminating a problem with the connector.

Apache refused to deliver CF-Pages. The log file said that mod_jk could not connect to the cfusion instance - Error 503...

We finally fixed this by copying a mod_jk binary from a working CF10 Server to this one.

Now Apache (2.2.23) serves all CF pages flawlessly.

What I just discovered was a problem, when a client doesn't accept cookies and J2EE-Sessions are turned on.

A URL with the sessionid appended (as for example cflocation creates it) results in a 404 error:

http://xxxxx.xxxxxx.com/login.cfm;jsessionid=xyxxyxyxyxyxyxy

I remember such a problem from a CF6/7 install, but that was IIS on Windows.

I'm just stuck with this one.

Can somebody please help?

Regards

Joerg

Replies
  • Oct 15, 2012 6:27 AM   in reply to Joerg.Zimmer

    Joerg, want to help (or help others help you). You say you “are stuck”, but said after “copying a mod-jk binary…Now Apache (2.2.23) serves all CF pages flawlessly.” Can you clarify what you are seeking then? Just an explanation? Or is something still broken?

    You did find the culprit: with j2ee sessions enabled, a cflocation (without addurltoken=”no”) will cause it to create a URL with the sessiontoken added. Or if a client does not send cookies, then the urlsessionformat function will do it.

    Or are you wondering more why (if all that was the same before) it worked before your upgrade to 10? In that case, it may help to specify what changed (CF, OS, web server) in terms of product or version.

    /charlie

  • Oct 16, 2012 9:03 AM   in reply to Joerg.Zimmer

    Regarding 404 and jsessionid in earlier versions of ColdFusion, there was an option you could enable in the connector settings so that the webserver would stop trying to parse the semicolon-jsessionid (;jsessionid=) from the url.  That setting is no longer applicable, but for reference here's a blog on it:

    http://www.talkingtree.com/blog/index.cfm/2004/7/23/JSessionID404

    I tried to reproduce the issue you describe with CF10, but could not.  I have CF10 (unpatched as of now) on CentOS 6.3 linux with Apache 2.2.15 (default settings).   When I enable j2ee sessions and test a sample app that uses session management, I noticed that jsession id is no longer added with a semicolon, but rather it is now delimited with an ampersand &.   If I dump the session scope, I see that session.urlToken has for example a value like this:

    CFID=4100&CFTOKEN=f8e872170c5ba331-26C7CDF6-ECC3-EA3D-C19BEAE3B75DD043&jsessionid=46424487C9E38C2640741E76C4B50D38.cfusion

    Notice the & delimiter rather than a ; delimiter.  So I'm curious as to why your configuration has a ; instead.

    I tested enabling and disabling cookies, and in all cases a) the delimiter remained &, and b) I never encountered a 404 (verified in the error_log/access_log).

    I also tested manually replacing the & with a ; in the URL, and the page still resolved correctly.

    The only unusual behavior that I noticed is that when cookies were disabled, my CFID and CFTOKEN remained the same every request but the J2EE jsession id changed every request.  Not sure what to say about that.  When I re-enabled cookies, I found that all 3 tokens remained constant.

  • Oct 16, 2012 9:25 AM   in reply to Steven Erat

    Looking for where the semicolon might be coming from, I noticed that in ColdFusion 10 urlsessionformat() still outputs a ; delimiter, even though cflocation addtoken uses an ampersand & and so does session.urltoken.

    When I formatted a link with urlsessionformat, the link was created with a semicolon and the link still worked.  I did not get a 404.

    Your application may be using urlsessionformat on links, so if you don't find the Apache configuration option to allow semicolon delimiters, you could try replacing usage of #urlsessionformat('somepage.cfm')# with 'somepage.cfm?#session.urltoken#' instead.

  • Oct 16, 2012 4:30 PM   in reply to Steven Erat

    Steven, great stuff. As for your last point, that’s the session fixation protection (new in CF10, or added in the security hotfixes on CF 9/9.0.1 or included in 9.0.2). The change of the sessionid under the cover is now automatic. Just google coldfusion session fixation to find more on that.

    /charlie

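The reply above attributes the changing jsessionid to session fixation protection. As an added illustration (not ColdFusion's code, and not from this thread), the following Python sketch shows what such protection does: an in-memory session table that issues a fresh identifier whenever a session is authenticated, so that whatever identifier a client was holding before login no longer refers to any session. The class name, the `secrets.token_hex` identifier format and the sample user name are all assumptions made for the example.

```python
import secrets


class SessionStore:
    """In-memory session table that rotates the identifier on login.

    Hypothetical illustration of session-fixation protection: the id a
    client holds before authentication is never the id of the
    authenticated session.
    """

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Start an anonymous session and return its identifier."""
        sid = secrets.token_hex(16)  # 128-bit random id (assumed format)
        self._sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def lookup(self, sid):
        """Return the session data for sid, or None if it is unknown."""
        return self._sessions.get(sid)

    def login(self, sid, user):
        """Authenticate the session and issue a fresh identifier.

        The old identifier is dropped from the table, so a request that still
        presents it gets no session at all rather than the authenticated one.
        """
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session id")
        data["authenticated"] = True
        data["user"] = user
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid


def demo():
    """Run one login and report (id changed, old id dead, new id authenticated)."""
    store = SessionStore()
    sid = store.create()
    new_sid = store.login(sid, "constructed-user")
    return (sid != new_sid,
            store.lookup(sid) is None,
            store.lookup(new_sid)["authenticated"])


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True)
```

A real server would also reissue the cookie or URL token to the client after `login` returns the new identifier; the point here is only that the pre-authentication id is retired.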
  • Oct 16, 2012 4:32 PM   in reply to Steven Erat

    More good stuff. Thanks. Seems like a bug in urlsessionformat (overlooked in the update that changed the ; to & in cflocation’s addtoken). Hope one of you will open a bug report.

    In the meantime, rather than swap the function (since it includes logic you’d need to replicate), I’d propose instead wrapping it in a replace function that just changes the ;jsessionid to &jsessionid.

    Hope that’s helpful.

    /charlie

  • Oct 17, 2012 6:59 AM   in reply to Joerg.Zimmer

    Joerg, before you file a bug report (which may well be warranted), since you say you applied Update 3 and it didn’t change things, here’s something you want to confirm (and may have missed).

    The technote for the update does say that after applying the update, you would reconfigure the web server connectors (which for most means re-run the CF web server configuration tool).

    Especially in this case where you have an issue with the web server connectivity, this may be key if indeed it may have been addressed. Of course, it’s not mentioned as being fixed in the technote, but still…

    /charlie

  • Oct 17, 2012 7:45 AM   in reply to Joerg.Zimmer

    @Joerg Yes, I know the J2EE Servlet specification describes the jsessionid token as delimited by a semicolon (at the time I last read it 6 or 7 years ago).   But I did notice that session.urltoken and cflocation addtoken now use an ampersand to delimit jsessionid, and I'm not sure why (more later on that).  I would like to just say that in my configuration I did not reproduce the issue even with urlsessionformat where a ; was used.

    My config was Apache 2.2.15 64bit on CentOS 6.3 (~RHEL 6.3), with CF 10 final.  I disabled cookies using Safari and Firefox to test and urlsessionformatted links with ;jsessionid worked ok on that env.   Your own environment obviously differs, but I don't have that env to test myself.

    The problem as I see it is that your Apache server is attempting to parse the URL before the CF Connector tries to.  In CF9 and earlier, the connector config file had a setting to make the CF Connector parse the URL first, bypassing the webserver's attempt to parse it.  I don't know of an equivalent means in CF10 of forcing the connector to be the only one parsing the URL.

    @Charlie, I'm generally aware of the session fixation issue, and have been keeping up with most blog posts and email threads that I found on the topic, but I doubt I've reflected on them as carefully as you have.  I've been unable to find any references to the change in the delimiter from ; to & for jsessionid.  Perhaps I don't fully understand the issue yet.

    Curiously, as an aside, I did notice that the documentation for urlsessionformat() in CF8, 9, and 10 (at least) shows what I believe is an incorrect example of the function result.  It shows ...index.cfm?jsessionid=NNNNNNN...;cfid=NNNN=;cftoken=NNNNNNNNNN where the jsessionid is NOT delimited by a semicolon but rather a ? mark.  The actual output is ...index.cfm;jsessionid=NNNNNNNNNN... where a ; delimiter is used rather than a ?.

  • Oct 17, 2012 7:43 AM   in reply to Charlie Arehart

    @Charlie, ok, my second pass reading your reply makes better sense.  I see that you were referring to why the jsessionid was changing when cookies are disabled.  Got it.  I thought you were referring to the change in delimiter.

  • Oct 17, 2012 7:48 AM   in reply to Steven Erat

    Hey Steven, as for my reply to you earlier, I was only speaking to your observation that the jsessionid value was changing. It’s about that that this session fixation change is having an impact.

    /charlie

  • Oct 17, 2012 7:53 AM   in reply to Joerg.Zimmer

    Yikes, Joerg. That’s not one I’ve seen, but then I don’t work much with *nix or Apache.

    Here’s a question to help you resolve things, or help others help you: in doing this reconfig of the connectors, was that any different than what you’d done before, when first setting things up? I’m just trying to know (and have others here know) how familiar you already are with configuring the connectors.

    I wouldn’t see why, if you’d done them before, and you just added the hotfix, that then running them again would break so violently for you.

    I suppose if you can’t resolve it, or someone doesn’t chime in, then in the interest of time it may be best just to reinstall. I’ll understand if you may then be hesitant to rebuild the connectors after applying that update 3, if you think doing so breaks.

    /charlie

  • Oct 17, 2012 7:58 AM   in reply to Joerg.Zimmer

    @Joerg, if the connector install script is using verbose -v then did you notice anything unusual in the wsconfig.log to indicate there was a problem?  How about trying the -apxs option which will force build a new connector on your system rather than plugging in a pre-built connector.  (using -apxs requires package httpd-devel).  I've seen Apache seg fault when CF added the wrong connector for my architecture.

  • Oct 17, 2012 8:51 AM   in reply to Joerg.Zimmer

    Yes, sorry for brevity. I meant to use the wsconfig tool with the -apxs option which will force wsconfig to build a connector from source and compile it against the libraries on your system for best compatibility. So you set up the commandline as you would normally do (or copy and modify the cmd line from a pre-existing connector install script), then add in the -apxs option, and it's best to include the -v option too for maximum output.

  • Oct 17, 2012 9:42 AM   in reply to Joerg.Zimmer

    Eeeep.  My fault.  Apparently there is no explicit -apxs switch anymore.   It seems that use of apxs to build a connector from source is built into wsconfig now, and wsconfig will determine if it needs to build from source or not, but you cannot tell it to manually do so. On my CentOS, it builds the connector from source each time even though I don't call out -apxs.

  • Oct 20, 2012 7:43 PM   in reply to Joerg.Zimmer

    Could someone try clicking this link on Apache: <cfoutput><a href="#urlSessionFormat('/')#">home</a></cfoutput>

    When J2EE sessions are enabled and cookies disabled, I see that clicking a link to urlSessionFormat('/') triggers a 404 on IIS due to the "/;jsessionid".  Does that also 404 on Apache?  I'm unfamiliar w/ Apache, so I'm curious.

    Thanks!,

    -Aaron

  • Oct 23, 2012 3:21 AM   in reply to Steven Erat

    could try replacing usage of #urlsessionformat('somepage.cfm')# with 'somepage.cfm?#session.urltoken#' instead.

    Hi Steven,

    I tried this on CF9 and CF10 w/ cookies disabled, J2EE Sessions enabled, and verbose logging enabled in the web server connector.  I'm seeing that CF9 properly finds the jsessionid session identifier and does not create a new jsessionid cookie on each request.  However, I'm seeing that CF10 does not find the jsessionid session identifier and creates a new jsessionid cookie on each request.  Basically, that's not maintaining a session for me in CF10 - while it does maintain session in CF9.

    Could anyone verify?  My CF10 test was run on x64 Windows 7, so perhaps what I'm seeing is specific to that connector.

    Thanks!,

    -Aaron

  • Oct 23, 2012 3:35 AM   in reply to itisdesign

    Hi Joerg,

    I'm seeing that a jsessionid immediately following a forward slash ('/;jsessionid=x') is not treated as '/' by CF's web server connector and therefore an attempt to find a match for URI '/index.cfm' is never made.  However, this issue also exists in CF9.0.1.  Thus, I haven't yet found a scenario where ;jsessionid causes a 404 in CF10 that didn't already exist in CF9.  I've tried tho.

    Thanks,

    -Aaron

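Two points in the thread lend themselves to a worked illustration: Charlie's suggestion of wrapping urlsessionformat() in a replace that turns `;jsessionid` into `&jsessionid`, and Aaron's observation that `/;jsessionid=x` is not treated as `/`, so `/index.cfm` is never looked up. The Python below is an added example, not ColdFusion's connector code or anything posted in this thread. It parses a URL the way a connector that understands servlet path parameters would (strip `;name=value` from each path segment, also accept `jsessionid` in the query string as CF10's session.urlToken does), maps a directory request to its index file, and rewrites a `;jsessionid=` link into the query-string form. Unlike a plain string replace, the rewrite picks `?` when the link has no query string yet, so `login.cfm;jsessionid=x` does not become `login.cfm&jsessionid=x`, which would be a different resource. The function names, the `index.cfm` default and the sample links are assumptions for the example; the sample links are constructed after the forms quoted in the thread.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def parse_session_url(url):
    """Split url into (path, jsessionid, query).

    Handles both token placements seen in the thread: the servlet-style path
    parameter (';jsessionid=...', allowed on any path segment) and the
    query-string form ('&jsessionid=...'). The returned path has all path
    parameters stripped, so '/;jsessionid=x' becomes '/'. If the token is
    present in both places the path parameter wins.
    """
    parts = urlsplit(url)  # urlsplit leaves ';...' inside .path, unlike urlparse
    segments = []
    jsessionid = None
    for segment in parts.path.split("/"):
        pieces = segment.split(";")
        segments.append(pieces[0])
        for param in pieces[1:]:
            name, _, value = param.partition("=")
            if name.lower() == "jsessionid" and jsessionid is None:
                jsessionid = value
    path = "/".join(segments) or "/"
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    for key in list(query):
        if key.lower() == "jsessionid":
            value = query.pop(key)
            if jsessionid is None:
                jsessionid = value
    return path, jsessionid, query


def resolve_request(url, directory_index="index.cfm"):
    """Map a request URL to the script a connector should look up.

    Once the path parameter is stripped, '/;jsessionid=x' is the directory
    root and resolves to the index file instead of being looked up as a file
    literally named ';jsessionid=x'.
    """
    path, jsessionid, _query = parse_session_url(url)
    if path.endswith("/"):
        path += directory_index
    return path, jsessionid


def move_jsessionid_to_query(link):
    """Rewrite ';jsessionid=' in a link into '?jsessionid=' or '&jsessionid='.

    Links without a jsessionid path parameter are returned unchanged.
    """
    parts = urlsplit(link)
    path, jsessionid, query = parse_session_url(link)
    if jsessionid is None:
        return link
    query["jsessionid"] = jsessionid
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed sample links modelled on the forms quoted in the thread.
    samples = (
        "http://www.example.test/login.cfm;jsessionid=ABC123",
        "/;jsessionid=E1FF803C751A6252E9EDD559ABD06EFE.cfusion",
        "/index.cfm?CFID=4100&CFTOKEN=f8e8-26C7&jsessionid=4642.cfusion",
    )
    for link in samples:
        print(link, "->", resolve_request(link), move_jsessionid_to_query(link))
```

The `resolve_request` step is the one a web server or connector has to perform before the file lookup; if the server matches the literal path against the filesystem first, `login.cfm;jsessionid=x` has no corresponding file and a 404 is the natural outcome, which is consistent with the behaviour described in this thread.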
  • Oct 23, 2012 3:37 AM   in reply to Joerg.Zimmer

    <a href="/;jsessionid=E1FF803C751A6252E9EDD559ABD06EFE.cfusion">

    AHA!  Thanks Joerg for that clarification!  Yes, I wondered if that was the case (jsessionid immediately following the forward slash).  However, that also fails for me in CF9.  Does that work for you in CF9?

  • Oct 23, 2012 3:42 AM   in reply to itisdesign

    Hmm, I see it was also throwing a 404 for you when jsessionid follows a file (ex: login.cfm;jsessionid=x).  Hmm..  I wonder if this issue is specific to the Apache web server connector in CF10.  However, I see that Steven verified that he sees the expected result.  Well, I'm not yet sure how you're both seeing different results w/ CF10+Apache.  Interesting.

  • Oct 23, 2012 10:55 PM   in reply to Joerg.Zimmer

    Hi Joerg,

    Is your setup the same as you described here?  http://coldfused.blogspot.com/2006/09/handling-j2ee-session-with-cookies_12.html

    I found that post when researching urlSessionFormat/J2EE Sessions.

    I've logged the following bugs which, when fixed, would help you w/ urlSessionFormat() and J2EE sessions.  I'm not sure if any of them will solve the issue you mention in this thread, but they still should be fixed regardless.

    3352056 - https://bugbase.adobe.com/index.cfm?event=bug&id=3352056 (CF9 vs CF10 wrt urlSessionFormat() w/ J2EE sessions)

    3352067 - https://bugbase.adobe.com/index.cfm?event=bug&id=3352067 (web server connector 404s when URL contains '/;jsessionid=x' (jsessionid after forward slash))

    3352078 - https://bugbase.adobe.com/index.cfm?event=bug&id=3352078 (CF9 vs CF10 wrt jsessionid in query string (maintained vs broken sessions))

    I'm about out of ideas for now.

    Hope that helps!,

    -Aaron