Hello,
Looking for someone to either confirm or refute my theory that
deploying two iframes pointing to two different stateful pages on the
same domain can lead to JSESSIONIDs being overwritten. Here's what I
mean:
Setup
suppose you have two pages that require HttpSession state (session
affinity) to function correctly - deployed at http://www.foo.com/page1
and http://www.foo.com/page2
assume www.foo.com is a single host running a Tomcat (6.0.20, fwiw)
that uses JSESSIONID for session id's.
suppose these pages are turned into two iframe widgets to be
embedded on 3rd party sites: http://www.site.com/page1"
/ (and /page2 respectively)
suppose there a 3rd party site that wishes to place both widgets on
the same page at http://www.bar.com/foowidgets.html
Can the following race condition occur?
a new visitor goes to http://www.bar.com/foowidgets.html
browser starts loading URLs in foowidgets.html including the two
iframe 'src' URLs
because browsers open multiple concurrent connections against the
same host (afaik up to 6 in chrome/ff case) the browser happens to
simultaneously issue requests for http://www.foo.com/page1 and
http://www.foo.com/page2
The tomcat @ foo.com receives both requests at about the same time,
calls getSession() for the first time (on two different threads) and
lazily creates two HttpSessions and, thus, two JSESSIONIDs, with
values $Page1 and $Page2. The requests also stuff data into respective
sessions (that data will be required to process subsequent requests)
assume that the browser first receives response to the page1
request. Browser sets cookie JSESSIONID=$Page1 for HOST www.foo.com
next response to the page2 request is received and the browser
overwrites cookie JSESSIONID for HOST www.foo.com with $Page2
user clicks on something in 'page1' iframe on foowidgets.html;
browser issues 2nd request to
http://www.foo.com/page1?action=doSomethingStateful. That request
carries JSESSIONID=$Page2 (and not $Page1 - because cookie value was
overwritten)
when foo.com receives this request it looks up the wrong
HttpSession instance (because JSESSIONID key is $Page2 and NOT
$Page1). Foobar!
Can the above happen? I think so, but would appreciate a confirmation.
If the above is clearly possible, what are some solutions given that
we'd like to support multiple iframes per page? We don't have a firm
need for the iframes to share the same HttpSession, though that would
be nice. In the event that the solution will still stipulate a
separate HttpSession per iframe, it is - of course - mandatory that
iframe 1 does not end up referencing httpSession state for iframe 2
instead of own.
off top of my head I can think of:
map page1 and page2 to different domains (ops overhead)
use URL rewriting and never cookies (messes up analytics)
anything else?
thanks a lot,
-nikita
