I have a JSF 2, EJB 3.1, CDI application running on Glassfish 3.1.2. I noticed that the jsession id always changes: for every request sent to the server, the reconfigured page contains links () with a new jsession id, even if the request already contains the jsession id.
I do not think this is normal, but I have no idea what might cause this behavior.
I configured:
<session-config>
    <session-properties>
        <property name="enableCookies" value="false" />
        <property name="enableURLRewriting" value="true" />
    </session-properties>
</session-config>
but everything else is default, I don't have any weird configuration or custom jsession generation stuff.
Does anyone know what Glassfish / JSF can call to change sessionId?
Example:
The application has a menu that appears on every page. The jsf page contains the following:
<h:link outcome="/search/search">search</h:link>
Now I am describing requests and responses. Requests are simple HTTP GET requests. The answer always contains a full page. No Ajax.
After some basic authentication.
The user enters the start page, which contains a menu with a link to the search page, and this link has a jsession identifier (all other links have the same jsessionId). Details:
- Request:
http://localhost:8080/myApp/start/start.xhtml
- Response Content:
<a href="/myApp/search/search.xhtml;jsessionid=8df431e2275052cf2348a4cb793e">search</a>
The user clicks on this link; the returned page contains the menu again, but now all links have another session id. Details:
- Request:
http://localhost:8080/myApp/suche/teilnehmer_suche.xhtml;jsessionid=8df431e2275052cf2348a4cb793e
- Response Content:
<a href="/myApp/search/search.xhtml;jsessionid=8ebeefb6df144a2fee97d87a51e6">...
User clicks this link again: jsession ID again
- Request:
http://localhost:8080/myApp/suche/teilnehmer_suche.xhtml;jsessionid=8df431e2275052cf2348a4cb793e
- Response Content:
<a href="/myApp/search/search.xhtml;jsessionid=8f4021c2fa628ce3b9c12c545cc4">...
I can click this link (and every other link) again and again, but the jsession id has changed every time.
More strange: after changing the configuration to use cookies instead of urlRewriting, I see that this behavior is observed even for resource files:
The client requests start.xml without a jsession id, and the server returns Set-Cookie JSESSIONID=a68d3d9260d7ea5fd36a7713eb80; Path=/myapp; HttpOnly in the response header.
The client then requests the css page with Cookie JSESSIONID=a68d3d9260d7ea5fd36a7713eb80, and the server sends the css file back, but the response header contains a new session identifier: Set-Cookie JSESSIONID=a68d550e5093e246b01ba4220cd3; Path=/myapp; HttpOnly
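One way to find out what creates or discards the session on each request, as an added example that is not part of the original post: a Servlet 3.0 listener that logs a stack trace whenever a session is created or destroyed and flags requests whose presented id is not the id the request ends with. The class name `SessionChurnListener` and the logger name are hypothetical.

```java
// Added diagnostic example (not from the original post); SessionChurnListener and the
// logger name are hypothetical. Uses only Servlet 3.0 API, as shipped with Java EE 6.
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

@WebListener
public class SessionChurnListener implements HttpSessionListener, ServletRequestListener {
    private static final Logger LOG = Logger.getLogger("session.churn");

    // Log only a prefix: a full session id in a log file is a usable credential.
    private static String tag(String id) {
        return id == null ? "none" : id.substring(0, Math.min(8, id.length())) + "...";
    }

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        // The attached Throwable records the stack of the code that triggered creation.
        LOG.log(Level.WARNING, "created " + tag(e.getSession().getId()), new Throwable("creation call site"));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        // Fires on invalidate() and on timeout; the stack trace shows which one it was.
        LOG.log(Level.WARNING, "destroyed " + tag(e.getSession().getId()), new Throwable("destruction call site"));
    }

    @Override
    public void requestInitialized(ServletRequestEvent e) {
        HttpServletRequest req = (HttpServletRequest) e.getServletRequest();
        if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
            LOG.warning(req.getServletPath() + " presented unknown id " + tag(req.getRequestedSessionId())
                    + " (from " + (req.isRequestedSessionIdFromURL() ? "URL" : "cookie") + ")");
        }
    }

    @Override
    public void requestDestroyed(ServletRequestEvent e) {
        HttpServletRequest req = (HttpServletRequest) e.getServletRequest();
        String presented = req.getRequestedSessionId();
        HttpSession now = req.getSession(false); // false: never create a session here
        if (presented != null && (now == null || !presented.equals(now.getId()))) {
            LOG.warning(req.getServletPath() + " presented " + tag(presented) + " but ended with "
                    + tag(now == null ? null : now.getId()));
        }
    }
}
```

A "presented unknown id" entry followed by "created" means the container no longer holds the session the client sent; a "destroyed" entry with a stack trace points at the code that invalidated it.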