Looking for someone to either confirm or refute my theory that deploying two iframes pointing to two different stateful pages on the same domain can lead to JSESSIONIDs being overwritten. Here's what I mean:
Setup
Can the following race condition occur?
Can the above happen? I think so, but would appreciate a confirmation.
If the above is clearly possible, what are some solutions given that we'd like to support multiple iframes per page? We don't have a firm need for the iframes to share the same HttpSession, though that would be nice. In the event that the solution will still stipulate a separate HttpSession per iframe, it is - of course - mandatory that iframe 1 does not end up referencing httpSession state for iframe 2 instead of own.
off top of my head I can think of:
thanks a lot, -nikita
TL;DR The scenario is correct and one session overrides the other and both pages share the session; but it doesn't matter.
In the example above, you have two near-simultaneous stateless anonymous requests.
In other words, there is absolutely nothing unique about the request; two generic pages will be return. Both these pages would have new JSESSIONIDs not because of the race, but because the requests themselves are anonymous and therefore essentially ask Tomcat to create new sessions.
Lets assume that page2 won the JSESSIONID speed contest and the browser now has the page2 cookie. Then the user clicks on an action in page1. I think you're correct that the request will come labelled with the page2 cookie.
But so what?
Page1 cannot have any session-related information in it, and therefore no user-specific information. The actions from it can therefore have no session-related state (the state was just created). If there is no specific session-related state, then there is no issue with it coming with the 'wrong' JSESSIONID.
Looking at it in another way: If the request for page2 had been completely processed before the request for page1, in what way would page1 be different? I can't see any differences. If there are no differences in the returned HTML in the two scenarios, then it doesn't matter its JSESSIONID is swapped.
OTOH, if the user has already visited bar.com, then the requests for both page1 and page2 will be associated with the same JSESSIONID, the pages that are returned are correct and all is good in the world of foo.com.
One issue: If you have CSRF protection switched on. CSRF libraries modify all URLs in the returned page to include an extra parameter. The CSRF protection library checks all incoming requests that their security token matches the JSESSIONID. If page1 uses the cookie for page2, the CSRF protection would reject the request as forged.
If you have to have one session per iframe: Use URL rewriting. This was originally designed for managing sessions when the browser doesn't accept cookies. It works well but the URLs look nasty.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With