Java / JSP lost session value on redirect - FIXED
When I was coding a Java web application last month, I came across this strange problem: the JSP page and Java servlet kept losing session values on a login page, and the browser sent me back to the login page after the first login attempt, but subsequent logins were fine.
This problem didn't happen in my development environment, which is JDeveloper on Windows. The problem only occurred after I deployed the application to the test server and the production server.
After two days struggling with it, I gave up and changed to using JSP forward for the login. This made the application work in both test and production, but I always had the urge to find out what the real problem was.
After a month of no action, I decided to have another look into the problem. This time I saw there was a slight change in the URL when the browser sent me back to the login page. After searching the net about Java's sendRedirect method, I found the cause of the problem in the round trip that the sendRedirect method makes between the web browser and the web server.
In the first trip the application used a URL with an alias of the DNS (Domain Name System) name, which was different from the second trip, where the true DNS name replaced the alias in the URL.
Here is the code snippet that caused the problem.
Here the path starts with "/" which is interpreted as relative to the application's web context root. This slash is interpreted by Oracle Application Server as the server's DNS name rather than its alias.
To understand how the round trip caused the problem, let's look at how sendRedirect works in a round trip.
When we call the sendRedirect method with a destination page URL, our web browser first sends the request to the web server. At this moment, the server does not do the redirect straightaway. Instead, it sends a header back to the user's browser. This header contains the destination page URL. The browser then uses this header to make another fresh request to the same web server or a different web server (depending on the destination page's URL) for the redirection.
The session object is created on my login page, which uses the alias of the DNS name as part of the site domain. When the web server sends the header back to my browser, because the redirect URL starts with "/", the server interprets it as its DNS name and uses that as part of the domain. This changes the alias part of the redirect URL.
Should redirect to: http://test_srv_dns_alias.mysite.com/jsp/destination.jsp
But changed and redirected to: http://test_srv_dns.mysite.com/jsp/destination.jsp
The session object created under test_srv_dns_alias by the login page cannot be seen under test_srv_dns, which is the host in the changed URL.
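The host change described above can be checked offline. The following Java program is an added example, not the post's original code: it resolves a redirect header value the way a browser does and reports whether a session cookie set on the login host would be sent to the redirect target. The host names are the ones quoted above; the login.jsp path and the Domain=.mysite.com case are assumptions for illustration.

```java
import java.net.MalformedURLException;
import java.net.URL;

public class RedirectSessionCheck {

    // Resolve a redirect location against the URL of the request that produced
    // it, as a browser does. java.net.URL is used because URI.getHost()
    // returns null for host names that contain underscores.
    static URL resolve(String requestUrl, String location) throws MalformedURLException {
        return new URL(new URL(requestUrl), location);
    }

    // RFC 6265 matching: with no Domain attribute the cookie is host-only and
    // goes back only to the exact host that set it; with a Domain attribute
    // it goes to that domain and its subdomains.
    static boolean cookieSent(String setByHost, String domainAttr, String targetHost) {
        if (domainAttr == null) {
            return setByHost.equalsIgnoreCase(targetHost);
        }
        String d = (domainAttr.startsWith(".") ? domainAttr.substring(1) : domainAttr).toLowerCase();
        String h = targetHost.toLowerCase();
        return h.equals(d) || h.endsWith("." + d);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed login URL (the path is an assumption).
        String login = "http://test_srv_dns_alias.mysite.com/jsp/login.jsp";
        String[] locations = {
            "http://test_srv_dns.mysite.com/jsp/destination.jsp",       // what the server sent
            "http://test_srv_dns_alias.mysite.com/jsp/destination.jsp", // alias kept in the URL
            "/jsp/destination.jsp"                                      // path-only value, resolved by the browser
        };
        String cookieHost = new URL(login).getHost();
        for (String loc : locations) {
            URL target = resolve(login, loc);
            boolean hostOnly = cookieSent(cookieHost, null, target.getHost());
            boolean domainWide = cookieSent(cookieHost, ".mysite.com", target.getHost());
            System.out.printf("%s%n  host-only cookie sent: %b, Domain=.mysite.com cookie sent: %b%n",
                    target, hostOnly, domainWide);
        }
    }
}
```

A cookie scoped with a Domain attribute is sent to every host under that domain, so it survives the host change at the cost of a wider cookie scope.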
To fix the problem, we have to hardcode the alias in the redirect URL. Simply using a slash "/" does not work.
Note that JSP redirect (not Java redirect as shown above) is similar, as long as you pass in a response object of HttpServletResponse type.
Note that JSP redirect behaves differently from JSP forward <jsp:forward page="/jsp/destination.jsp" />, but I won't go into the details here. Search the web and you'll find plenty of useful resources on this topic.
Hope this helps you again on a busy coding day.
Copyright © 2013 GeeksEngine.com. All Rights Reserved.