XHR + JSESSIONID + dwr requests

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

XHR + JSESSIONID + dwr requests

jmzc
Hello:


We've got a GWT web application with cross-domain support.
All request are implemented by GWT RPC native method ( XHR objects )

We're using DWR 3.0.0 RC2-final for Reverse Ajax ( server pushes to client )

Initially , the browser performs a XHR call  , and the server (Tomcat)
creates a new HTTP session and returns JSESSIONID cookie. All fine.

Remote Address:
127.0.0.1:80
Request URL:
POST http://www.mydomain.es/webapp/webapp/service/exe.do



Later, when DWR engine performs DWR calls ( /GET method + query string
as parameter ) , it doesn't send JSESSIONID , so a new HTTP session is
created

Remote Address:
127.0.0.1:80
Request URL:
GET http://www.mydomain.es/webapp/dwr//call/plaincall/AjaxManager.handshake.dwr?
.....

And I want to keep the same HTTP session

Both of them calls invoke a URL in the same domain & same web context,
so browser should choose the first JSESSIONID cookie for the second
GET request , right ?
any difference with XHR requests ?

Any ideas ?

Thanks and regards
Reply | Threaded
Open this post in threaded view
|

Re: XHR + JSESSIONID + dwr requests

Mike Wilson
Administrator
Yes, the JSESSIONID should be shared if this is the same webapp. If they are
not the same webapp then the container will probably scope JSESSIONID with a
path mapping to the respective webapp's contextPath, and then you will end
up with two different cookies and sessions.
So lookup cookie details in your favourite browser's developer tools and see
if cookie paths are the way you want them.
Btw, there is a newer version of DWR; 3.0 RC3.

Best regards
Mike Wilson

Jose María Zaragoza wrote:

> Hello:
>
>
> We've got a GWT web application with cross-domain support.
> All request are implemented by GWT RPC native method ( XHR objects )
>
> We're using DWR 3.0.0 RC2-final for Reverse Ajax ( server
> pushes to client )
>
> Initially , the browser performs a XHR call  , and the server (Tomcat)
> creates a new HTTP session and returns JSESSIONID cookie. All fine.
>
> Remote Address:
> 127.0.0.1:80
> Request URL:
> POST http://www.mydomain.es/webapp/webapp/service/exe.do
>
>
>
> Later, when DWR engine performs DWR calls ( /GET method + query string
> as parameter ) , it doesn't send JSESSIONID , so a new HTTP session is
> created
>
> Remote Address:
> 127.0.0.1:80
> Request URL:
> GET
> http://www.mydomain.es/webapp/dwr//call/plaincall/AjaxManager.
> handshake.dwr?
> .....
>
> And I want to keep the same HTTP session
>
> Both of them calls invoke a URL in the same domain & same web context,
> so browser should choose the first JSESSIONID cookie for the second
> GET request , right ?
> any difference with XHR requests ?
>
> Any ideas ?
>
> Thanks and regards

Reply | Threaded
Open this post in threaded view
|

Re: XHR + JSESSIONID + dwr requests

jmzc
In reply to this post by jmzc
Thanks for your reply

Finally I found the reason. It doesn't have to do with DWR, but I want
to share the solution

By default, XHR doen't send cookies to cross-domains. So, you have to do:

On client side
xhr.withCredentials = true

On server side ( CORS):
resp.headers['Access-Control-Allow-Credentials'] = 'true'


Bad news:

1) if you set Access-Control-Allow-Credentials = true, you cannot set
Access-Control-Allow-Origin = *
2) CORS is not fully supported by older IE browsers


So, I may use JSOP

Regards



>Yes, the JSESSIONID should be shared if this is the same webapp. If they are
>not the same webapp then the container will probably scope JSESSIONID with a
>path mapping to the respective webapp's contextPath, and then you will end
>up with two different cookies and sessions.
>So lookup cookie details in your favourite browser's developer tools and see
i>f cookie paths are the way you want them.
>Btw, there is a newer version of DWR; 3.0 RC3.

>Best regards
>Mike Wilson


2015-03-26 17:42 GMT+01:00 Jose María Zaragoza <[hidden email]>:

> Hello:
>
>
> We've got a GWT web application with cross-domain support.
> All request are implemented by GWT RPC native method ( XHR objects )
>
> We're using DWR 3.0.0 RC2-final for Reverse Ajax ( server pushes to client )
>
> Initially , the browser performs a XHR call  , and the server (Tomcat)
> creates a new HTTP session and returns JSESSIONID cookie. All fine.
>
> Remote Address:
> 127.0.0.1:80
> Request URL:
> POST http://www.mydomain.es/webapp/webapp/service/exe.do
>
>
>
> Later, when DWR engine performs DWR calls ( /GET method + query string
> as parameter ) , it doesn't send JSESSIONID , so a new HTTP session is
> created
>
> Remote Address:
> 127.0.0.1:80
> Request URL:
> GET http://www.mydomain.es/webapp/dwr//call/plaincall/AjaxManager.handshake.dwr?
> .....
>
> And I want to keep the same HTTP session
>
> Both of them calls invoke a URL in the same domain & same web context,
> so browser should choose the first JSESSIONID cookie for the second
> GET request , right ?
> any difference with XHR requests ?
>
> Any ideas ?
>
> Thanks and regards