liuttorrie 2009-05-03
Last week, while deploying the system at a customer's site, I ran into a very strange problem: the objects stored in the session were sometimes lost for no apparent reason. My environment was Windows 2003 Server + Tomcat + Internet Explorer.
As far as I know, a servlet's session normally relies on one of two mechanisms: cookies or URL rewriting. If cookies are disabled, we must use response.encodeURL to append the jsessionid to each URL. After some study, I found that my problem was that either the browser was not accepting cookies or the server was not sending them, so after a page forward without encodeURL the system could no longer retrieve the objects previously stored in the session.
Then I checked the browser settings: cookies were still allowed. Also, in Tomcat's context configuration, cookies were still set to "true", so neither the client nor the server explicitly disabled cookies. So what stopped my cookies from working properly?
I spent the whole afternoon researching this issue and finally found the reason: my host name contains an underscore ("_"), which makes it invalid. Because of the invalid host name, the browser never created the cookies.
This error occurs when using Internet Explorer 5.5 and 6.0 or later with the Microsoft patch MS01-055 applied. Once updated, Internet Explorer becomes compliant with RFC 952, which defines and restricts host and domain naming conventions. This compliance avoids certain security vulnerabilities with session cookies, as explained in this excerpt from Microsoft Knowledge Base article 316112:
"A potential security vulnerability exists in Internet Explorer versions 5.5 and 6.0 in which a malicious user could create a URL that allows a Web site to gain unauthorized access to cookies that are stored on a client computer and then (potentially) modify the values that are contained in these cookies. Because some Web sites use cookies that are stored on client computers to store sensitive information, this security vulnerability could expose personal information. Security patch MS01-055 corrects this security vulnerability by preventing servers with improper name syntax from setting cookies names."
The RFC 952 document defines the proper syntax for a host/domain name:
"A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.). Note that periods are only allowed when they serve to delimit components of "domain style names". (See RFC-921, "Domain Name System Implementation Schedule", for background). No blank or space characters are permitted as part of a name. No distinction is made between upper and lower case."
There are several workarounds:
1. Change the fully qualified host name of the server so that it complies with RFC 952.
2. Use the IP address instead of the host name.
3. Use URL rewriting (response.encodeURL) for session tracking instead of relying on cookies.
In the end I changed my host name and the problem was solved.
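As an added example (not code from the original post), here is a small servlet, assumed to run on Tomcat with the javax.servlet API on the classpath, that combines workaround 3 with a check for workaround 1: it always builds its links with response.encodeURL so the session survives when the browser drops the cookie, and it validates the request's Host header against the RFC 952 character set so an underscore in the host name shows up as a warning in the Tomcat log instead of as silently lost session data. The class name, the "visits" attribute and the log message are my own.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the original post: a servlet whose session
 * tracking keeps working when the host name is not RFC 952 compliant.
 */
public class SessionSafeServlet extends HttpServlet {

    // RFC 952 label syntax: letters, digits and '-' only; '.' separates labels.
    // Later RFCs relaxed the length limits, so only the character set is checked here.
    private static final Pattern RFC952_LABEL = Pattern.compile("[A-Za-z0-9-]+");

    /**
     * Returns true when every label of the host name uses only RFC 952 characters.
     * A trailing ":port" as sent in the HTTP Host header is ignored.
     * An underscore ("_"), as in the host name from the post, makes this return false;
     * a dotted IP address (workaround 2) passes because its labels are all digits.
     */
    static boolean isRfc952Host(String host) {
        if (host == null || host.isEmpty()) {
            return false;
        }
        int colon = host.indexOf(':');
        if (colon >= 0) {
            host = host.substring(0, colon);
        }
        for (String label : host.split("\\.", -1)) {
            if (!RFC952_LABEL.matcher(label).matches()) {
                return false;
            }
        }
        return true;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Count requests in this session so a dropped cookie becomes visible as a reset counter.
        HttpSession session = req.getSession(true);
        Integer visits = (Integer) session.getAttribute("visits");
        visits = (visits == null) ? 1 : visits + 1;
        session.setAttribute("visits", visits);

        // Workaround 1 check: warn in the container log when the browser is likely to refuse the cookie.
        String host = req.getHeader("Host");
        if (!isRfc952Host(host)) {
            log("Host header '" + host + "' is not RFC 952 compliant; browsers with MS01-055 "
                + "will not store the session cookie, falling back to URL rewriting");
        }

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<p>visits in this session: " + visits + "</p>");
        out.println("<p>session id arrived in a cookie: " + req.isRequestedSessionIdFromCookie() + "</p>");
        // Workaround 3: encodeURL appends ;jsessionid=... whenever the current request did not
        // carry the session id in a cookie, so the link works whether or not cookies are accepted.
        out.println("<a href=\"" + resp.encodeURL(req.getRequestURI()) + "\">request again</a>");
        out.println("</body></html>");
    }
}
```

Reloading the page through the "request again" link should keep the counter rising on a host with an underscore, because the link carries the jsessionid; the "session id arrived in a cookie" line tells you which mechanism is actually in use, and the log line names the cause before anyone has to spend an afternoon on it.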