Hey All,
I have run into an issue with what looks like the JSESSIONID cookie not being forwarded when loading a new form. I have a link on a form that will open a new form in another window using the xf:load. Now when I try and load that form using the following:

```
<xf:load resource="{xxf:property('im.rest.uri.workflow-host')}/{instance('create_docuemnt_query_resource')/viewUrl}" show="new"/>
```

It loads the new form up fine, however the form that launched that form is now getting Unauthorised (403) in the `Referrer` form.

I had a look at this <https://doc.orbeon.com/configuration/advanced/session>

I have the following in my properties-local.xml

```
<property as="xs:string" name="oxf.http.forward-cookies" value="JSESSIONID JSESSIONIDSSO" />
```

I did some hunting and I found that the JSESSIONID cookie is not being forwarded when loading the new form.

Here are my findings of the JSESSIONID not being forwarded. I am using WireShark to hunt down the requests; here is my full dump for reference. (Red = Client, Blue = Server) OrbeonFormRequest.pdf <http://discuss.orbeon.com/file/t375722/OrbeonFormRequest.pdf>

The request to trigger the event has the JSESSIONID and the JSESSIONIDSSO,

```
Cookie: JSESSIONID=U-cBf1-upiVvnl7bMZBXdq_rGyUbEpfbhnGFb5QW.joates-pc; JSESSIONIDSSO=itX04tXbaFWFghS9hLNwcUB80D5JwqC3bzSQZ5xu
```

That's all good, then the server responds and we then trigger the GET request to go get the new form; only the JSESSIONIDSSO is present in the Cookies

```
Cookie: JSESSIONIDSSO=itX04tXbaFWFghS9hLNwcUB80D5JwqC3bzSQZ5xu
```

So as expected the server sends a Set-Cookie:

```
Set-Cookie: JSESSIONID=dBAnPKFRKvT8yofK88hMxjgSidyZdlxF6OfsHFaT.joates-pc; path=/workflow-orbeon
```

Now when I go back to my 'parent' form anything I do is with the new JSESSIONID that does not know about the UUID of that form.

As you can see from the last client request

```
Cookie: JSESSIONID=dBAnPKFRKvT8yofK88hMxjgSidyZdlxF6OfsHFaT.joates-pc; JSESSIONIDSSO=itX04tXbaFWFghS9hLNwcUB80D5JwqC3bzSQZ5xu
```

and server response

```
<error><title>Unknown form document requested.</title></error>
```

Is this something to do with using xf:load? Or is this possible? I am not sure how this is different to opening two forms and using them both. (Other than the Set-Cookie Request)

I hope this makes sense...

Joel.
I found the issue!
It was because I had an extra `/` in my URL so the context was actually being changed!

Thanks anyway,
Joel.
Hi Joel,
I'm glad you found what the problem was. So you're saying that the `path=…` in the `Set-Cookie` header did not match the new page from which you were loading the form, hence the browser was not sending the `JSESSIONID`?

‑Alex
Hi Alex,
Sorry, the GET request I was sending had an extra '/' in it, so it was

```
GET //workflow-orbeon/fr/Documentation_Query/doc-query-1/edit/1 HTTP/1.1
```

So it was generating a new cookie for //workflow-orbeon rather than /workflow-orbeon

Joel.
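The path check behind this behaviour, as an added example that is not part of the original thread: the RFC 6265 path-match rule a browser applies before attaching a cookie, run over the two request paths discussed above. The jar is constructed; the `Path=/` scope for `JSESSIONIDSSO`, the `joinUrl` helper and the `forms.example` host are assumptions for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: is a cookie with this Path sent?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts if it ends on a path-segment boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies in the jar that would be attached to a request path.
function cookiesSent(jar, requestPath) {
  return jar.filter((c) => pathMatches(requestPath, c.path)).map((c) => c.name);
}

// Hypothetical helper: join a base URI and a relative URL with exactly one
// "/" between them, so the context path never gains a second leading slash.
function joinUrl(base, rel) {
  return base.replace(/\/+$/, "") + "/" + rel.replace(/^\/+/, "");
}

// Constructed jar modelled on the thread. JSESSIONID is scoped to the web
// app context; JSESSIONIDSSO is assumed to be scoped to "/".
const jar = [
  { name: "JSESSIONID", path: "/workflow-orbeon" },
  { name: "JSESSIONIDSSO", path: "/" },
];

const good = "/workflow-orbeon/fr/Documentation_Query/doc-query-1/edit/1";
const bad = "/" + good; // the request path with the extra leading slash

console.log(good, "->", cookiesSent(jar, good));
console.log(bad, "->", cookiesSent(jar, bad));
console.log(joinUrl("http://forms.example/", good));
```

With the doubled slash the request path no longer starts with `/workflow-orbeon`, so the session cookie is withheld and the server issues a fresh session, which then replaces the parent form's `JSESSIONID` in the browser.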
Hi Joel,
Interesting! I didn't know that Tomcat would send a different `JSESSIONID` for a request to `/gaga` vs. `//gaga`. And the thing is that when it sets the cookie, it does so with the following, whether it is for `/gaga` or `//gaga`:

```
Set-Cookie: JSESSIONID=…; Path=/gaga; HttpOnly
```

I'm wondering what other app servers do in a similar situation. Good to know.

‑Alex
Hi Alex,
We are running in WildFly 11, which is Undertow based, not Tomcat. Not sure what the standard says to do in this case but looks like a little bugglet in either Tomcat or WildFly/Undertow.

Looks like support for compressing multiple slashes is a Tomcat feature (from https://tomcat.apache.org/tomcat-8.5-doc/config/context.html)

> allowMultipleLeadingForwardSlashInPath: Tomcat normalises sequences of multiple / characters in a URI to a single /. This is for consistency with the behaviour of file systems as URIs are often translated to file system paths. As a result, the return value of HttpServletRequest#getContextPath() is expected to start with multiple / characters for some URIs. This will cause problems if this value is used directly with HttpServletResponse#sendRedirect() as redirect paths that start with // are treated as protocol relative redirects. To avoid potential issues, Tomcat will collapse multiple leading / characters at the start of the return value for HttpServletRequest#getContextPath() to a single /. This attribute has a default value of false which enables the collapsing of multiple / characters. To disable this behaviour, set this attribute to true.
Hi Brian,
Interesting; I didn't know about `allowMultipleLeadingForwardSlashInPath`. I am using Tomcat 8.5 locally, and haven't overridden `allowMultipleLeadingForwardSlashInPath`, so the default should apply and the doc says that the "default value of false […] enables the collapsing of multiple / characters". But this only applies to `HttpServletRequest#getContextPath()`, so this property doesn't seem to prevent Tomcat from taking `/orbeon` and `//orbeon` to be 2 different web apps, each with its session.

‑Alex