I was using Tomcat 6.0.26 with my project since long time. Now, I need to use EL 2.2 in this project so I moved it to Tomcat 7.0.19 with no other changes (Using Mojarra 2.1.2-b04 with RichFaces 4.0.0). When I start it up, everything is fine until I try any a4j:commandButton or h:commandButton it throw ViewExpiredException even if the application is started for less than a minute (for info, I've forced 30min session timeout in web.xml).
The only thing makes the application works is by changing this setting :
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
It was server and I changed it to client but the server setting is best to keep data server side and don't transfer it to client on each request.
Edit : Looks like the server to client fix the problem of the ViewExpiredException but the user login function on the website doesn't work anymore. It log into the user home, but after any link is clicked, it does the same like the user is not logger (I use a SessionScoped ManagedBean to keep user information).
Anyone have this bug?
Thank you,
Alex.
You will get a ViewExpiredException when the view is not in the session anymore. The described symptoms suggests that the session cookie is not maintained and thus every request has somehow forced the server to create a brand new session.
I can't reproduce your problem locally on a barebones Mojarra 2.1.2 project targeted on Tomcat 7.0.19. The session get maintained perfectly fine. I see the Set-Cookie response header for JSESSIONID on the first request and I see the Cookie request header for JSESSIONID on every subsequent request within the same browser session. That's how it's supposed to work. So the problem is at least not directly related to Mojarra 2.1.2 or Tomcat 7.0.19.
You can use Firebug to see and track the JSESSIONID cookie yourself. That's the first thing I would do. You should check if it's the browser who refuses to send the Cookie request header back (I don't think that this is the case), or that it's the server who sends a new Set-cookie response header everytime (I think that this is the case). If it's indeed the server who re-creates the session everytime even though the browser has sent the Cookie header, then that can only mean that there's an incorrect HttpSession#invalidate() call somewhere in the code base which forces that. Run a debugger to naildown the culprit.
Related
Jenkins was working fine on Firefox until a couple of weeks back.
http://www.sub.domain.com:8080
Then I think there was a Firefox update and by default it was redirecting to
https://www.sub.domain.com:8080
There was no way I could force it to http.
So I went on Chrome and it worked there until this morning when I got the Chrome 77 update.
Same issue all over again.
Then I loaded it up on IE. It works fine. I am able to use
http://www.sub.domain.com:8080
I checked with the admin if they are redirecting all traffic to https but that's not the case. What's happening here? Any browser change that I am not aware of? Any Jenkins config change that I should be using?
Did you check the HSTS cache in chrome? Go to chrome://net-internals/#hsts
Query the HSTS cache there. If there is a result you can clear it using the delete option on that page.
Another thing to check is if your using the Jenkins HSTS filter plugin "which adds a response header indicating that HTTP Strict Transport Security (HSTS) response headers should be sent." See https://wiki.jenkins.io/display/JENKINS/HSTS+Filter+Plugin
I edited and saved some content in controller file and trying to press F5 or Ctrl+F5 to refresh page, it didn't work. I still have the same page.
The current way to solve the problem is to shut down the server and restart it.
I also tried DevTools' disable cache function, but it didn't work either.
Are there other ways to update page after editting controller file in MVC?
Thank you for your help.
F5, crtl+F5 and “disable cache” ensure that the client cache is cleared, but your controller action is executed on server side.
To ensure that the server application is up to date, you need to rebuild your app and you need to ensure that your server uses the updated code.
If you are using IIS (Internet Information Services), you need to recycle the corresponding app pool. If everything is properly configured this should be done automatically, since IIS should monitor the deployed files. If that doesn't happen, you may check your FCNMode.
I'm running Firefox 36.0.4 on Windows 7 32-bit. I've diabled all add-ons, extensions and user scripts before retesting this.
I'd like to step through JavaScript code that is served up in a <script> tag in the HTML document being produced by a Java (Tomcat) web server.
Unfortunately, when I select the HTML document under Debugger > Sources, the source of the page returns to the login page of the application - it appears that session information is not being used to request the source.
I stepped through the server-side code and found that the correct session cookie values were being sent for the real page request and some AJAX requests sent by the page. However, when I tried to load the page source in the JavaScript debugger, I found that an incorrect session cookie was being sent by the JavaScript debugger.
I can replicate this behaviour in other webapps, not just my own. For example, Stack Overflow:
Is this a configuration issue, or a bug in the Firefox Developer Tools?
I can't reproduce your problem using StackOverflow as an example, at least in Firefox Developer Edition ( currently version 38 ):
One thing that might help - try disabling the cache while the toolbox is open - this setting is in the developer tools setting panel ( click on the 'gear' icon at the top right of the toolbox ):
After reviewing canuckistani's answer, I downloaded Firefox Developer Edition. Seemingly, the problem was fixed.
Five minutes in, I became sick of being asked whether to remember passwords and having to manually clear session cookies (I prefer being able to do it by simply closing the browser) - it makes testing easier.
As per usual, I went to Options > Privacy > History to disable this behaviour, by setting the value to Never remember history.
Changing this setting requires the browser to restart. However, upon restarting, I once again saw the same erroneous behaviour - the wrong session cookie was being sent to the web application again.
The workaround here is to not use the Never remember history setting. I have filed a bug report at Mozilla.org Bugzilla.
I have a web app running on glassfish 3.1.1 with struts2 an spring.After i implemented struts2 ssl plugin i had some problems related to jsessionid cookie. The problem was that if i wag going directly to https the cookie was not generated, and i have to ask for http version of the page and then struts2ssl plugin redirects me to https and everything was ok. The second problem is that i decided that after the user had logged in to regenerate the session id (in order to prevent session fixation) and the new session id was nor written to cookie. With all these i decided to use url appended jsessionid, which solved those 2 problems. As you expected there is another problem here, and this is that if i try to access the app via http://myServer:8080/MyApp , the jsessionId is appended correctly, but if the same app is accessed via a glassfish virtualhost the jsessionid isn`t appended anymore.
I suspect a issue with the vhost configuration....
Any ideea?
Thanks,
Adding
<session-config>
<tracking-mode>
COOKIE
</tracking-mode>
</session-config>
into web.xml should do the trick, according to specification
I am trying to deploy a .NET MVC application to GoDaddy servers. I have an Html.AntiForgeryToken on one of my pages that is causing it throw an exception every time I hit it.
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
I have generated a machine key using the following URL
http://aspnetresources.com/tools/machineKey
and have set the pages viewStateEncryptionMode to "Always"
<pages viewStateEncryptionMode="Always">
I am still receiving the error however and am at a lost as to what to do next. Any suggestions would be greatly appreciated.
I finally figured it out. I did a little bit more google searching and found that if I don't clear the cache on the browser it will retain the invalid viewstate. Apparently chrome holds onto some semblance of the viewstate in each consecutive browser unless all of the chrome browser windows are closed down (I use alot of chrome browsers), even when the cache has been cleared.
I found that the code worked by trying it in Firefox and IE which was successful. I then closed down all of the chrome windows (after clearing cache) and restarted. I was then able to navigate successfully to the page with the AntiForgeryToken on it.