Any gotchas with sessionRotate()?

Hi,

I’m trying to use sessionRotate() to force a new session after a user login, but I can’t get it to work; my session ID stays the same. Using Apache HTTP Server, Tomcat and JEE sessions. No clustering (yet!).

If I set session type to “Application” I can see the session ID changes on either side of the sessionRotate() call. With JEE sessions, it stays the same.

With Railo I had to resort to some Java trickery to force a session refresh. Is Lucee sessionRotate() meant to work with J2EE sessions? If not, what’s the alternative?

Thanks, Peter

When you use JEE Sessions, Lucee has no control over the session or the cookie, so SessionRotate() will not work.

Consult your Servlet Container’s documentation for a similar solution, and if you find one please post it here as well for the benefit of others.

Thanks. I will investigate and post back.

This is what I used to do with Railo (From an article by Peter Freitag at SessionRotate solution for JEE Sessions) but it now throws an exception.

<cfset req = getPageContext().getRequest()>
<cfset req.getSession().invalidate()>
<cfset newSession = req.getSession(true)>

I’ve upgraded Tomcat at the same time as swapping to Lucee so the exception could be due to changes in Tomcat.

If you post the exception information with the full Java stack trace then we’d be able to tell more about why it stopped working.

Thanks. Here’s the exception:

Message:javax/servlet/http/HttpUpgradeHandler
Stack Trace:
string	lucee.runtime.exp.NativeException: javax/servlet/http/HttpUpgradeHandler 
at java.lang.Class.getDeclaredMethods0(Native Method) 
at java.lang.Class.privateGetDeclaredMethods(Unknown Source) 
at java.lang.Class.privateGetPublicMethods(Unknown Source) 
at java.lang.Class.getMethods(Unknown Source) 
at lucee.runtime.reflection.storage.SoftMethodStorage.store(SoftMethodStorage.java:68) 
at lucee.runtime.reflection.storage.SoftMethodStorage.getMethods(SoftMethodStorage.java:50) 
at lucee.runtime.reflection.Reflector.getMethodInstanceEL(Reflector.java:490) 
at lucee.runtime.reflection.Reflector.callMethod(Reflector.java:848) 
at lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:799) 
at lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1698) 
at ui.sec_setuplogincookie_cfm$cf.call(/ui/sec_setuplogincookie.cfm:97) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:908) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:833) 
at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:827) 
at lucee.runtime.tag.CFTag.doInclude(CFTag.java:328) 
at lucee.runtime.tag.CFTag.cfmlStartTag(CFTag.java:249) 
at lucee.runtime.tag.CFTag.doStartTag(CFTag.java:180) 
at common.site.loginpage_cfm$cf.call(/common/site/loginpage.cfm:90) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:908) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:833) 
at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:827) 
at lucee.runtime.tag.CFTag.doInclude(CFTag.java:328) 
at lucee.runtime.tag.CFTag.cfmlStartTag(CFTag.java:249) 
at lucee.runtime.tag.CFTag.doStartTag(CFTag.java:180) 
at ui.act_performaction_cfm$cf.call(/ui/act_performaction.cfm:476) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:908) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:833) 
at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:827) 
at lucee.runtime.tag.CFTag.doInclude(CFTag.java:328) 
at lucee.runtime.tag.CFTag.cfmlStartTag(CFTag.java:249) 
at lucee.runtime.tag.CFTag.doStartTag(CFTag.java:180) 
at common_handler_cfm$cf.call(/common_handler.cfm:160) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:908) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:833) 
at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:827) 
at lucee.runtime.tag.CFTag.doInclude(CFTag.java:328) 
at lucee.runtime.tag.CFTag.cfmlStartTag(CFTag.java:249) 
at lucee.runtime.tag.CFTag.doStartTag(CFTag.java:180) 
at connect_ti$cf.call(/connect.ti:3) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:908) 
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:833) 
at lucee.runtime.listener.ClassicAppListener._onRequest(ClassicAppListener.java:63) 
at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:44) 
at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2405) 
at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2395) 
at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2363) 
at lucee.runtime.engine.Request.exe(Request.java:46) 
at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1048) 
at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:996) 
at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:102) 
at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) 
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) 
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) 
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) 
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) 
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110) 
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) 
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) 
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962) 
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) 
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) 
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) 
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) 
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) 
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) 
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) 
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) 
at java.lang.Thread.run(Unknown Source) 
Caused by: java.lang.NoClassDefFoundError: javax/servlet/http/HttpUpgradeHandler 
... 71 more 

Caused by: java.lang.ClassNotFoundException: javax.servlet.http.HttpUpgradeHandler 
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1892) 
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1735) 
at org.apache.felix.framework.ExtensionManager$ExtensionManagerWiring.getClassByDelegation(ExtensionManager.java:1010) 
at org.apache.felix.framework.BundleWiringImpl.searchImports(BundleWiringImpl.java:1579) 
at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1509) 
at org.apache.felix.framework.BundleWiringImpl.access$400(BundleWiringImpl.java:79) 
at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1998) 
at java.lang.ClassLoader.loadClass(Unknown Source) 
... 71 more

I was using a clean install of Tomcat 7.0.81. Swapped to Tomcat 8.5 and all is well.
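
Added example, not part of the thread and not Lucee or Tomcat code: a small offline check that reproduces the symptom described in the first post, namely whether the session cookie held before login is replaced by the login response. The cookie names are assumptions (JSESSIONID is the servlet container default for JEE sessions, cfid/cftoken are used by CFML "Application" sessions) and the header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Assumed cookie names: JSESSIONID for JEE sessions (container default),
# cfid/cftoken for CFML ("Application") sessions.
SESSION_COOKIES = ("JSESSIONID", "cfid", "cftoken")


def apply_set_cookie(jar, set_cookie_headers):
    """Fold one response's Set-Cookie header values into a name -> value jar."""
    jar = dict(jar)
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = morsel.value
    return jar


def rotation_report(before_login, login_response, names=SESSION_COOKIES):
    """Compare the session cookies a client holds before and after login.

    before_login:   Set-Cookie values from the anonymous (pre-login) response
    login_response: Set-Cookie values from the response to the login request
    Returns {cookie name: "rotated" | "unchanged"} for each session cookie
    the client already held before authenticating.
    """
    wanted = {n.lower() for n in names}
    before = apply_set_cookie({}, before_login)
    after = apply_set_cookie(before, login_response)
    report = {}
    for name, old_value in before.items():
        if name.lower() in wanted:
            report[name] = "rotated" if after[name] != old_value else "unchanged"
    return report


# Constructed sample headers (not captured from a real server).
ANON_PAGE = ["JSESSIONID=0A1B2C3D4E5F; Path=/; HttpOnly"]
LOGIN_NO_ROTATION = ["theme=dark; Path=/"]            # session ID carried through login
LOGIN_ROTATED = ["JSESSIONID=F9E8D7C6B5A4; Path=/; HttpOnly"]

if __name__ == "__main__":
    print("no rotation:", rotation_report(ANON_PAGE, LOGIN_NO_ROTATION))
    print("rotated:    ", rotation_report(ANON_PAGE, LOGIN_ROTATED))
```

An "unchanged" result for a session cookie after login is the condition the original poster was trying to eliminate; feeding the function headers captured from a test login makes it usable as a regression check after an engine or container upgrade.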