Sessions lost in IE9 via cross domain ajax access
We are building an app with Spring Security 3.1.0-Release. It is a JavaScript solution allowing users to sign in via ajax (jsonp) on their website. It is a cross-domain ajax scenario. On the JavaScript side, we are using the ajax method of the jQuery lib.

There are two main api urls:

http://testclient.com/test.html (test page on domain A, client site)

https://xxx.com/auth/login/submit (access this url with username and password to sign in via ajax, domain B, our server app)

https://xxx.com/auth/userStatus (retrieve user profile in json format after the user successfully logs in, domain B, our server app)

Our script firstly accesses login/submit (first ajax request), and then invokes a second request on userStatus to retrieve user information.

The problem is that this works fine in all browsers except IE9 (other IE versions work well) in the cross-domain scenario. It seems the sessions which are generated during "login submit" are lost immediately after accessing "userStatus". Authentication is also lost. I implemented a filter to print out sessions after "login submit"; the authentication name is what I use to log in, but in userStatus the authentication is null. As a result, I am not logged in (session just lost). If the script does not load userStatus, the session is not lost.

During submit and userStatus, there is no other http/https request.

But IE9 works in the non-cross-domain scenario. If I move test.html to domain B, I can use IE9 to sign in without any problem.

Following is the cookie track info:

FF:

After a successful login Spring Security creates a JSESSIONID cookie with no secure flag and no http-only flag. For the rest of the requests to the server, all of them are using the same cookie (same JSESSIONID).

Track of Request Headers:

https://xxx.com/auth/login/submit.htm

Request Headers Host xxxxx User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E) Accept / ..... Cookie JSESSIONID=CF6C25C92DE3F6D72AAC303363717CE5

https://xxx.com/auth/userStatus.htm

Request Headers Host xxxxx User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E) Accept / ..... Cookie JSESSIONID=CF6C25C92DE3F6D72AAC303363717CE5

IE9: it seems to load a different session ID all the time, even after I have successfully logged in.

https://xxx.com/auth/login/submit.htm

JSESSIONID B92F27A4E11238DA63FB4BAE57505F0 (domain) yes(secure) no(only http)

https://xxx.com/auth/userStatus.htm

JSESSIONID A4F1BA146D42E5E9238E6DD4E071A9F9 (domain) yes(secure) no(only http)
    Last edited by yiwong2001; Mar 26th, 2012, 11:41 PM.
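As an added diagnostic example (not part of the original post or of Spring Security), the following Python script parses cookie traces in the two shapes shown above, a raw request-header dump with a Cookie header and an IE cookie-inspector line, and reports per browser whether the JSESSIONID stays the same across consecutive requests. The trace text is constructed for this example from the values in the post; the function names and the "Browser:" section markers are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed trace modelled on the post: a browser marker line, then for
# each request its URL followed by either a request-header dump (Firefox
# style) or an IE cookie-inspector line.
TRACE = """
FF:
https://xxx.com/auth/login/submit.htm
Request Headers Host xxxxx Accept / ..... Cookie JSESSIONID=CF6C25C92DE3F6D72AAC303363717CE5
https://xxx.com/auth/userStatus.htm
Request Headers Host xxxxx Accept / ..... Cookie JSESSIONID=CF6C25C92DE3F6D72AAC303363717CE5
IE9:
https://xxx.com/auth/login/submit.htm
JSESSIONID B92F27A4E11238DA63FB4BAE57505F0 (domain) yes(secure) no(only http)
https://xxx.com/auth/userStatus.htm
JSESSIONID A4F1BA146D42E5E9238E6DD4E071A9F9 (domain) yes(secure) no(only http)
"""

BROWSER_RE = re.compile(r"^([A-Za-z0-9]+):$")
URL_RE = re.compile(r"^https?://\S+$")
# "Cookie JSESSIONID=<hex>" somewhere inside a header dump
HEADER_COOKIE_RE = re.compile(r"Cookie\s+JSESSIONID=([0-9A-Fa-f]+)")
# "JSESSIONID <hex> (domain) yes(secure) no(only http)" as IE shows it
INSPECTOR_RE = re.compile(
    r"^JSESSIONID\s+([0-9A-Fa-f]+)\s+\(domain\)\s+"
    r"(yes|no)\(secure\)\s+(yes|no)\(only http\)"
)


def parse_trace(text: str) -> Dict[str, List[dict]]:
    """Group requests by browser; each request records the session id sent
    and, where the trace shows them, the cookie's Secure/HttpOnly flags."""
    requests: Dict[str, List[dict]] = {}
    browser: Optional[str] = None
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BROWSER_RE.match(line)
        if m:
            browser = m.group(1)
            requests.setdefault(browser, [])
            current = None
            continue
        if browser is None:
            continue
        if URL_RE.match(line):
            current = {"url": line, "session": None,
                       "secure": None, "httponly": None}
            requests[browser].append(current)
            continue
        if current is None:
            continue
        m = INSPECTOR_RE.match(line)
        if m:
            current["session"] = m.group(1).upper()
            current["secure"] = m.group(2) == "yes"
            current["httponly"] = m.group(3) == "yes"
            continue
        m = HEADER_COOKIE_RE.search(line)
        if m:
            current["session"] = m.group(1).upper()
    return requests


def session_continuity(requests: Dict[str, List[dict]]) -> Dict[str, dict]:
    """For each browser, list the session ids in request order, count how
    many times the id changed between consecutive requests, and flag the
    sequence as stable only if every request carried the same id."""
    result: Dict[str, dict] = {}
    for browser, reqs in requests.items():
        ids = [r["session"] for r in reqs]
        known = [i for i in ids if i]
        changes = sum(1 for a, b in zip(ids, ids[1:]) if a != b)
        result[browser] = {
            "ids": ids,
            "changes": changes,
            "stable": len(known) == len(ids) and len(set(known)) <= 1,
        }
    return result


if __name__ == "__main__":
    for browser, info in session_continuity(parse_trace(TRACE)).items():
        verdict = "stable" if info["stable"] else "session id changed"
        print(f"{browser}: {verdict} ({info['changes']} change(s))")
```

A session id that differs on every request, as in the IE9 trace, means the browser never sent the login cookie back, so the server issued a fresh session each time. In a cross-domain (third-party) context the things to check first are the cookie's Secure and domain attributes as each browser reports them and that browser's third-party-cookie policy, before suspecting the server-side session handling.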