1

I launched two different instances of JBoss AS 7.1 on my machine on two different ports and deployed the same application (with the same root context) to both of them. This configuration gave me, deterministically, the following exception as I was doing tabbed browsing with the same browser (either Chrome or Firefox or Conkeror):

javax.servlet.ServletException: viewId:/whatever.xhtml - View /whatever.xhtml could not be restored.
javax.faces.webapp.FacesServlet.service(FacesServlet.java:606)
org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62)

When I was browsing with different browsers things were ok.

Upon further investigation on how different browsers store cookies I discovered that the combination (IP / path) has to be unique to avoid such tabbed browsing problems and that the port does not come into play. I.e. cookies are stored per IP and per path but not per port. So doing tabbed browsing with the same browser on two different applications deployed on the same IP and path (but obviously on separate ports) will result in expired views as the browser mixes up the two sessions. I recognize that my setting is unlikely to arise in a production environment but I would like to ask:

  1. is there any standard that defines this cookie organizing behavior?

  2. are there any best practices one must be aware of in order to avoid session mixups when doing tabbed browsing in multiple JSF applications?

  3. does the javax.faces.STATE_SAVING_METHOD have any bearing on this (in my setting it was set to "server") ?

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
Marcus Junius Brutus
  • 26,087
  • 41
  • 189
  • 331
  • To avoid conflicts, you can also change the session cookie's name for one of the servers, as described [here](http://stackoverflow.com/questions/877064). – f_puras Sep 03 '12 at 12:17

1 Answers1

3

is there any standard that defines this cookie organizing behavior?

Version 0 cookies (Netscape spec cookies) do not support ports in any way.

Version 1 cookies (RFC2965 spec cookies) supports the Port attribute. If this is absent, then version 0 behavior is used.

The average servletcontainer sets the JSESSIONID cookie as a version 0 cookie. You could theoretically override this by providing a custom "Session Manager" in the servletcontainer. Note that MSIE 9 does still not support version 1 cookies.

are there any best practices one must be aware of in order to avoid session mixups when doing tabbed browsing in multiple JSF applications?

The canonical approach in real world projects is to use a different subdomain (on same port!). E.g. beta.example.com, dev.example.com, update.example.com, test.example.com, etc.

does the javax.faces.STATE_SAVING_METHOD have any bearing on this (in my setting it was set to "server") ?

If you set it to client, then the ViewExpiredException will indeed disappear as the view is not stored in the session anymore, but instead in a hidden field of the form. But you might still face other session-related trouble, for sure if you're storing some stuff in the session, such as session scoped managed beans and the logged-in user.

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555