Java Applets Breaking Sessions

I’m writing this down so hopefully some other poor sod doesn’t have to go through the debug session I just spent several hours on.

I have a web application that, among other things, presents content to authenticated users. Most of the stuff is HTML, JPG, GIF, with the occasional Flash applet mixed in. The main “show stuff on a web page” code is about 4 years old and has been working well for a long time now.

One of the users has been playing with Java and wants to include Java applets in the mix. Fair enough, it’s something I like to see and they’re using it for some neato things. Only problem? When the user views a page with a Java applet in it, they are instantly logged out of my web application.

Now the applets are served exactly the same way as the other attachments, through code that is fairly mature and has been Just Working for a long time.

To cut a long story short, JAVA BROWSER PLUGINS SUCK.
And “java, applet, session, cookie” are absolutely horrible search keywords to try and ask Google about.

It turns out that many (as in probably more than half) Java browser plugins *don’t* send any cookies that the browser has when they request the content from the server. There’re vague mutterings about “security reasons” around the place, but I haven’t found anything concrete. This, in itself, is a nuisance but shouldn’t cause the trouble it does. The added bonus is that they *do* accept cookies from the server and stick them in the browser. So….

  1. Browser sends request to web app
  2. Web App sees no cookie, generates one and uses it as a session key. Gives cookie to browser
  3. Web app realises it doesn’t know who is attached to the cookie and asks for authentication.
  4. User supplies authentication to web app via browser. Web App associates credentials with cookie/session.
  5. Browser requests various bits of content. Web app looks at cookie, gives appropriate content to browser.
  6. Browser Java Plugin requests content. Web app sees no cookie and generates a new one.
  7. Browser Java Plugin accepts new cookie and overwrites browser cookie with it.
  8. Browser requests various bits of content. Web app sees new cookie and jumps to step 3.
  9. User gets confused

Further to my earlier comment about Java applets being the Cool New Way to do web applications 10 years ago… 10 years on and they still can’t get this really trivial operation right.

Java Plugins! Either send the cookies from the browser, or don’t overwrite browser cookies with new ones!

Microsoft killed Java in the browser, but they had a lot of help from Sun.

My solution? For this case, the actual content wasn’t particularly sensitive, so I have a regexp right at the beginning of the http request code that looks to see if it’s a request for a .class or a .jar and if so bypasses all session handling code. For cases where the content does need to be protected, you’d have to pass the session key using some method other than cookies. Perhaps ugly ?sessid=4353453 type stuff.

- Colin
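To make the nine-step failure above concrete, here is an added Python simulation (not code from the original post) of a cookie-based session layer, a plugin request that carries no cookie, and the two mitigations the post mentions: skipping session handling entirely for .class/.jar requests, and accepting the session key from a ?sessid= query parameter when no cookie arrives. All names (SESSIONS, handle_request, simulate) are hypothetical.

```python
import re
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed in-memory session store: session id -> authenticated user (None = not logged in)
SESSIONS = {}
# Requests for applet code: the plugin sends no cookie, so never run session handling for these
APPLET_RE = re.compile(r"\.(class|jar)$", re.IGNORECASE)

def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = None
    return sid

def handle_request(url, cookie_sid=None, bypass_applets=True):
    """Return (status, set_cookie_sid, body). set_cookie_sid is the Set-Cookie the server
    would emit, or None. bypass_applets=False reproduces the broken behaviour from the post."""
    parsed = urlparse(url)
    path = parsed.path
    if bypass_applets and APPLET_RE.search(path):
        # Fix from the post: serve .class/.jar with no session code at all, so the plugin's
        # cookie-less request can never mint a session that clobbers the browser's cookie.
        return 200, None, f"bytes of {path}"
    # Protected content: fall back to ?sessid= when the cookie is absent. Note the key is
    # then visible in server logs and Referer headers, which is why the post calls it ugly.
    sid = cookie_sid or parse_qs(parsed.query).get("sessid", [None])[0]
    if sid not in SESSIONS:
        sid = new_session()
        return 401, sid, "please log in"      # steps 2-3: new cookie, ask for authentication
    if SESSIONS[sid] is None:
        return 401, None, "please log in"
    return 200, None, f"{path} for {SESSIONS[sid]}"

def login(sid, user):
    SESSIONS[sid] = user                      # step 4: credentials bound to the cookie

def simulate(bypass_applets):
    """Replay steps 1-8: log in, then let the plugin fetch the applet without a cookie."""
    _, sid, _ = handle_request("/index.html")                       # steps 1-2
    login(sid, "alice")
    browser_cookie = sid
    _, set_cookie, _ = handle_request("/Foo.class", None, bypass_applets)  # step 6
    if set_cookie is not None:
        browser_cookie = set_cookie           # step 7: plugin overwrites the browser cookie
    status, _, _ = handle_request("/page2.html", cookie_sid=browser_cookie)  # step 8
    return status                             # 401 = user logged out, 200 = still alice
```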

2 Responses to “Java Applets Breaking Sessions”

  1. Chad Says:

    I am having a similar problem with an application that I am developing that protects content. The content that I am protecting is images, flash, and movies. Movies are the problem. I use sessions to store the information for the current content being requested, like filename on the server, mime-type, and so on. The problem that I am having is that the windows media player plugin is identified by the server as a different user agent and so the file that I give the embed tag will not see the session created by the browser. I want to refrain from doing this:

    But I’m not sure there is any other way I can let the object.php know that the person wanting to view the content is authorized to do so. I see potential security risks by doing this.

    My object.php will output an image declaring unauthorized access when it doesn’t see the session variables it is expecting; it also shows the user their IP and user agent. This is how I know that the WMP plugin is seen as a whole different browser according to the server, because in Firefox, even though the image isn’t a movie, it still outputs the image into the movie container on the page, telling me object.php isn’t seeing Firefox but media player. It does not, however, clear the browser’s current session; it only creates a new session for the ‘media player’ browser. This is really annoying and I have been scouring Google to see if there are any other workarounds, and your post is the only thing that I found that is similar to my situation. If there is anyone else who has some input to add to this dilemma it would be appreciated.

  2. Colin Coghill Says:

    The two solutions I see are either to pass the session information as a GET variable, or as part of the URL.

    So if the session key is, say, ‘abcde’, you’d request the content with “http://blahblah.com/private/fetch.php?name=mysecret.wmv&sessid=abcde”. It takes a bit more work to deal with this on the server side, but it will work.
    I think PHP’s session handling gives you the option to put the session information like this instead of in a cookie, but it’s been a while since I used it so I’m not sure what the exact method is.

    I used to encode the session key in the URL to deal with broken web caches (thankfully long gone) so you might do
    “http://blahblah.com/private/abcde/mysecret.wmv”
    I’m not sure how easy this is to cope with in PHP, but it works fine for mod_perl and mod_python.

    Both make the session key obvious to the end user and are a bit ugly visually, but at least should work.

    - Colin
