Question

I am developing a Grails+BlazeDS server and a Flex AIR client and am stuck with this error: Detected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly

Google searches were not successful, as I see some differences in the situations. I get the issue only when the Flex client interacts with the server via https.

Flex client:

    <s:ChannelSet id="userChannel">
        <s:SecureAMFChannel uri="https://localhost:8443/Con/messagebroker/amfpolling" />
    </s:ChannelSet>

A button click in the UI triggers the login method:

    loginResult.token = channelSet.login(usernameInput.text, passwordInput.text);

And it finishes with a DuplicateSessionDetected exception. :(

After investigating the network monitor logs, I found that the jsession cookie received from the server is not set in the next requests to the server:

Response from server (operation: client_ping)

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=F58F1ADA97E70915EF9E6E4EE1AEBE00; Path=/; Secure
    Content-Type: application/x-amf
    Content-Length: 173
    Date: Sun, 23 Feb 2014 10:17:00 GMT

    Flex Message (flex.messaging.messages.AcknowledgeMessageExt)
        clientId = EA18E8B9-951F-6F87-7B47-48B8B202EE75
        correlationId = 7D2782C1-C8A5-41A3-2055-5E3F771424C8
        destination = null
        messageId = EA18E8F6-9E0E-1FE4-0D26-6F0E602F5C5E
        timestamp = 1393150620542
        timeToLive = 0
        body = null
        hdr(DSMessagingVersion) = 1.0
        hdr(DSId) = EA18E8B9-950B-4B42-EF70-369D656BA3F2

And the next request to the server (login operation) is sent without the jsession cookie:

    POST /Conn/messagebroker/amfsecure HTTP/1.1
    Referer: app:/BlazeDSClient.swf
    Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
    x-flash-version: 12,0,0,68
    Content-Type: application/x-amf
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows; U; en) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/4.0
    Host: localhost
    Content-Length: 299

    Flex Message (flex.messaging.messages.CommandMessage)
        operation = login
        clientId = null
        destination = auth
        messageId = 7B47BBF2-08C0-0E41-5D88-5E3F76FA4882
        timestamp = 0
        timeToLive = 0
        ***not printing credentials***

and the server answers with a new session cookie:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=03BD8347F9E9511C299B717DD55625C9; Path=/; Secure
    Content-Type: application/x-amf
    Content-Length: 535
    Date: Sun, 23 Feb 2014 10:17:01 GMT

    Flex Message (flex.messaging.messages.ErrorMessage)
        clientId = null
        correlationId = 7B47BBF2-08C0-0E41-5D88-5E3F76FA4882
        destination = auth
        messageId = EA18F4A7-C80D-103B-F8D0-58B6F148F142
        timestamp = 1393150621768
        timeToLive = 0
        body = null
        code = Server.Processing.DuplicateSessionDetected
        message = Detected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly.
        details = null
        rootCause = null
        body = null
        extendedData = null

And again, when a non-secure protocol is used everything is OK: the session cookie is sent to the server in the login operation as expected.

I have a little experience in Flex development and didn't find any method to set the session cookie when triggering the channel login request. Can you help to resolve this issue?

Thanks!


Solution

Gotcha!!

It's unbelievable, but the cause of the DuplicateSessionDetected exception was the Network Monitor tool of Flash Builder. After switching it off, no exception occurred. I think there are issues when the Monitor acts as a proxy when used with a secure protocol.

OTHER TIPS

Surely, this question is already dead, but I have got something to say in this regard for future readers.

The Flash Player (including Flex) does not transmit the default JSESSIONID in the request and cannot do it until you have set SameSite=None in the JSESSIONID cookie.

I have faced the problem where the JSESSIONID cookie is dropped in the request and I have discovered that it is because modern browsers (Chrome > 80) do not allow the Flash/Flex Player to access the JSESSIONID cookie if the cookie does not have SameSite=None and the Secure flag.

Please read the announcement from Adobe here. More to read about the new cookie policy:

  1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
  2. https://medium.com/adobetech/adobe-experience-cloud-cookie-updates-for-google-chrome-19ad67cf1598
  3. https://digiday.com/media/what-is-chrome-samesite/
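
A check for the symptom discussed on this page, as an added example that is not part of the original posts: it walks a captured exchange and reports when the JSESSIONID the server issued is not returned by the client, when the server issues a replacement, and when Set-Cookie lacks the Secure or SameSite attributes the answer above refers to. The header lines are copied from the question's capture; the function names and finding labels are assumptions.

```python
# Added example: audit a captured exchange for session-cookie problems.
# CAPTURE holds header lines copied from the question (AMF bodies left out).
CAPTURE = [
    ("response", ["HTTP/1.1 200 OK",
                  "Set-Cookie: JSESSIONID=F58F1ADA97E70915EF9E6E4EE1AEBE00; Path=/; Secure"]),
    ("request", ["POST /Conn/messagebroker/amfsecure HTTP/1.1",
                 "Host: localhost", "Content-Type: application/x-amf"]),
    ("response", ["HTTP/1.1 200 OK",
                  "Set-Cookie: JSESSIONID=03BD8347F9E9511C299B717DD55625C9; Path=/; Secure"]),
]

def headers(lines):
    """Yield (lowercased name, value) for every header after the start line."""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        yield name.strip().lower(), value.strip()

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() or True
    return name, val, attrs

def audit(capture, cookie_name="JSESSIONID"):
    """Return (message index, finding) pairs for one client/server exchange."""
    findings, issued = [], None
    for i, (kind, lines) in enumerate(capture):
        for name, value in headers(lines):
            if kind == "request" and name == "cookie":
                sent = dict(p.strip().partition("=")[::2] for p in value.split(";"))
                if sent.get(cookie_name) == issued:
                    break  # client echoed the session id it was given
            elif kind == "response" and name == "set-cookie":
                cname, cval, attrs = parse_set_cookie(value)
                if cname != cookie_name:
                    continue
                if issued and cval != issued:
                    findings.append((i, "session-reissued"))
                for attr in ("secure", "samesite"):
                    if attr not in attrs:
                        findings.append((i, attr + "-missing"))
                issued = cval
        else:  # no break: the request carried no matching Cookie header
            if kind == "request" and issued:
                findings.append((i, "cookie-not-returned"))
    return findings
```

On the question's capture, `audit(CAPTURE)` flags the login request as not returning the cookie and the second response as reissuing the session, the pair of events that precedes the DuplicateSessionDetected error.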

Do not perform the client_ping operation and then try the secure channelSet. By pinging the server, you are creating another channelset (by default Flash creates one for you) and then you are trying to open another channelset using the .login operation. Try this by restarting your server (fresh instance), or else you will be creating more sessions.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow