Java https client problem

eranhor

Hi all,

I have encountered a very frustrating problem which I cannot solve.
I am developing some kind of Java based https client that is supposed
to support only very specific sites. All of the sites work just fine
except one.

What I am trying to do is to login to that specific site but I
constantly get a login error. Using a browser (IE, Netscape and Firefox)
I can login perfectly.

Using an http sniffer I checked out the headers of the requests and
responses and something very weird is going on there.
Browser scenario:
1. The browser sends the login request with all parameters in place
2. Receive response (code 302) with a set-cookie parameter that has a
JSESSIONID
3. Another request is sent (based on the 302 response) but without the
JSESSIONID
4. Receive response (again, 302) with a ASPSESSIONID cookie
5. Send request with the ASPSESSIONID and login completed.
So far, all's well.

Now, when I try to login using my Java client this happens:
1-3. As above
4. The response I get has a JSESSIONID.
5. Login error

I can't understand why using a regular browser I receive the
ASPSESSIONID cookie but when using a Java client I do not. I have also
tried a couple of Java based browsers (JBrowser and ClueEvl), and got
the same results as my Java client.

Is there a known problem between Java and ASP based sites using ASP
session handling?

Another thing I noticed is, that via a browser I get in the header:
Server: Microsoft-IIS/6.0
Server: unknown web server type

but when using my client I only get:
Server: unknown web server type

How come I do not get the IIS server indication?

Anyway, I am baffled with this problem (this is my 10th hour straight
trying to solve it) and very much hope someone out there has some
useful input.

Thanks all in advance,
Eran

BTW, for security reasons I cannot post the specific site
 
Robert Klemme

> Hi all,
>
> I have encountered a very frustrating problem which I cannot solve.
> I am developing some kind of Java based https client that is supposed
> to support only very specific sites. All of the sites work just fine
> except one.
>
> What I am trying to do is to login to that specific site but I
> constantly get a login error. Using a browser (IE, Netscape and
> Firefox) I can login perfectly.

Since you're doing HTTP and thus SSL did you consider that the problem
might be related to certificates?

robert
 
eranhor

Hi Robert,
I have added the relevant certificates to my truststore and even did a
sanity check (by trying my flow without a certificate, for which I get an
"Unknown Certificate" exception), so that issue I have ruled out.
 
Roedy Green

> I have added the relevant certificates to my truststore and even did a
> sanity check (by trying my flow without a certificate, for which I get an
> "Unknown Certificate" exception), so that issue I have ruled out.

Is there a way to do a similar transaction with http instead and
notice the difference in the header? It might be as simple as which
browser you identify as.
 
Rogan Dawes

Try running your two tests through a program such as WebScarab
(http://www.owasp.org/software/webscarab.html), or Achilles and
comparing the complete request and response that you get for each
user-agent.

That might give you some clues.

As Roedy suggested, something as simple as a User-Agent string might be
enough to cause the problem.

Rogan
 
Pete

> Hi all,
>
> I have encountered a very frustrating problem which I cannot solve.
> I am developing some kind of Java based https client that is supposed
> to support only very specific sites. All of the sites work just fine
> except one.
>
> What I am trying to do is to login to that specific site but I
> constantly get a login error. Using a browser (IE, Netscape and Firefox)
> I can login perfectly.

Try adding -Djavax.net.debug=ssl,handshake,data,trustmanager to get
additional information on where things are going wrong.

Pete
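
Added example, not code from any poster in this thread: a Java trace of the redirect chain that records the status, Server and Set-Cookie headers per hop for two User-Agent strings, following Roedy's and Rogan's suggestion to compare the complete responses. The embedded local server, its paths, cookie values and its User-Agent-dependent behaviour are constructed stand-ins for a hypothesis, since the real site is not named in the thread.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.util.*;

public class RedirectTrace {
    // Case-insensitive, multi-valued lookup (a response may repeat Server or Set-Cookie).
    static List<String> all(HttpURLConnection c, String name) {
        List<String> out = new ArrayList<>();
        c.getHeaderFields().forEach((k, v) -> { if (name.equalsIgnoreCase(k)) out.addAll(v); });
        return out;
    }

    // Follow redirects by hand and record, per hop, the headers discussed in this thread.
    // No cookies are replayed, matching step 3 of the browser trace.
    static List<String> trace(String start, String userAgent) throws Exception {
        List<String> log = new ArrayList<>();
        URL url = new URL(start);
        for (int hop = 1; hop <= 5 && url != null; hop++) {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setInstanceFollowRedirects(false);      // otherwise intermediate 302s are hidden
            c.setRequestProperty("User-Agent", userAgent);
            int code = c.getResponseCode();
            log.add(hop + ". " + url.getPath() + " -> " + code + " Server=" + all(c, "Server")
                    + " Set-Cookie=" + all(c, "Set-Cookie"));
            String loc = c.getHeaderField("Location");
            url = (code / 100 == 3 && loc != null) ? new URL(url, loc) : null;
            c.disconnect();
        }
        return log;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in server: it varies the cookie name by User-Agent (hypothesis only).
        HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        srv.createContext("/login", x -> {
            x.getResponseHeaders().add("Set-Cookie", "JSESSIONID=constructed1; Path=/app");
            x.getResponseHeaders().add("Location", "/step2");
            x.sendResponseHeaders(302, -1);
            x.close();
        });
        srv.createContext("/step2", x -> {
            String ua = String.valueOf(x.getRequestHeaders().getFirst("User-Agent"));
            String name = ua.contains("Mozilla") ? "ASPSESSIONIDCONSTRUCTED" : "JSESSIONID";
            x.getResponseHeaders().add("Set-Cookie", name + "=constructed2; Path=/");
            x.sendResponseHeaders(200, -1);
            x.close();
        });
        srv.start();
        String base = "http://127.0.0.1:" + srv.getAddress().getPort() + "/login";
        for (String ua : new String[] {"Mozilla/4.0 (compatible; MSIE 6.0)", "Java/1.5.0"})
            trace(base, ua).forEach(line -> System.out.println(ua + " | " + line));
        srv.stop(0);
    }
}
```

Pointed at a real HTTPS login URL, the same `trace` method shows at which hop the two User-Agent runs first diverge; running it with the `-Djavax.net.debug` setting Pete mentions adds the TLS handshake detail.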
 
