SessionID renewed at each exchange starting with firmware 8.5 (and above)

Version 1
    This document was generated from CDN thread

    Created by: Benoit Coux on 18-05-2010 07:02:47 AM
    Hi,
     
    While testing our XML service on phones with 9.x firmware, we discovered that it's not working anymore. Our analysis revealed that the problem appears with firmware 8.5 and above.
    What we noticed server-side is that the client SessionID changes each time a new page is called from the phone, which causes the loss of the session information used in our service.
     
    See below the exchanges before and now with the new firmwares:
    - Firmware 8.4: see lines 2 and 4 in file Firmware 8.4.2S, same sessionID
    - Firmware 9.0: see lines 9 and 25 in file Firmware 9.0.2.1.SR, different sessionID

     
    Did anyone have the same issue?
    Is this the new behavior for the phones?
     
    Regards
    Benoit

    Subject: RE: SessionID renewed at each exchange starting with firmware 8.5 (and abov
    Replied by: David Staudt on 18-05-2010 02:54:33 PM
    What models of phones have you tested?

    Subject: RE: SessionID renewed at each exchange starting with firmware 8.5 (and abov
    Replied by: Benoit Coux on 18-05-2010 03:33:24 PM
    We did test with the following models: 7940, 7975, 6941 and 8961.
     
    Regards
    Benoit

    Subject: RE: SessionID renewed at each exchange starting with firmware 8.5 (and abov
    Replied by: David Staudt on 18-05-2010 04:52:16 PM
    Later phone firmware versions have received an updated HTTP implementation, which is generally more strict/observant than previous handlers.
     
    In this case it appears HTTP 1.0 rules indicate user-agents should not send cookies in 3xx redirection requests:
     
    http://www.w3.org/Protocols/rfc2109/rfc2109 in section "4.3.5 Sending Cookies in Unverifiable Transactions":
    "A transaction is verifiable if the user has the option to review the request-URI prior to its use in the transaction.  A transaction is unverifiable if the user does not have that option.  Unverifiable transactions typically arise when a user agent automatically requests inlined or embedded entities or when it resolves redirection (3xx) responses from an origin server."
     
    While a behaviour change from previous firmware versions, it appears the change is towards RFC compliance - i.e. fixing a privacy defect.
     
    A workaround could be to include a URL parameter (could be the cookie value) to identify the session.
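
The behaviour and workaround discussed in the reply above, as an added example that is not part of the original thread: a toy service whose first page redirects, and a client that can withhold its cookie on the redirected request the way the newer firmware is described as doing. The names `handle`, `phone_fetch` and the `h` parameter are hypothetical, and the sample user is constructed; the redirect carries a single-use handoff token instead of the cookie value itself, an assumption made here so the session ID never appears in URLs or request logs.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

SESSIONS = {}  # session id -> per-session data
HANDOFF = {}   # single-use token -> session id (hypothetical helper table)

def handle(path, cookie_sid=None, carry_in_url=False):
    """Toy service: /start stores data then redirects to /menu, which reads it."""
    url = urlsplit(path)
    token = parse_qs(url.query).get("h", [None])[0]
    sid = cookie_sid if cookie_sid in SESSIONS else None
    set_cookie = None
    if sid is None:
        # No usable cookie: recover the session from a handoff token,
        # otherwise start a brand-new (empty) session.
        sid = set_cookie = HANDOFF.pop(token, None) or secrets.token_hex(16)
        SESSIONS.setdefault(sid, {})
    if url.path == "/start":
        SESSIONS[sid]["user"] = "alice"  # constructed sample data
        location = "/menu"
        if carry_in_url:
            t = secrets.token_urlsafe(16)
            HANDOFF[t] = sid             # consumed on first use
            location += "?h=" + t
        return 302, location, set_cookie, None
    return 200, None, set_cookie, SESSIONS[sid].get("user")

def phone_fetch(path, carry_in_url, cookie_on_redirect):
    """Client following redirects; cookie_on_redirect=False models the
    'no cookies on 3xx-triggered requests' behaviour from the thread."""
    jar = None
    status, location, set_cookie, body = handle(path, jar, carry_in_url)
    jar = set_cookie or jar
    while status == 302:
        sent = jar if cookie_on_redirect else None
        status, location, set_cookie, body = handle(location, sent, carry_in_url)
        jar = set_cookie or jar
    return body

if __name__ == "__main__":
    print("cookie sent on redirect:", phone_fetch("/start", False, True))
    print("cookie withheld:        ", phone_fetch("/start", False, False))
    print("withheld + URL handoff: ", phone_fetch("/start", True, False))
```
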
     

    Subject: RE: SessionID renewed at each exchange starting with firmware 8.5 (and abov
    Replied by: Benoit Coux on 26-05-2010 12:26:37 PM
    We performed further testing.
    In fact, in our application we were having a change of SessionID because of a Response.Redirect(url) action.

    After changing this behavior of our application, the application is now working fine.

     
    Benoit.