Can we ignore this or should we investigate?
Can't really classify that...
Best regards
Daniel
[2023-03-29T10:40:11.264+0200] [Payara 5.2022.4] [WARNING] [] [javax.enterprise.web] [tid: _ThreadID=94 _ThreadName=http-thread-pool::http-listener- 1(10)] [timeMillis: 1680079211264] [levelValue: 900] [[
StandardWrapperValve[FacesServlet]: Servlet.service() for servlet FacesServlet threw exception
java.lang.Error: Client that sends the request is not the one that created the session. Request is cancelled: /x/faces/eclntjsfserver/includes/ccaround.jsp
at org.eclnt.jsfserver.util.SecurityFilterGeneral.performCheck_remoteAddress(SecurityFilterGeneral.java:206)
at org.eclnt.jsfserver.util.SecurityFilterGeneral.doFilter(SecurityFilterGeneral.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:253)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:211)
at org.eclnt.jsfserver.util.SecurityFilter.doFilter(SecurityFilter.java:162)
CaptainCasa by default includes a servlet-filter "SecurityFilterGeneral" which assigns a unique id to each session which is also sent to the client via cookie. Every request from the client from now on is checked to include this unique id in the cookie information.
If the cookie is missing then this exception is thrown.
This filter can be switched on/off by system.xml configuration.
We definitely recommend using this filter when using session-tracking mode "URL". The filter is not required for session-tracking mode "COOKIE".
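The mechanism described in the reply above (a per-session unique id that must come back in a cookie on every request), sketched as an added example; this is not CaptainCasa's SecurityFilterGeneral code. The class name, cookie name and session attribute name are assumptions, and it assumes the Servlet 4.0 API (javax.servlet) on the classpath.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter illustrating the check; names below are assumptions, not CaptainCasa identifiers.
public class SessionBindingFilter implements Filter {
    private static final String ATTR = "sessionBindingToken";  // assumed session attribute name
    private static final String COOKIE = "SESSION_BINDING";    // assumed cookie name
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        String expected = (String) session.getAttribute(ATTR);
        if (expected == null) {  // first request of this session: create the id, send it as a cookie
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(ATTR, expected);
            Cookie c = new Cookie(COOKIE, expected);
            c.setHttpOnly(true);           // not readable from page scripts
            c.setSecure(req.isSecure());   // HTTPS-only when the session started over HTTPS
            c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
            res.addCookie(c);
        } else if (!matches(req.getCookies(), expected)) {  // session known, cookie missing or wrong
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Session binding check failed");
            return;
        }
        chain.doFilter(req, res);
    }

    private static boolean matches(Cookie[] cookies, String expected) {
        if (cookies == null) return false;  // getCookies() returns null when no cookie was sent
        for (Cookie c : cookies) {
            if (COOKIE.equals(c.getName())) {
                return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                             c.getValue().getBytes(StandardCharsets.UTF_8));
            }
        }
        return false;
    }
}
```

In session-tracking mode "URL" the session id is carried in the request URL, so a cookie check like this means the URL alone does not give access to the session.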