tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Problem with url session encoding - Tomcat 4.0.4 b2
Date Tue, 30 Apr 2002 15:41:40 GMT

On Tue, 30 Apr 2002, Arshad Mahmood wrote:

> Date: Tue, 30 Apr 2002 11:12:48 +0100
> From: Arshad Mahmood <>
> Reply-To: Tomcat Developers List <>
> To: Tomcat Developers List <>
> Subject: Problem with url session encoding - Tomcat 4.0.4 b2
> Hi,
> I am writing an e-commerce application using tomcat and have come across a
> minor issue with url session encoding. The problem is that if a valid
> session id is available on the url then tomcat does not use cookies.
> Here is my scenario :-
> 1. I have tomcat configured to use cookies for session id's if possible.
> 2. An access to the index.html of my site redirects via url encoding to
> home/index.html. This causes the session to be sent both via the url and a
> cookie, from here on tomcat knows it can use cookies and doesn't bother
> adding the session id to the url when I use encodeURL.

This is not quite right.  Tomcat doesn't know it can use cookies until the
browser makes the second request *with* a cookie.

> 3. If I close the browser and open a new browser and use the url history box
> then the url that appears is home/index.html with the added url encoding
> (because I redirected from the original index.html).

As you've probably gathered, closing the browser kills your session
cookies, which effectively logs you off of your sessions.  This is a "Good
Thing" (tm) -- otherwise, what happens if someone else happens to come
along and uses your PC, instead of you?  Presto, they would be
authenticated with your ID and could do all sorts of mischief.

> 4. Because this url has a valid session id, tomcat now defaults to using the
> url endoing method and doesn't even try to use a cookie for this browser
> session.

If the cookie had come back in again, it would have turned off URL
rewriting again.

> My problem is that I want tomcat to always try and use a cookie even when
> using url encoding (unless it is already using a cookie). I realise it is a
> pain for those users that have setup prompts before accepting cookies, but
> in my case I would prefer an inconvenience to a small number of users and
> not the vast variety of users seeing the session id on all their url's.
> My own prefernce would be to overload the cookies parameter so that a value
> of "force" would cause this behaviour and leave the existing semantics for
> the already defined values.

Sounds like a good opportunity to make your own custom version of the
Tomcat code that does this ... and, oh by the way, lock yourself now and
forever more into using your patched version of Tomcat, because no other
container implements the approach you suggest.  Also, you're likely to
cause anyone doing a security audit of your application some serious

> Regards,
> Arshad


> --
> To unsubscribe, e-mail:   <>
> For additional commands, e-mail: <>

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message