tomcat-dev mailing list archives

From Chris Handorf <>
Subject Possible bug w HTTP/HTTPS & encodeURL() - I'll show you the line number
Date Sun, 12 Jan 2003 03:15:46 GMT
For the impatient
I'm questioning the validity of line #522 of

please read on since I think I have done all of the work for you - I  
just need a question answered

I'm running Tomcat 4.1.18

My application creates a Session (i.e. Shopping Cart) on a web site.
All shopping is done using HTTP, but when the user is ready to pay, we  
switch to HTTPS.

If the user's browser doesn't support cookies, the contents of the shopping cart are lost every time they click on an HTTPS link.

My initial investigation:
I have code like the following in my application:


    -- and --


Notice that one is HTTP and the other is HTTPS

I verified that in the first case, the method added the  
but in the second case the jsessionid did NOT get added.

Both of these are displayed on the same HTML page.

This clearly explains why the shopping cart is lost.  The question is, why did response.encodeURL() not encode my HTTPS URL?  Both URLs reference!!!!

My investigation of the Tomcat Source
I was surprised to find the following at line # 522 of

         // Does this URL match down to (and including) the context path?
         if (!hreq.getScheme().equalsIgnoreCase(url.getProtocol()))
             return (false);

This basically says "If the current request is HTTP and the url being  
encoded uses HTTPS,
then the url cannot be encoded and the jsessionid will be lost if the  
user clicks on this link"

At line 540, it is even more obvious:

         if (serverPort != urlPort)
             return (false);

"If I'm using port 80 but the url links to port 443, then jsessionid is  

My questions to the Tomcat masters
1) Is this a bug in Tomcat?
2) If not, how is one supposed to keep a Shopping Cart when switching between HTTP and HTTPS if the user's browser doesn't support cookies?

Closing comments
Thanks for any help!
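To make the two checks quoted above concrete, here is an added example (not Tomcat's code and not the poster's) that applies the same scheme and port comparison to a link before deciding whether a jsessionid may be appended. The request scheme, host and port are passed in explicitly, and the resolution of a missing port to 80 or 443 is an assumption of this example.

```java
import java.net.MalformedURLException;
import java.net.URL;

public class UrlRewriteCheck {

    // Returns true only if the link shares scheme, host and effective port
    // with the current request, i.e. only then would URL rewriting append
    // the session id. Mirrors the checks quoted from lines 522 and 540.
    static boolean sameOrigin(String requestScheme, String requestHost,
                              int requestPort, String location) {
        URL url;
        try {
            url = new URL(location);
        } catch (MalformedURLException e) {
            return false; // not an absolute URL; out of scope here
        }
        // Check 1: scheme must match, so an HTTPS link rendered on an
        // HTTP page is rejected and the session id is never appended.
        if (!requestScheme.equalsIgnoreCase(url.getProtocol())) {
            return false;
        }
        if (!requestHost.equalsIgnoreCase(url.getHost())) {
            return false;
        }
        // Check 2: effective ports must match. Assumption of this example:
        // a missing port resolves to the scheme's default (80 or 443).
        int serverPort = effectivePort(requestScheme, requestPort);
        int urlPort = effectivePort(url.getProtocol(), url.getPort());
        return serverPort == urlPort;
    }

    static int effectivePort(String scheme, int port) {
        if (port != -1) {
            return port;
        }
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed sample: one HTTP and one HTTPS link on the same
        // HTML page, served over plain HTTP on the default port.
        String host = "shop.example";
        System.out.println("HTTP link rewritable:  "
                + sameOrigin("http", host, -1, "http://shop.example/cart"));
        System.out.println("HTTPS link rewritable: "
                + sameOrigin("http", host, -1, "https://shop.example/pay"));
    }
}
```

Running it shows the HTTP link passing and the HTTPS link failing the scheme check, which is why a cookie-less session does not survive the switch to HTTPS in the scenario described above.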
