Date: Sat, 11 Jan 2003 20:15:46 -0700
Subject: Possible bug w HTTP/HTTPS & encodeURL() - I'll show you the line number
From: Chris Handorf
To: tomcat-dev@jakarta.apache.org

For the impatient
-----------------------
I'm questioning the validity of line #522 of
jakarta-tomcat-4.1.18-src/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java

please read on since I think I have done all of the work for you - I just need a question answered

Background
-------------------
I'm running Tomcat 4.1.18

My application creates a Session (i.e. Shopping Cart) on a web site. All shopping is done using HTTP, but when the user is ready to pay, we switch to HTTPS.

Problem:
-----------------
If the user's browser doesn't support cookies, the contents of the shopping cart are lost every time they click on an HTTPS link.

My initial investigation:
--------------------------------
I have code like the following in my application:

    response.encodeURL("http://www.uncalendar.com/shopping.jsp");

-- and --

    response.encodeURL("https://www.uncalendar.com/payment.jsp");

Notice that one is HTTP and the other is HTTPS.

I verified that in the first case, the method added the ";jsessionid=38339839843989384398439843" but in the second case the jsessionid did NOT get added. Both of these are displayed on the same HTML page. This clearly explains why the shopping cart is lost. The question is, why did response.encodeURL() not encode my HTTPS URL? Both URLs reference www.uncalendar.com!!!!

My investigation of the Tomcat Source
---------------------------------------------------
I was surprised to find the following at line # 522 of
jakarta-tomcat-4.1.18-src/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java

    // Does this URL match down to (and including) the context path?
    if (!hreq.getScheme().equalsIgnoreCase(url.getProtocol()))
        return (false);

This basically says "If the current request is HTTP and the url being encoded uses HTTPS, then the url cannot be encoded and the jsessionid will be lost if the user clicks on this link"

At line 540, it is even more obvious:

    if (serverPort != urlPort)
        return (false);

"If I'm using port 80 but the url links to port 443, then jsessionid is toast."

My questions to the Tomcat masters
-----------------------------------------------
1) Is this a bug in Tomcat?
2) If not, how is one supposed to keep a Shopping Cart when switching between HTTP and HTTPS if the user's browser doesn't support cookies?

Closing comments
----------------------------
Thanks for any help!
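
The comparisons quoted in the message above, applied to its two URLs, as an added example that is not part of the original post and is not Tomcat's source. The scheme and port tests follow the quoted lines; the host and context-path tests, the default-port mapping, the root context path, the two extra constructed URLs, and the names `EncodeableCheck`, `effectivePort` and `refusalReason` are assumptions made for illustration.

```java
import java.net.URI;

// Added illustration, not Tomcat source. Scheme and port tests follow the
// lines quoted in the post; host and context-path tests are assumptions.
public class EncodeableCheck {

    // Port to compare when the URL names none (URI.getPort() returns -1).
    static int effectivePort(String scheme, int port) {
        if (port != -1) return port;
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    // Returns null when the session id may be appended, else the reason not.
    static String refusalReason(String reqScheme, String reqHost, int reqPort,
                                String contextPath, String target) {
        URI url;
        try {
            url = URI.create(target);
        } catch (IllegalArgumentException e) {
            return "unparseable URL";
        }
        if (url.getScheme() == null || url.getHost() == null)
            return "not an absolute URL (out of scope here)";
        if (!reqScheme.equalsIgnoreCase(url.getScheme()))
            return "scheme mismatch";
        if (!reqHost.equalsIgnoreCase(url.getHost()))
            return "host mismatch";
        if (reqPort != effectivePort(url.getScheme(), url.getPort()))
            return "port mismatch";
        String path = url.getPath() == null ? "" : url.getPath();
        if (!path.equals(contextPath) && !path.startsWith(contextPath + "/"))
            return "outside context path";
        return null;
    }

    public static void main(String[] args) {
        // Current request as in the post: plain HTTP, port 80; root context assumed.
        String[] targets = {
            "http://www.uncalendar.com/shopping.jsp",
            "https://www.uncalendar.com/payment.jsp",
            "http://www.uncalendar.com:8080/shopping.jsp",   // constructed
            "http://other.example/shopping.jsp",             // constructed
        };
        for (String t : targets) {
            String why = refusalReason("http", "www.uncalendar.com", 80, "", t);
            System.out.println(t + " -> "
                + (why == null ? "session id appended" : "left as-is: " + why));
        }
    }
}
```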