tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 33806] - Session tracking using URL rewriting fails, if client URL-encodes reserved characters ; and =
Date Fri, 16 Dec 2005 20:47:30 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33806>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=33806


gawix@yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




------- Additional Comments From gawix@yahoo.com  2005-12-16 21:47 -------
I've verified with 5.0.28 and Tomcat DOES unescape %3b (;) and %3d (=) before
extracting ;jsessionid= 

I don't understand what was tested by the person who opened this bug.  Maybe the
problem was with the %D in the example... It should be %3D, so I believe his
test was incorrect.

It's very simple to test using the session example (assume session
1A1D98B86F2E813CC27BDCC214C73285 is already created):

$telnet localhost 8080
GET
/servlets-examples/servlet/SessionExample%3Bjsessionid%3D1A1D98B86F2E813CC27BDCC214C73285
HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1285
Date: Fri, 16 Dec 2005 20:18:20 GMT
Server: Apache-Coyote/1.1

<html>
<body bgcolor="white">
<head>
<title>Sessions Example</title>
</head>
<body>
<a href="../sessions.html">
<img src="../images/code.gif" height=24 width=24 align=right border=0 alt="view
code"></a>
<a href="../index.html">
<img src="../images/return.gif" height=24 width=24 align=right border=0
alt="return"></a>
<h3>Sessions Example</h3>
Session ID: 1A1D98B86F2E813CC27BDCC214C73285
<br>
Created:
Fri Dec 16 15:13:30 EST 2005<br>
Last Accessed:
Fri Dec 16 15:13:52 EST 2005
<P>
The following data is in your session:<br>
foo = bar<br>
<P>
<form action="SessionExample;jsessionid=1A1D98B86F2E813CC27BDCC214C73285"
method=POST>
Name of Session Attribute:
<input type=text size=20 name=dataname>
<br>
Value of Session Attribute:
<input type=text size=20 name=datavalue>
<br>
<input type=submit>
</form>
<P>GET based form:<br>
<form action="SessionExample;jsessionid=1A1D98B86F2E813CC27BDCC214C73285"
method=GET>
Name of Session Attribute:
<input type=text size=20 name=dataname>
<br>
Value of Session Attribute:
<input type=text size=20 name=datavalue>
<br>
<input type=submit>
</form>
<p><a
href="SessionExample;jsessionid=1A1D98B86F2E813CC27BDCC214C73285?dataname=foo&datavalue=bar"
>URL encoded </a>
</body>
</html>
</body>
</html>

I totally agree with Remy analysis regarding preserving reserved characters in
the URI (http://www.ietf.org/rfc/rfc2396.txt).  I'm reopening the bug because I
believe that tomcat should have failed retrieving session when URI is encoded as
above.  Considering Tomcat is a reference implementation, I would have expected
a strict behaviour.  Weblogic 8.1 and WebSphere Application Server 5.1.1.7 do
not unescape the path portion and path parameters of the URI.

It is wrong for a HTTP User agent to encode reserved characters in a URI placed
in a document (i.e. HTML, VoiceXML, etc.).  Believe it or not, I'm using a
VoiceXML platform embedding two different HTTP user agents that have this
problem.  argh!

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message