tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38759] - path of JSESSIONID cookie (and possibly others) is passed through incorrectly
Date Thu, 23 Feb 2006 15:43:01 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=38759





------- Additional Comments From brian.bonner@paraware.com  2006-02-23 16:43 -------
Filip, I hadn't seen the Apache Week article you mentioned; however, I will
review it.  Thank you.

What's perplexing about this problem is that an Apache server running PHP behind a
reverse proxy doesn't have this problem.  In fact, I have an example where the
path *is* properly set.  Maybe it's just because the reverse proxy code works
when the server behind the proxy is Apache :).

However, they don't all set the path to "/".  As an example, I have an instance
running on Apache behind a proxy, and SugarCRM sets ck_login_id_20,
ck_login_theme_20, and ck_login_language_20 with the path set to the value as
seen by the browser, not the path seen by the proxy.

Thanks for the clarification.

Brian

(In reply to comment #4)
> I agree with Bill, Apache should change the cookie path for you.
> My guess is that it works with other servers cause they set the path to "/" and
> make their sessions global to the domain, not the webapp.
> 
> Take a look at these directives
> ProxyPassReverseCookiePath
> ProxyPassReverseCookieDomain
> 
> featured in the following article
> http://www.apacheweek.com/features/reverseproxies
> 
> If that is not an option, I would suggest modifying the class
> org.apache.catalina.connector.Request.java the following method
> 
>     protected void configureSessionCookie(Cookie cookie) {
>         cookie.setMaxAge(-1);
>         String contextPath = null;
>         if (!connector.getEmptySessionPath() && (getContext() != null)) {
>             contextPath = getContext().getEncodedPath();
>         }
>         if ((contextPath != null) && (contextPath.length() > 0)) {
>             cookie.setPath(contextPath);
>         } else {
>             cookie.setPath("/");
>         }
>         if (isSecure()) {
>             cookie.setSecure(true);
>         }
>     }
> 
> You can make an enhancement request to tomcat to allow for a configuration to
> always set "/" as the session cookie path.
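
The thread turns on how a browser decides whether to return a cookie based on its Path attribute. The following is an added example, not code from the bug report, Tomcat or httpd: it applies the RFC 6265 path-match rule to a session cookie passed through unchanged, mapped to the public path, and set to "/". The paths `/app` and `/portal/app`, the session id and the rewrite function (a simplified prefix-substitution model) are assumptions.

```python
import re

# Constructed sample values (not from the bug report): the backend webapp's
# context path is /app and the proxy publishes it to browsers as /portal/app.
INTERNAL, PUBLIC = "/app", "/portal/app"
BACKEND_SET_COOKIE = "JSESSIONID=CONSTRUCTED0123; Path=/app"

def cookie_path(set_cookie):
    """Return the Path attribute of a Set-Cookie header value."""
    m = re.search(r"(?i);\s*path=([^;]*)", set_cookie)
    return m.group(1).strip() if m else None

def path_matches(request_path, cpath):
    """RFC 6265 section 5.1.4 path-match: would the browser send the cookie?"""
    if request_path == cpath:
        return True
    if request_path.startswith(cpath):
        return cpath.endswith("/") or request_path[len(cpath)] == "/"
    return False

def rewrite_cookie_path(set_cookie, internal, public):
    """Simplified model of a proxy mapping the cookie Path from the internal
    prefix to the public one (the job ProxyPassReverseCookiePath is meant for)."""
    def swap(m):
        path = m.group(2)
        if path.startswith(internal):
            path = public + path[len(internal):]
        return m.group(1) + path
    return re.sub(r"(?i)(;\s*path=)([^;]*)", swap, set_cookie, count=1)

def scenario():
    """Compare the three variants for a request to the public URL."""
    request = PUBLIC + "/index.jsp"
    other_app = "/other/page"          # a different application on the same host
    rewritten = rewrite_cookie_path(BACKEND_SET_COOKIE, INTERNAL, PUBLIC)
    return {
        "passed_through": path_matches(request, cookie_path(BACKEND_SET_COOKIE)),
        "rewritten": path_matches(request, cookie_path(rewritten)),
        "rewritten_sent_to_other_app": path_matches(other_app, cookie_path(rewritten)),
        "root_path": path_matches(request, "/"),
        "root_path_sent_to_other_app": path_matches(other_app, "/"),
    }

if __name__ == "__main__":
    for name, sent in scenario().items():
        print(f"{name}: {sent}")
```

With the path passed through unchanged the browser never returns the session cookie, so each request starts a new session; a path of "/" fixes that but also sends the session id to every other application on the host, which the mapped path does not.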
