tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <Daniele.Ulr...@swisscom.com>
Subject priority of session cookie and url rewriting
Date Sun, 20 Jan 2008 12:52:56 GMT
We have two web applications: one (A) is using session cookies the other
(B) is using url rewriting. The first access to the B is always done via
A (request by HttpClient). 
For an upload form the architects (unfortunately?) switched from this
approach to a direct call to B. In this case we have a session cookie
from A AND a rewritten URL (form action).
In org.apache.catalina.connector.CoyoteAdapter  I found the following
code:

   protected void parseSessionCookiesId(org.apache.coyote.Request req,
Request request) {

        // Parse session id from cookies
        Cookies serverCookies = req.getCookies();
        int count = serverCookies.getCookieCount();
        if (count <= 0)
            return;

        for (int i = 0; i < count; i++) {
            ServerCookie scookie = serverCookies.getCookie(i);
            if (scookie.getName().equals(Globals.SESSION_COOKIE_NAME)) {
                // Override anything requested in the URL
                if (!request.isRequestedSessionIdFromCookie()) {
                    // Accept only the first session id cookie
                    convertMB(scookie.getValue());
                    request.setRequestedSessionId
                        (scookie.getValue().toString());
                    request.setRequestedSessionCookie(true);
                    request.setRequestedSessionURL(false);
                    if (log.isDebugEnabled())
                        log.debug(" Requested cookie session id is " +
                            request.getRequestedSessionId());
                } else {
                    if (!request.isRequestedSessionIdValid()) {
                        // Replace the session id until one is valid
                        convertMB(scookie.getValue());
                        request.setRequestedSessionId
                            (scookie.getValue().toString());
                    }
                }
            }
        }

This codes leads to a higher priority of session cookies regardless of
the settings in jboss-web.xml or context.xml.

I had to patch this class in order to enable the correct behaviour:

                // Patch: if JSESSIONID AND URL rewriting, decide
according to the context.xml settings
                if (request.getContext().getCookies() &&
!request.isRequestedSessionIdFromCookie()) {

This allows to disable completely session cookies putting a context.xml
in the /WEB-INF of the war file (we use jboss):

<Context path="/medialbum" cookies="false" override="true" />

Is there another solution to this problem?

Cheers

Daniele



Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message