tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49811] New: PATCH Custom attribute to not encode sessions in URL
Date Mon, 23 Aug 2010 18:26:35 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49811

           Summary: PATCH Custom attribute to not encode sessions in URL
           Product: Tomcat 6
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: wesley.acheson@gmail.com


Created an attachment (id=25930)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25930)
Attachment adds a custom attribute to the context interface to disable URL
encoding/parsing of sessions.

Encoding sessions in URLs is generally thought of as bad practice. Information
on sessions can be passed out to third parties by the Referrer HTTP header.

It can also be problematic if a user of the application attempts to send out a
link to their friends unwittingly passing their session information.

The original need for this patch was raised in
http://marc.info/?t=128208259900001&r=1&w=2 on the users mailing list.

The attached patch allows users to enter an attribute on the Context to disable
session URL encoding and parsing; the attribute is allowURLSessions.

I attempted to change the documentation too but couldn't create a patch file
from it; I think it's in svn.ignore.


I've tested locally by disabling session cookies for localhost and ensuring
sessions were lost when the attribute was set to false.

I've checked the URLs to ensure jsessionid doesn't appear in them.

I've also checked that sessions were retained when this attribute was set to
true or absent.

Finally, I've tested when the attribute is set to false and cookies are enabled
to ensure sessions work in this scenario.

**NOTE** If this is set to false and cookies are denied, no session information
is retained.
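The manual checks described in the report (no jsessionid in rendered links, and no session id travelling in request lines or Referer headers) can be scripted. The following is an added example written for this archive page; it is not part of the attached patch or of Tomcat. The HTML fragment and access-log lines are constructed, the function names are the author's own, and the checks assume Tomcat's usual ";jsessionid=" path-parameter form.

```python
"""Defender-side checks for Tomcat session IDs leaking through URLs.

Added example, not part of the bug report or of Tomcat. Sample HTML and
access-log lines below are constructed."""
import re

# Tomcat URL rewriting appends the session id as a path parameter:
#   /app/page;jsessionid=<id>   (query string, if any, follows the id)
JSESSIONID_PATH_RE = re.compile(r";jsessionid=([0-9A-Za-z]+)", re.IGNORECASE)

# Attributes whose URL would carry the id to another page or, via the
# browser's Referer header, to a third party.
ATTR_RE = re.compile(r'\b(href|src|action)\s*=\s*"([^"]*)"', re.IGNORECASE)

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)


def find_url_session_ids(html):
    """Return (attribute, url, session_id) for every link in a rendered page
    whose URL still carries a jsessionid path parameter.  An empty list means
    response.encodeURL()/encodeRedirectURL() is no longer rewriting links."""
    hits = []
    for attr, url in ATTR_RE.findall(html):
        m = JSESSIONID_PATH_RE.search(url)
        if m:
            hits.append((attr.lower(), url, m.group(1)))
    return hits


def url_sessions_in_log(log_lines):
    """Scan access-log lines and return (client, where, session_id) for each
    line in which a jsessionid appears either in the request line ("request":
    the session arrived in the URL) or in the Referer header ("referer": a
    page address carrying the session was passed on when a link was followed).
    Lines that do not parse as combined-format entries are skipped."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, request, _status, referer = m.groups()
        for where, field in (("request", request), ("referer", referer)):
            sid = JSESSIONID_PATH_RE.search(field)
            if sid:
                findings.append((client, where, sid.group(1)))
    return findings


def strip_url_session_id(url):
    """Remove a jsessionid path parameter from a URL, keeping the rest of the
    path and the query string (what the link should look like once session
    tracking is cookie-only)."""
    return JSESSIONID_PATH_RE.sub("", url)


# Constructed sample page: two rewritten links, two clean ones.
SAMPLE_HTML = """
<a href="/shop/cart;jsessionid=3F9A2C1B8D7E6F0A">Cart</a>
<a href="/shop/help">Help</a>
<form action="/shop/checkout;jsessionid=3F9A2C1B8D7E6F0A?step=2" method="post">
<img src="/static/logo.png">
"""

# Constructed sample access log: the id arrives in a request line, then shows
# up in the Referer of the next request; the third line is clean.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Aug/2010:18:26:35 +0000] "GET /shop/cart;jsessionid=3F9A2C1B8D7E6F0A HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Aug/2010:18:26:40 +0000] "GET /shop/help HTTP/1.1" 200 128 "http://shop.example/shop/cart;jsessionid=3F9A2C1B8D7E6F0A" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Aug/2010:18:27:01 +0000] "GET /shop/help HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_url_session_ids(SAMPLE_HTML):
        print("link still carries session id:", hit)
    for finding in url_sessions_in_log(SAMPLE_LOG):
        print("session id seen in log:", finding)
    print(strip_url_session_id("/shop/checkout;jsessionid=3F9A2C1B8D7E6F0A?step=2"))
```

Running the two scanners against a page fetched with cookies disabled (as in the report's test) is a quick way to confirm that the attribute really stops rewriting; the log scan is the corresponding ongoing check, since any "referer" finding is a session id that has already left the page where it was issued.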



