tomcat-users mailing list archives

From Vincent Aumont <>
Subject Re: cookies not sent on redirects
Date Thu, 18 May 2000 18:57:54 GMT
Patrick Wibbeler posted the following message earlier this week.
Yes, it is a bug.  It was discussed here recently.  The subject was:
<subject>Re: No application cookies are getting sent to browser (Redirect
drops cookies)</subject>  The final message of the thread was written by
"Craig R. McClanahan []":

Fedor Karpelevitch wrote:

> I believe that's just correct behavior for redirect to clear any other
> header info (including cookies)
> WBR, Fedor.
> Today: Errare humanum est.

Actually, it turns out to *not* be correct behavior.  I got a clarification
from the spec lead for the Servlet Specification (Danny Coward), and the
correct behavior for sendError() and sendRedirect() is to flush any data
that the servlet has already buffered, but to leave the headers -- and
therefore the cookies -- alone.  The same rule applies to
RequestDispatcher.forward() and <jsp:forward> -- any headers and cookies that
have been set before the transfer should remain.

I will be posting a bug fix for this in Tomcat 3.1 shortly.

Craig McClanahan

I worked around it by changing
org.apache.tomcat.core.HttpServletResponseFacade.sendError to look like:

public void sendError(int sc, String msg) throws IOException {
    // pat: Patched the else if case by adding
    // && sc != HttpServletResponse.SC_MOVED_TEMPORARILY so
    // we don't blow away cookies set before a redirect.
        if (isCommitted())
            throw new IllegalStateException(sm.getString("hsrf.error.ise"));
        else if (sc != HttpServletResponse.SC_UNAUTHORIZED
                && sc != HttpServletResponse.SC_MOVED_TEMPORARILY)       // CRM: FIXME
        setStatus( sc );
        Request request=response.getRequest();
        request.setAttribute("javax.servlet.error.message", msg);
        ContextManager cm=request.getContextManager();
        cm.handleError( request, response, null, sc );
}

I don't know what else this breaks, but it fixes the problem you describe.

My impression is that a fix will be available, so this was intended as a
temporary fix for me.


Jay Sachs wrote:

> Just joined the list, and I didn't see anything about this in the
> archives.
> I'm running into a problem where user-added cookies are not being sent
> on a redirect. My reading of the cookie or HTTP RFCs doesn't show that
> this is the proper behavior. If I missed something, please point me to a
> reference.
> I'm using 3.1, but I checked last night's build & source, and the
> behavior is still there. Basically, sendRedirect() just forwards onto
> sendError(), which ends up calling reset() on the RequestImpl object
> which clears out the cookies.
> Before I cook up a patch, though, I'd like to be sure that this is (or
> could be considered) a bug.
> jay

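An added illustration of the rule Craig McClanahan describes above, not code from Tomcat or from anyone in this thread: a simplified Java model in which a redirect either clears headers and cookies along with the buffer, or clears the buffer only. The names RedirectCookieDemo, ModelResponse, resetAll and resetBufferOnly, and the sample cookie, are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified stand-in for a container response object (hypothetical class,
// not Tomcat's HttpServletResponseFacade).
public class RedirectCookieDemo {
    static class ModelResponse {
        int status = 200;
        final Map<String, String> headers = new LinkedHashMap<>();
        final List<String> cookies = new ArrayList<>();
        final StringBuilder body = new StringBuilder();

        // Behaviour reported in the thread: everything set so far is discarded.
        void resetAll() { headers.clear(); cookies.clear(); body.setLength(0); }

        // Behaviour the spec lead described: only buffered body data is discarded.
        void resetBufferOnly() { body.setLength(0); }

        void redirect(String location, boolean keepHeaders) {
            if (keepHeaders) resetBufferOnly(); else resetAll();
            status = 302; // SC_MOVED_TEMPORARILY
            headers.put("Location", location);
        }

        // Render the header block the client would receive.
        String render() {
            StringBuilder out = new StringBuilder("HTTP/1.0 " + status + "\r\n");
            headers.forEach((k, v) -> out.append(k).append(": ").append(v).append("\r\n"));
            for (String c : cookies) out.append("Set-Cookie: ").append(c).append("\r\n");
            return out.toString();
        }
    }

    // Servlet-like flow: set a cookie, write some body, then redirect.
    static String loginThenRedirect(boolean keepHeaders) {
        ModelResponse r = new ModelResponse();
        r.cookies.add("user=jay; Path=/"); // constructed sample cookie
        r.body.append("<html>partial page</html>");
        r.redirect("/home", keepHeaders);
        return r.render();
    }

    public static void main(String[] args) {
        System.out.println("reset everything:\n" + loginThenRedirect(false));
        System.out.println("reset buffer only:\n" + loginThenRedirect(true));
    }
}
```

Only the second rendering carries the Set-Cookie line alongside Location, which is the outcome a session or login cookie set just before a redirect depends on.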