tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Force URL encoding
Date Mon, 10 Sep 2007 20:43:38 GMT
Hash: SHA1


Michael Dehmlow wrote:
> '<%=response.encodeURL("test/") %>' 

This should work.

> '<%="test;jsessionid="+request.getSession().getId() %>'

Don't do this; find out what the problem is and fix that. I realize this
is only a test, but it's good to debug it before you replicate a hack

> <?xml version="1.0" encoding="UTF-8" ?>
> <Context cookies="false"></Context>
> While the session is not stored in a cookie

Have you verified that no cookie exchange is occurring? If you have a
cookie left over from a previous run-through, Tomcat might be using that
for session identification and therefore leaving the ";jsessionid=..."
off of encoded URLs. I wouldn't be surprised if the TC code is very
tolerant of this kind of abuse, rather than simply saying "okay, cookies
are disabled; we'll completely ignore them".

> it appears that tomcat is not
> finding the session i specify. which I think has something to do with the
> fact that encodeURL does not work.

If your session does not exist, then encodeURL isn't going to change
anything. Make sure that the session exists; I'm guessing that the JSP
page directive session="true" ensures that?

Try purging your cookies for the test site and see if that fixes anything.

- -chris
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla -


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message