tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: JSESSIONID Stripping
Date Fri, 07 Oct 2011 11:10:38 GMT
2011/10/7 Paul Wilson <paulalexwilson@gmail.com>:
> Hi there,
>
> Simple question. If a client posts:
>
> POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1
>
> whilst also specifying:
>
> Cookie: $Version="0"; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64;
> $Path=/app/
>
> isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing
> 'isRequestedSessionIdFromCookie()' evaluating to true within my app, but the
> app still sees the jsessionid which is messing up resource resolution. I
> guess I could strip the jsessionid path param but.... doesn't seem right.
> (This is seen on both Tomcat 6.0.29/7.0.12). Or is the client expected to
> remove the jsessionid before the request?

1) "%3b" does not delimit path parameters. You need to literally write
it as ";" for it to be a delimiter.

2) There are two methods in the Servlet API that should return the path
exactly as it was requested, preserving path parameters in it. There was
some discussion about that recently.

3) If I remember correctly, if a cookie is present, the jsessionid in the
URL is ignored.

Best regards,
Konstantin Kolinko
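
The three points in the reply above, worked through as an added example that is not part of the original thread and not Tomcat's code. It models the behaviour described (only a literal ";" delimits a path parameter, the cookie wins over the URL) rather than Tomcat's implementation; the request lines and Cookie header are constructed after the ones in the question, and the function names are this example's own.

```python
"""Model of how a ';jsessionid=...' path parameter and a JSESSIONID cookie
interact, following the three points in the reply above. Added example, not
Tomcat's code: it mirrors the described behaviour (literal ';' delimits,
the cookie wins), and every request URI and cookie header is constructed."""

from typing import Dict, Optional, Tuple

SESSION_PARAM = "jsessionid"    # path-parameter name, as in the reply
SESSION_COOKIE = "JSESSIONID"   # cookie name, as in the original request


def split_path_params(request_uri: str) -> Tuple[str, Dict[str, str]]:
    """Return (path without any path parameters, {name: value}).

    Only a literal ';' delimits a path parameter (point 1). A percent-encoded
    '%3b' is ordinary segment data, so '/app/main%3bjsessionid=X' yields no
    parameters and the segment is returned untouched, which matches what the
    original poster observed. Path parameters may appear on any segment.
    """
    params: Dict[str, str] = {}
    segments = []
    for segment in request_uri.split("/"):
        head, sep, rest = segment.partition(";")
        if sep:
            for part in rest.split(";"):
                if part:
                    name, _, value = part.partition("=")
                    params[name] = value
        segments.append(head)
    return "/".join(segments), params


def strip_session_path_param(request_uri: str) -> str:
    """Remove only ';jsessionid=...' from the URI, keeping other path
    parameters. This is what an application has to do itself when it needs
    a URI free of the session id for resource resolution (point 2: the
    Servlet API returns the URI as requested, path parameters included)."""
    out = []
    for segment in request_uri.split("/"):
        head, sep, rest = segment.partition(";")
        if not sep:
            out.append(head)
            continue
        kept = [p for p in rest.split(";")
                if p and p.partition("=")[0] != SESSION_PARAM]
        out.append(";".join([head] + kept))
    return "/".join(out)


def parse_cookie_header(value: Optional[str]) -> Dict[str, str]:
    """Parse a Cookie header value; the '$Version' / '$Path' attributes of
    the RFC 2109 form used in the original request are skipped."""
    cookies: Dict[str, str] = {}
    if not value:
        return cookies
    for part in value.split(";"):
        part = part.strip()
        if not part or part.startswith("$"):
            continue
        name, _, val = part.partition("=")
        cookies[name.strip()] = val.strip().strip('"')
    return cookies


def requested_session(request_uri: str, cookie_header: Optional[str]
                      ) -> Tuple[Optional[str], Optional[str]]:
    """Return (session id, 'cookie' | 'url' | None).

    Point 3 of the reply: a session id found in the URL is taken first, but
    a JSESSIONID cookie, when present, replaces it. The application then sees
    isRequestedSessionIdFromCookie() == true while the URL still carries the
    path parameter, which is the combination reported in the question.
    """
    _, params = split_path_params(request_uri)
    session_id = params.get(SESSION_PARAM)
    source = "url" if session_id else None
    cookie_id = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    if cookie_id:
        session_id, source = cookie_id, "cookie"
    return session_id, source


if __name__ == "__main__":
    # Constructed inputs modelled on the request in the question.
    sid = "BF18D19ED62BB5F78E519018E618FB64"
    cookie = '$Version="0"; JSESSIONID=%s; $Path=/app/' % sid
    print(split_path_params("/app/main;jsessionid=" + sid))
    print(split_path_params("/app/main%3bjsessionid=" + sid))   # no parameters
    print(strip_session_path_param("/app/main;jsessionid=%s;v=2" % sid))
    print(requested_session("/app/main;jsessionid=" + sid, cookie))
```

The encoded form in the question, "%3bjsessionid=...", never reaches the parameter parser here, which is why the text stays in the path; with a literal ";" the id is recognised, but the cookie still decides which session is used, and the path parameter remains in the URI the application receives.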

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

