tomcat-users mailing list archives

From Konstantin Kolinko <>
Subject Re: JSESSIONID Stripping
Date Fri, 07 Oct 2011 11:10:38 GMT
2011/10/7 Paul Wilson <>:
> Hi there,
> Simple question. If a client posts:
> POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1
> whilst also specifying:
> Cookie: $Version="0"; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64;
> $Path=/app/
> isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing
> 'isRequestedSessionIdFromCookie()' evaluating to true within my app, but the
> app still sees the jsessionid which is messing up resource resolution. I
> guess I could strip the jsessionid path param but.... doesn't seem right.
> (This is seen on both Tomcat 6.0.29/7.0.12). Or is the client expected to
> remove the jsessionid before the request?

1) "%3b" does not delimit path parameters. You need to literally write
it as ";" for it to be a delimiter.

2) There are two methods in the Servlet API that should return the path
exactly as it was requested, preserving path parameters in it. There was
some discussion about that recently.

3) If I remember correctly, if a cookie is present the jsessionid in the
URL is ignored.

Best regards,
Konstantin Kolinko
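
The difference point 1 describes, as an added example that is not part of the original message and is not Tomcat's code: a small Python model that splits path parameters at a literal ";" on the raw path and only then percent-decodes. The function names are hypothetical, and the order of operations is an assumption taken from the reply above.

```python
from urllib.parse import unquote


def split_path_params(raw_path):
    """Strip path parameters from each segment of a raw (still encoded) path.

    Assumption modelled here: only a literal ';' delimits parameters, and
    percent-decoding happens afterwards, so '%3b' survives as an ordinary
    ';' character inside the decoded segment.
    Returns (decoded_path, params).
    """
    params = {}
    segments = []
    for raw_segment in raw_path.split("/"):
        # Everything after the first literal ';' in a segment is parameters.
        name, *raw_params = raw_segment.split(";")
        for raw_param in raw_params:
            key, _, value = raw_param.partition("=")
            if key:
                params[unquote(key)] = unquote(value)
        segments.append(unquote(name))
    return "/".join(segments), params


def has_encoded_session_param(raw_path):
    """True when ';jsessionid=' is still in the path after parameter stripping,
    which is what an application sees when the delimiter arrived as '%3b'."""
    decoded, _ = split_path_params(raw_path)
    return ";jsessionid=" in decoded.lower()


# Constructed request paths, reusing the session id quoted in the question.
SID = "BF18D19ED62BB5F78E519018E618FB64"
LITERAL = "/app/main;jsessionid=" + SID
ENCODED = "/app/main%3bjsessionid=" + SID

if __name__ == "__main__":
    for target in (LITERAL, ENCODED):
        path, params = split_path_params(target)
        print(target)
        print("  path   :", path)
        print("  params :", params)
        print("  flagged:", has_encoded_session_param(target))
```

With the literal ";" the path resolves to /app/main and the session id is reported as a parameter; with "%3b" the id stays inside the last path segment, which matches the broken resource resolution described in the question.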
