tomcat-users mailing list archives

From Paul Wilson <paulalexwil...@gmail.com>
Subject Re: JSESSIONID Stripping
Date Fri, 07 Oct 2011 13:05:46 GMT
On 7 October 2011 12:10, Konstantin Kolinko <knst.kolinko@gmail.com> wrote:

> 2011/10/7 Paul Wilson <paulalexwilson@gmail.com>:
> > Hi there,
> >
> > Simple question. If a client posts:
> >
> > POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1
> >
> > whilst also specifying:
> >
> > Cookie: $Version="0"; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64; $Path=/app/
> >
> > isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing
> > 'isRequestedSessionIdFromCookie()' evaluating to true within my app, but the
> > app still sees the jsessionid which is messing up resource resolution. I
> > guess I could strip the jsessionid path param but.... doesn't seem right.
> > (This is seen on both Tomcat 6.0.29/7.0.12). Or is the client expected to
> > remove the jsessionid before the request?
>
> 1) "%3b" does not delimit path parameters. You need to literally write
> it as ";" for it to be a delimiter.
>

Maybe this is the cause of all my problems; the POST path is being URL
encoded by the client. :-/
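
The point made in reply 1) above, as an added illustration that is not part of the original message and is not Tomcat's code: path parameters are split off on a literal ";" in the raw path before percent-decoding, so an encoded "%3b" stays inside the path the application sees. The function names are hypothetical; the request paths are the one from the thread and its literal-";" counterpart.

```python
from urllib.parse import unquote

def split_path_params(raw_path):
    """Return (decoded_path, params) for a raw, still-encoded request path.

    Delimiters are recognised on the raw path; decoding happens afterwards,
    so "%3b" is ordinary path data and never starts a path parameter.
    """
    params = {}
    clean_segments = []
    for segment in raw_path.split("/"):
        name, *raw_params = segment.split(";")
        for raw_param in raw_params:
            if not raw_param:
                continue  # tolerate a trailing ";"
            key, _, value = raw_param.partition("=")
            params[unquote(key)] = unquote(value)
        clean_segments.append(unquote(name))
    return "/".join(clean_segments), params

def has_encoded_session_delimiter(raw_path):
    """Flag a client that percent-encoded the ";" in front of jsessionid."""
    return "%3bjsessionid=" in raw_path.lower()

# Request paths: the first is the literal-";" form, the second is the
# encoded form quoted in the thread.
SAMPLES = [
    "/app/main;jsessionid=BF18D19ED62BB5F78E519018E618FB64",
    "/app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        path, params = split_path_params(raw)
        print(f"raw={raw}")
        print(f"  path seen by app : {path}")
        print(f"  path parameters  : {params}")
        print(f"  encoded delimiter: {has_encoded_session_delimiter(raw)}")
```
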
