You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Emmanuel CASTRO <ca...@lirmm.fr> on 1999/02/25 11:08:19 UTC

mod_jserv/3966: Url Session ID scheme incompatible with HTML forms

>Number:         3966
>Category:       mod_jserv
>Synopsis:       Url Session ID scheme incompatible with HTML forms
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jserv
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Feb 25 02:10:00 PST 1999
>Last-Modified:
>Originator:     castro@lirmm.fr
>Organization:
apache
>Release:        1.3.4
>Environment:
Problem suposed to be operating system inpendent
JServ 1b03, Jdk 1.2, Solaris 2.5.1
>Description:
When cookies are off, JServ uses Url session to trace user sessions.
In such a situation, String encodeUrl(String url) add a query
parameter to the url.
e.g.: /example/SessionServlet -> /example/SessionServlet?JServSessionId=3fd5d...

Now, consider a servlet building HTML forms.
It must encodeUrl() the action field of the FORM tag:

The code: 
  out.println("<FORM action=\"+ response.encoreUrl("/example/SessionServlet")+"\">");
It produces: 
  <FORM action="/example/SessionServlet?JServSessionId=3fd5d...">

The problem is that all the web browser (NS4 and IE4) strip the
query part of the action url loosing all the session info.


>How-To-Repeat:
Take the JSDK2.0 SessionServlet source code.
Add this line in it:
out.println("<FORM action=\""+ res.encodeUrl("/example/SessionServlet") +
            "\"> <INPUT type=text name=alpha value=alpha></FORM>");

Note: you can change "/example/SessionServlet" to any convenient value for your 
JServ installation.

Compile and put the generated SessionServlet.class in your installation.

Don't forget to set your browser on "Do nood accept cookies"

Try the servlet form. You can see that the session counter 
is reset to 1 each time that you use the form.
>Fix:
The Session ID should not be passed in the query part of the url
Id should be encoded in the localPath (which should be decoded
before giving it to the Servlet)

Note: what to do it the localPath is null?

Example of URL session tracking can be found at:
http://www.sun.com/software/communitysource/java2
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]