Re: 3.2 beta status update

[Torsten Glunde <tg...@pcf-software.de>]

Hello Anders,

I have already shared this code in the mailing lists of tomcat. But what do you
mean with all the time.
This Interceptor works without cookies, but not with a client disabling the
cookies within a session.

But indeed you have just to ensure, that with and without the cookies there is
the sessionid in the URL. For this you have to change the code for encodeURL in
HttpServletResponseFacade() to put it always at the end of the url.

Hope this helps,

Torsten Glunde


Anders Janmyr schrieb:

> Hello Torsten,
>
> Am I correct to understand that you have a working Interceptor that allows
> you to use URL rewrite with sessions all the time.
>
> If so are you willing to share the code? I am very interested in this
> functionality and since it does not work correctly in Tomcat at the moment I
> would appreciate it.
>
> Regards
> Anders Janmyr
>
> -----Original Message-----
> From: Torsten Glunde [mailto:tglunde@pcf-software.de]
> Sent: den 3 juli 2000 01:12
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: 3.2 beta status update
>
> Hi,
> >1) URL rewriting seems to be broken again,
>
> For this question I wrote the following some times ago, but without any
> answers, perhaps it would help.
>
> I have two points you may want to consider within Tomcat 3.2 release.
>
> To have Session Tracking work without cookies I went into two problems
> with the
> source download from 6th June 2000.
>
> 1. Request Interceptor.
> In the RequestInterceptor I found the code to get the sessionid from a
> cookie.
> But nowhere it would be read from url. I wrote my own Interceptor,
> which looks it up from url if the cookie fails. Is this implemented
> somewhere else, or do I need it? In our configuration Session tracking
> won't work
> without my own Interceptor.
>
> 2. encodeURL/encoderedirectURL
> in the HttpServletResponseFacade class in the isEncodeable member on our
> internal
> testing web server the url.getPort() method returns the port as not
> available. So
> I added url.getPort()!=-1 to avoid the encodeURL method failing when the
>
> serverport is not available from the url.May this give security leak?
>
> Torsten Glunde
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

Re: 3.2 beta status update

[Hans Bergsten <ha...@gefionsoftware.com>]

Torsten Glunde wrote:
> Anders Janmyr schrieb:
> 
> > Hello Torsten,
> >
> > Am I correct to understand that you have a working Interceptor that allows
> > you to use URL rewrite with sessions all the time.
> >
> > If so are you willing to share the code? I am very interested in this
> > functionality and since it does not work correctly in Tomcat at the moment I
> > would appreciate it.
> >
> > Regards
> > Anders Janmyr

> I have already shared this code in the mailing lists of tomcat. But what do you
> mean with all the time.
> This Interceptor works without cookies, but not with a client disabling the
> cookies within a session. [...]

Actually, the bug was a bit more destructive than that. As soon as a request
with a session ID from a cookie was processed, a request from any client (not
just requests within the same session) handled by the same Request instance
could not use URL rewriting.

Anyway, URL rewriting should work in the latest nightly build. I committed a
patch (incl. some of Torsten's code) for this Sunday night/early Monday morning.

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com