Posted to users@tomcat.apache.org by Markus Näher <ma...@slab.de> on 2016/06/22 08:28:25 UTC

Webapp with underscore in its name leads to failed session-cookies

Hi,

I'm working on a JSF (myfaces) project that runs on Tomcat. First I thought it was a myfaces issue, 
but they told me that the container is responsible for the session cookie, so now I'm here :-)

I've created a minimal JSF test project and I called it jsf_test. When I open the tomcat manager (web) 
and the webapp's welcome page in the browser, I can see that every reload of the webapp page increases 
the session count.

In the web console of firefox, I could see that the session cookie was set with the path /jsf%5ftest, 
while other cookies (set by myfaces) were correctly set with the path /jsf_test.
It looks like firefox treats /jsf_test and /jsf%5ftest as different paths and therefore does not send
the session cookie with the next request, while chromium ignores the difference.

I also noticed that the issue does not occur on every deployment / tomcat restart. It looks like the 
webapp name is stored internally during initialization, and depending on little timing variations 
(race condition ?), it is either initialized to the escaped or the unescaped value. Tomcat manager 
always displays the unescaped name.

Among my teammates, some are always affected, some occasionally, and some never.

After renaming the webapp to "jsftest", the session count increments were gone.
The issue also occurs with a minus in the name, like "jsf-test".

Unfortunately, my real-world productive project has an underscore in its name too, but as many users
have bookmarked it, I can't just rename it.

Is this a bug in tomcat ?

Environment:
OS: Linux / Windows
Tomcat version: 8.0.36
JDK: Oracle JDK 1.8.0_92
Within the team, we're using different minor versions, but I've tested with the newest ones.

Regards,
Markus Näher

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Webapp with underscore in its name leads to failed session-cookies

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 6/22/16 6:58 AM, Mark Thomas wrote:
> On 22/06/2016 11:29, Mark Thomas wrote:
>> On 22/06/2016 09:28, Markus Näher wrote:
> 
>>> In the web console of firefox, I could see that the session
>>> cookie was set with the path /jsf%5ftest, while other cookies
>>> (set by myfaces) were correctly set with the path /jsf_test. It
>>> looks like firefox treats /jsf_test and /jsf%5ftest as
>>> different paths and therefore does not send the session cookie
>>> with the next request, while chromium ignores the difference.
>> 
>> I see a similar issue if I rename the examples web application
>> to "exa_mples". It shouldn't take me too long to figure out where
>> things are going wrong.
> 
> Tomcat is correctly setting the path for the session cookie as
> "/exa_mples"
> 
>> I'll keep that in mind once I figure out the root cause. It may
>> impact how we fix this.
> 
> The problem is that FireFox, by default, encodes all URIs and
> doesn't take account of the encoding when matching URIs to cookie
> paths. Failing to account for encoding looks like a FireFox bug to
> me.
> 
> A possible work-around is to disable the automatic encoding of URLs
> that FireFox provides by setting network.standard-url.encode-utf8
> to false under about:config.
> 
>>> Unfortunately, my real-world productive project has an
>>> underscore in its name too, but as many users have bookmarked
>>> it, I can't just rename it.
>>> 
>>> Is this a bug in tomcat ?
>> 
>> At this point I'd say it is likely but until I dig into this to
>> figure out exactly what the root cause is, I can't be sure.
> 
> No, it is a FireFox bug. And a long standing one at that. 
> https://bugzilla.mozilla.org/show_bug.cgi?id=665851

Something doesn't smell right, here.

I've been using Mozilla Firefox and Tomcat together for ... ever and
my primary web application used for development is called
"cschultz-[product]" (note the hyphen). I have never ever had any
issues with that hyphen being broken anywhere along the way. (I'm not
sure I've tried an underscore... I could try that). Here are my
relevant settings from about:config:

network.standard-url.encode-utf8;true
network.standard-url.escape-utf8;true

Does this only affect underscores?

-chris



Re: Webapp with underscore in its name leads to failed session-cookies

Posted by Mark Thomas <ma...@apache.org>.
On 22/06/2016 11:29, Mark Thomas wrote:
> On 22/06/2016 09:28, Markus Näher wrote:

>> In the web console of firefox, I could see that the session cookie was
>> set with the path /jsf%5ftest, while other cookies (set by myfaces) were
>> correctly set with the path /jsf_test.
>> It looks like firefox treats /jsf_test and /jsf%5ftest as different
>> paths and therefore does not send the session cookie with the next
>> request, while chromium ignores the difference.
> 
> I see a similar issue if I rename the examples web application to
> "exa_mples". It shouldn't take me too long to figure out where things
> are going wrong.

Tomcat is correctly setting the path for the session cookie as "/exa_mples"

> I'll keep that in mind once I figure out the root cause. It may impact
> how we fix this.

The problem is that FireFox, by default, encodes all URIs and doesn't
take account of the encoding when matching URIs to cookie paths. Failing
to account for encoding looks like a FireFox bug to me.

A possible work-around is to disable the automatic encoding of URLs that
FireFox provides by setting network.standard-url.encode-utf8 to false
under about:config.

>> Unfortunately, my real-world productive project has an underscore in
>> its name too, but as many users have bookmarked it, I can't just rename
>> it.
>>
>> Is this a bug in tomcat ?
> 
> At this point I'd say it is likely but until I dig into this to figure
> out exactly what the root cause is, I can't be sure.

No, it is a FireFox bug. And a long standing one at that.
https://bugzilla.mozilla.org/show_bug.cgi?id=665851

Mark
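
An added example, not part of any post in this thread: the path-match rule from RFC 6265 section 5.1.4 compares strings without decoding, so a request path carrying `%5f` fails against the cookie path `/jsf_test` unless percent-escapes of unreserved characters are normalized first (RFC 3986 section 6.2.2.2). The function names and sample paths are constructed for illustration and are not taken from Tomcat or Firefox code.

```javascript
// RFC 6265 section 5.1.4 path-match: plain string comparison, no decoding.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts when it ends on a "/" boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 3986 section 6.2.2.2: decode percent-escapes of unreserved characters
// (ALPHA / DIGIT / "-" / "." / "_" / "~"); keep every other escape encoded,
// only uppercasing its hex digits. Reserved characters such as "/" must stay
// encoded, otherwise "%2f" would turn into a new path separator.
function normalizeUnreserved(path) {
  return path.replace(/%([0-9A-Fa-f]{2})/g, (match, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /[A-Za-z0-9\-._~]/.test(ch) ? ch : "%" + hex.toUpperCase();
  });
}

// Hypothetical helper: path-match after normalizing both sides.
function normalizedPathMatch(requestPath, cookiePath) {
  return pathMatch(normalizeUnreserved(requestPath),
                   normalizeUnreserved(cookiePath));
}

// Constructed sample pairs: [request path, cookie Path attribute].
const cases = [
  ["/jsf_test/index.xhtml", "/jsf_test"],   // identical spelling
  ["/jsf%5ftest/index.xhtml", "/jsf_test"], // underscore escaped in request
  ["/jsf_test/index.xhtml", "/jsf%5ftest"], // underscore escaped in cookie
  ["/jsf%2dtest/", "/jsf-test"],            // hyphen escaped in request
  ["/jsf_testing/", "/jsf_test"],           // prefix without "/" boundary
  ["/a%2fb/", "/a/b"],                      // reserved "/" stays encoded
];

function compare() {
  return cases.map(([req, cookiePath]) => ({
    req, cookiePath,
    raw: pathMatch(req, cookiePath),
    normalized: normalizedPathMatch(req, cookiePath),
  }));
}

console.table(compare());
```

The rows where `raw` is false and `normalized` is true are the ones where the session cookie would not be sent back and a new session would be created on every request.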




Re: Webapp with underscore in its name leads to failed session-cookies

Posted by Mark Thomas <ma...@apache.org>.
On 22/06/2016 09:28, Markus Näher wrote:
> Hi,
> 
> I'm working on a JSF (myfaces) project that runs on Tomcat. First I
> thought it was a myfaces issue, but they told me that the container is
> responsible for the session cookie, so now I'm here :-)

That is correct. To a point. There are some things the application can
do to control the session cookie so the problem may lie elsewhere but,
with the information provided to date, you look to be asking in the
right place.

> I've created a minimal JSF test project and I called it jsf_test. When I
> open the tomcat manager (web) and the webapp's welcome page in the
> browser, I can see that every reload of the webapp page increases the
> session count.

If you have a test case it is generally a good idea to put it somewhere
where the members of the mailing list can access it.

> In the web console of firefox, I could see that the session cookie was
> set with the path /jsf%5ftest, while other cookies (set by myfaces) were
> correctly set with the path /jsf_test.
> It looks like firefox treats /jsf_test and /jsf%5ftest as different
> paths and therefore does not send the session cookie with the next
> request, while chromium ignores the difference.

I see a similar issue if I rename the examples web application to
"exa_mples". It shouldn't take me too long to figure out where things
are going wrong.

> I also noticed that the issue does not occur on every deployment /
> tomcat restart. It looks like the webapp name is stored internally
> during initialization, and depending on little timing variations (race
> condition ?), it is either initialized to the escaped or the unescaped
> value. Tomcat manager always displays the unescaped name.

That is very strange. Web application initialisation is single threaded
(per webapp) so a race condition is unlikely.

> Among my teammates, some are always affected, some occasionally, and
> some never.

That suggests something triggered by the environment. No idea what it
could be at this point though.

> After renaming the webapp to "jsftest", the session count increments
> were gone.
> The issue also occurs with a minus in the name, like "jsf-test".

I'll keep that in mind once I figure out the root cause. It may impact
how we fix this.

> Unfortunately, my real-world productive project has an underscore in
> its name too, but as many users have bookmarked it, I can't just rename
> it.
> 
> Is this a bug in tomcat ?

At this point I'd say it is likely but until I dig into this to figure
out exactly what the root cause is, I can't be sure.

> Environment:
> OS: Linux / Windows
> Tomcat version: 8.0.36
> JDK: Oracle JDK 1.8.0_92
> Within the team, we're using different minor versions, but I've tested
> with the newest ones.

Thanks for providing the version info. Not everyone does and it can
often be very helpful.

Mark

