Posted to users@tomcat.apache.org by Liam Morley <lm...@gdc.wpi.edu> on 2002/06/26 06:00:01 UTC
repost: troubles writing a filter to intercept session cookies
NOTE:
After posting to the Tomcat Users list, I've posted this in a few online
forums without getting a single response. Either nobody knows the
answer, or I'm wording this incorrectly.. but if nobody here knows the
answer, the only other thing I can think of is to post to tomcat-dev.
the original email is as follows:
I'd like to set the path for a JSESSIONID cookie belonging to one of the
webapps to "/" instead of "/my_webapp", as sessions are getting lost
when I have to rewrite the url with mod_rewrite. I had been told that I
can write a javax.servlet.Filter and a
javax.servlet.http.HttpServletResponseWrapper to do this. This is
working to some degree; a request comes in, and when the
response.addCookie() method is called, I can change the path. In
web.xml, I just have to add a <filter> element which contains the
location of my java class and make sure I map it to the correct servlet.
I have one problem: the code is not being called the first time the page
is requested. However, the JSESSIONID cookie is still getting added from
somewhere; I'm just not sure where. This is rather curious, to say the
least. What results is a cookie with a path of "/my_webapp" after the
first request, and a second cookie with a path of "/" after any other
request. Does anybody have any idea of why this is? I'm in desperate
need of help:) I'd really like to change the path of the cookie on the
FIRST request, not just each request thereafter.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: repost: troubles writing a filter to intercept session cookies
Posted by Liam Morley <lm...@gdc.wpi.edu>.
Craig,
thanks for the response. I hadn't thought about those points before. The
issue was that we wanted to rewrite the path using mod_rewrite so that a
certain webapp had the path "/". After doing this with mod_rewrite, we
noticed that the session cookie wasn't working anymore, due to the
cookie path being equal to the webapp. Someone had suggested either
moving the webapp into the ROOT directory or writing a filter. Due to
the issues you just mentioned, moving the webapp into ROOT is looking a
whole lot better.
Liam Morley
Craig R. McClanahan wrote:
>On Wed, 26 Jun 2002, Liam Morley wrote:
>
>
>
>>Date: Wed, 26 Jun 2002 00:00:01 -0400
>>From: Liam Morley <lm...@gdc.wpi.edu>
>>Reply-To: Tomcat Users List <to...@jakarta.apache.org>
>>To: Tomcat Users List <to...@jakarta.apache.org>
>>Subject: repost: troubles writing a filter to intercept session cookies
>>
>>NOTE:
>>After posting to the Tomcat Users list, I've posted this in a few online
>>forums without getting a single response. Either nobody knows the
>>answer, or I'm wording this incorrectly.. but if nobody here knows the
>>answer, the only other thing I can think of is to post to tomcat-dev.
>>
>>the original email is as follows:
>>
>>I'd like to set the path for a JSESSIONID cookie belonging to one of the
>>webapps to "/" instead of "/my_webapp", as sessions are getting lost
>>when I have to rewrite the url with mod_rewrite. I had been told that I
>>can write a javax.servlet.Filter and a
>>javax.servlet.http.HttpServletResponseWrapper to do this. This is
>>working to some degree; a request comes in, and when the
>>response.addCookie() method is called, I can change the path. In
>>web.xml, I just have to add a <filter> element which contains the
>>location of my java class and make sure I map it to the correct servlet.
>>
>>I have one problem: the code is not being called the first time the page
>>is requested. However, the JSESSIONID cookie is still getting added from
>>somewhere; I'm just not sure where. This is rather curious, to say the
>>least. What results is a cookie with a path of "/my_webapp" after the
>>first request, and a second cookie with a path of "/" after any other
>>request. Does anybody have any idea of why this is? I'm in desperate
>>need of help:) I'd really like to change the path of the cookie on the
>>FIRST request, not just each request thereafter.
>>
>>
>>
>
>Doing what you suggest is pretty much guaranteed to either break session
>support (because Tomcat relies on the assumption that the path being set
>matches the webapp) or open your application to security problems because
>it exposes session ids from one webapp to other webapps. In short,
>mucking around with this is a really bad idea.
>
>I suggest you figure out what is wrong with your application design (or
>your mod_rewrite rules) that makes it not work with the way Tomcat, and
>every other servlet container, already support session id cookies.
>
>Craig
Re: repost: troubles writing a filter to intercept session cookies
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Wed, 26 Jun 2002, Liam Morley wrote:
> Date: Wed, 26 Jun 2002 00:00:01 -0400
> From: Liam Morley <lm...@gdc.wpi.edu>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: repost: troubles writing a filter to intercept session cookies
>
> NOTE:
> After posting to the Tomcat Users list, I've posted this in a few online
> forums without getting a single response. Either nobody knows the
> answer, or I'm wording this incorrectly.. but if nobody here knows the
> answer, the only other thing I can think of is to post to tomcat-dev.
>
> the original email is as follows:
>
> I'd like to set the path for a JSESSIONID cookie belonging to one of the
> webapps to "/" instead of "/my_webapp", as sessions are getting lost
> when I have to rewrite the url with mod_rewrite. I had been told that I
> can write a javax.servlet.Filter and a
> javax.servlet.http.HttpServletResponseWrapper to do this. This is
> working to some degree; a request comes in, and when the
> response.addCookie() method is called, I can change the path. In
> web.xml, I just have to add a <filter> element which contains the
> location of my java class and make sure I map it to the correct servlet.
>
> I have one problem: the code is not being called the first time the page
> is requested. However, the JSESSIONID cookie is still getting added from
> somewhere; I'm just not sure where. This is rather curious, to say the
> least. What results is a cookie with a path of "/my_webapp" after the
> first request, and a second cookie with a path of "/" after any other
> request. Does anybody have any idea of why this is? I'm in desperate
> need of help:) I'd really like to change the path of the cookie on the
> FIRST request, not just each request thereafter.
>
Doing what you suggest is pretty much guaranteed to either break session
support (because Tomcat relies on the assumption that the path being set
matches the webapp) or open your application to security problems because
it exposes session ids from one webapp to other webapps. In short,
mucking around with this is a really bad idea.
I suggest you figure out what is wrong with your application design (or
your mod_rewrite rules) that makes it not work with the way Tomcat, and
every other servlet container, already support session id cookies.
Craig
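Added example, not part of the original thread: a sketch of the browser-side cookie path matching from RFC 6265, showing which contexts receive a JSESSIONID scoped to "/my_webapp" versus "/", and what the two-cookie state described in the original post sends. The context names other than /my_webapp and the cookie values are constructed for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: is a cookie with this Path attribute
// attached to a request for requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/my_webapp" does not
  // match "/my_webapp2/...".
  return cookiePath.endsWith("/") ||
         requestPath.charAt(cookiePath.length) === "/";
}

// Constructed sample: three webapps deployed on the same host.
const CONTEXTS = ["/my_webapp", "/my_webapp2", "/other_webapp"];

// Contexts whose pages would receive a cookie carrying the given Path.
function contextsReceiving(cookiePath, contexts = CONTEXTS) {
  return contexts.filter((ctx) => pathMatches(ctx + "/index.jsp", cookiePath));
}

// Constructed sample: the browser state described in the original post,
// one JSESSIONID per path (cookies are keyed by name + domain + path,
// so the second one does not replace the first).
const SAMPLE_JAR = [
  { name: "JSESSIONID", value: "AAA", path: "/my_webapp" },
  { name: "JSESSIONID", value: "BBB", path: "/" },
];

// Cookie header the browser would send for requestPath.
function cookieHeader(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    // RFC 6265 section 5.4: cookies with longer paths are listed first.
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

console.log(contextsReceiving("/my_webapp"));
console.log(contextsReceiving("/"));
console.log(cookieHeader(SAMPLE_JAR, "/my_webapp/index.jsp"));
console.log(cookieHeader(SAMPLE_JAR, "/other_webapp/index.jsp"));
```

With Path=/ the session id is sent to every context on the host, which is the exposure Craig describes; with both cookies present, the original webapp receives two JSESSIONID values in one header.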