Posted to users@tomcat.apache.org by Greg Huber <gr...@gmail.com> on 2018/04/26 08:53:14 UTC

Tomcat 9 ;jsessionid

Hello,

One thing I have noticed with Tomcat 9.0.x: I get a lot of ;jsessionid=xxx
appended to my URLs.  This did not happen with 8.5.x.

/images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB

  500 Internal Server Error
       /images/image_32x32.png;jsessionid= ... 23784378307846F: 1 Time(s)
       /images/image_32x32.png;jsessionid= ... 85D9B02C5A030FF: 1 Time(s)


From previous experience this happens when there is no session.  I use
struts and have used encode="false" on the tags to prevent this:

<s:url value="/" encode="false" />

Also I have used (in the past) <%@ page session="false" %> but have
commented this out as it causes down stream problems for me.

Would there be a reason why this has now started happening on 9?

Cheers Greg

Re: Tomcat 9 ;jsessionid

Posted by Greg Huber <gr...@gmail.com>.
It was not the ;jsessionidxx, but changes to Spring StrictHttpFirewall; the
default config now does not allow some characters in the URL:

   - Rejects URLs that are not normalized to avoid bypassing security
   constraints...
   - Rejects URLs that contain characters that are not printable ASCII
   characters.
   - Rejects URLs that contain semicolons.
   <https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html#setAllowSemicolon-boolean->
   - Rejects URLs that contain a URL encoded slash.
   <https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html#setAllowUrlEncodedSlash-boolean->
   - Rejects URLs that contain a backslash.
   <https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html#setAllowBackSlash-boolean->
   - Rejects URLs that contain a URL encoded percent.
   <https://docs.spring.io/autorepo/docs/spring-security/4.2.x/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html#setAllowUrlEncodedPercent-boolean->


26-Apr-2018 15:16:43.356 SEVERE [ajp-nio-8009-exec-2] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception
 org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)

Had to go with defaulting to <tracking-mode>COOKIE</tracking-mode> as
suggested, rather than overriding Spring defaults.

Cheers Greg


On 27 April 2018 at 13:23, Berneburg, Cris J. - US <cb...@caci.com>
wrote:

> Hi Greg
>
> -----Original Message-----
> From: Greg Huber [mailto:gregh3269@gmail.com]
> Sent: Thursday, April 26, 2018 4:53 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Tomcat 9 ;jsessionid
>
> > Hello,
> >
> > One thing I have noticed with Tomcat 9.0.x: I get a lot of
> > ;jsessionid=xxx appended to my URLs.  This did not happen with 8.5.x.
> >
> > /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB
> >
> >  500 Internal Server Error
> >       /images/image_32x32.png;jsessionid= ... 23784378307846F: 1 Time(s)
> >       /images/image_32x32.png;jsessionid= ... 85D9B02C5A030FF: 1 Time(s)
> >
> > From previous experience this happens when there is no session.
> > I use struts and have used encode="false" on the tags to prevent this:
> >
> > <s:url value="/" encode="false" />
> >
> > Also I have used (in the past) <%@ page session="false" %> but have
> > commented this out as it causes down stream problems for me.
> >
> > Would there be a reason why this has now started happening on 9?
> >
> > Cheers Greg
>
> A while ago we had problems in TC6 with new sessions being created for
> each image.  The issue was that there was an invalid character, underscore
> "_", in the URL.  I can't remember if Internet Explorer was acting
> weird(er) or if that was expected TC behavior for an invalid URL.
>
> Also, Chris Schultz mentioned that jsessionid appended to the URL can mean
> that cookies are not being used.
>
> Might your problem be more than one issue combined?
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
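To make the rejection above concrete, here is a stand-alone Java re-implementation of the default StrictHttpFirewall rules listed in the quoted Javadoc. It is an added example written for this thread, not Spring Security's code: the class name StrictUrlCheck, the methods rejectionReason and isNormalized and the FORBIDDEN list are all assumptions, the "normalized" test is an approximation (no "." or ".." segments, no empty segment except a leading or trailing one), and only the request path is checked, not the query string. Running it against the image URL from the thread shows exactly why a ;jsessionid path parameter trips the firewall while the plain path passes.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Stand-alone re-implementation of the default StrictHttpFirewall rules quoted
 * in the thread (semicolon, encoded slash, backslash, encoded percent,
 * non-printable ASCII, non-normalized path). Written as an example for this
 * thread; it is not Spring Security's code.
 */
public final class StrictUrlCheck {

    // Literal and percent-encoded forms that the default configuration rejects.
    private static final List<String> FORBIDDEN = Arrays.asList(
            ";", "%3b", "%3B",   // semicolon: path parameters such as ;jsessionid=
            "%2f", "%2F",        // URL-encoded slash
            "\\", "%5c", "%5C",  // backslash
            "%25");              // URL-encoded percent (double encoding)

    private StrictUrlCheck() { }

    /** Returns null if the path passes, otherwise the reason it would be rejected. */
    public static String rejectionReason(String requestUri) {
        for (int i = 0; i < requestUri.length(); i++) {
            char c = requestUri.charAt(i);
            if (c < 0x20 || c > 0x7E) {
                return "non-printable ASCII character at index " + i;
            }
        }
        for (String token : FORBIDDEN) {
            if (requestUri.contains(token)) {
                // Same wording as the exception in the stack trace above.
                return "potentially malicious String \"" + token + "\"";
            }
        }
        if (!isNormalized(requestUri)) {
            return "path is not normalized";
        }
        return null;
    }

    /**
     * Assumption used here: a path is normalized when it contains no "." or ".."
     * segments and no empty segment other than a leading or trailing one.
     */
    static boolean isNormalized(String path) {
        String[] segments = path.split("/", -1);
        for (int i = 0; i < segments.length; i++) {
            String seg = segments[i];
            if (seg.equals(".") || seg.equals("..")) {
                return false;
            }
            if (seg.isEmpty() && i != 0 && i != segments.length - 1) {
                return false;   // "//" somewhere inside the path
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String[] samples = {
            "/images/image_32x32.png",
            // the URL from the thread, carrying a session path parameter
            "/images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB",
            "/images/./image_32x32.png",
            "/images%2Fimage_32x32.png",
        };
        for (String uri : samples) {
            String reason = rejectionReason(uri);
            System.out.println((reason == null ? "ACCEPT " : "REJECT ") + uri
                    + (reason == null ? "" : "  (" + reason + ")"));
        }
    }
}
```

Save it as StrictUrlCheck.java, compile with javac and run with java StrictUrlCheck. Only the first sample is accepted; the second is rejected for the ";", the third for not being normalized and the fourth for the encoded slash. This is why switching the container to cookie-only session tracking, as Greg did, resolves the 500s without loosening the firewall: once no ;jsessionid is ever written into a URL, the default rules no longer have anything to reject.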

RE: Tomcat 9 ;jsessionid

Posted by "Berneburg, Cris J. - US" <cb...@caci.com>.
Hi Greg

-----Original Message-----
From: Greg Huber [mailto:gregh3269@gmail.com] 
Sent: Thursday, April 26, 2018 4:53 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Tomcat 9 ;jsessionid

> Hello,
>
> One thing I have noticed with Tomcat 9.0.x: I get a lot of
> ;jsessionid=xxx appended to my URLs.  This did not happen with 8.5.x.
>
> /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB
>
>  500 Internal Server Error
>       /images/image_32x32.png;jsessionid= ... 23784378307846F: 1 Time(s)
>       /images/image_32x32.png;jsessionid= ... 85D9B02C5A030FF: 1 Time(s)
>
> From previous experience this happens when there is no session.
> I use struts and have used encode="false" on the tags to prevent this:
>
> <s:url value="/" encode="false" />
>
> Also I have used (in the past) <%@ page session="false" %> but have
> commented this out as it causes down stream problems for me.
>
> Would there be a reason why this has now started happening on 9?
>
> Cheers Greg

A while ago we had problems in TC6 with new sessions being created for each image.  The issue was that there was an invalid character, underscore "_", in the URL.  I can't remember if Internet Explorer was acting weird(er) or if that was expected TC behavior for an invalid URL.

Also, Chris Schultz mentioned that jsessionid appended to the URL can mean that cookies are not being used.

Might your problem be more than one issue combined?

--
Cris Berneburg
CACI Lead Software Engineer




Re: Tomcat 9 ;jsessionid

Posted by Greg Huber <gr...@gmail.com>.
Chris,

>As for your image URLs failing due to those path parameters... why are
>they failing? Which component is generating those HTTP 500 responses?


I did some more investigation and my app would not display the image with
the ;

http://www.myapp.co.uk/images/image_32x32.png;jsessionid=52FC7E289A9BDAB18ABBBE7D1C5CC85A


26-Apr-2018 15:16:43.356 SEVERE [ajp-nio-8009-exec-2] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception
 org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)


Something in Spring Security is blocking the ; in the URL.

I will go back to 8.5.x to see if I still get the ;jsessionid on the URLs;
my thinking is that I probably always did have the jsessionid, but it was
not blocked by Spring Security.

Cheers Greg



On 26 April 2018 at 14:11, Christopher Schultz <chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Greg,
>
> On 4/26/18 4:53 AM, Greg Huber wrote:
> > Hello,
> >
> > One thing I have noticed with Tomcat 9.0.x: I get a lot of
> > ;jsessionid=xxx appended to my URLs.  This did not happen with
> > 8.5.x.
> >
> > /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB
> >
> >  500 Internal Server Error /images/image_32x32.png;jsessionid= ...
> > 23784378307846F: 1 Time(s) /images/image_32x32.png;jsessionid= ...
> > 85D9B02C5A030FF: 1 Time(s)
> >
> >
> > From previous experience this happens when there is no session.
> > I use struts and have used encode="false" on the tags to prevent this:
> >
> > <s:url value="/" encode="false" />
> >
> > Also I have used (in the past) <%@ page session="false" %> but
> > have commented this out as it causes down stream problems for me.
> >
> > Would there be a reason why this has now started happening on 9?
>
> I'm not sure about why Tomcat 9 specifically might be doing this if
> Tomcat <9 didn't, but this happens when:
>
> 1. An unauthenticated user makes a request
> 2. There was no session-id in the request
> 3. The server decided to create a session
> 4. The server can't prove that cookies are supported by the client
>
> When all those things happen, all URLs (when "encoded") should contain
> ";jsessionid=" path parameters because the client might not accept the
> Set-Cookie response header.
>
> You can explicitly disable URL-based session-tracking if you'd like in
> WEB-INF/web.xml:
>
>   <session-config>
>     <tracking-mode>COOKIE</tracking-mode>
>   </session-config>
>
> This will of course require cookies. I'm not sure if that's okay for you.
>
> As for your image URLs failing due to those path parameters... why are
> they failing? Which component is generating those HTTP 500 responses?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlrh0AMACgkQHPApP6U8
> pFgxbw//dyJKCTcfaHSIsFWC1VbPbe3glKZhq9iKROiJZohtc4+muXL00uwNA7tv
> SyX9B2WcknHInEO1jmN0aXdiTs8mri1iqJsLYyomwCWsyMlD0Ekkwk8C6BHdHVbv
> HExzFmQ0sChs6X37SYUpdbW8LMe/9g8aGgY4EbpTT7jzMk6cq+iXqLIpQEpbCFLX
> VnBY+8HJtKN7Asernrb44ZVrHhdVAv+jT8CcNMw96K2sMKm1fXYXqI1WD7Gx3sDO
> uQyb17mVNepK/6qnaJ6F6a3Rzmwf1+CDzi+LRtpX39/8ebkT1gC+8dpFZ2wrOb7P
> n1Gx+fEhoYS6g2F+ytcpJaKVId1s5AEJCWQoF+WkWdc+XN7qR2HBPGuYX0hh7KxQ
> 01+LSrN88j5GXvtFnFIzcMCrpUg1q7BVnLVVItusuDSbRJFBTt899ekYH1xfe/Vu
> TVuK4K6fSZPGw3vK7JxkYK0I7mjZrNonyqjDvr2mBcwrK2u98EnhuctwLYvF9ilt
> DGEb3prZHvr7cjceSJ/MAoff7OU/ZAnuCGYhRxpb1DHsVAaSMyxa3gqOMy025WHh
> WviCRORP/sru1YRvd33eS1ZhEtawcTpmP7meyDSTRSBI6tf61Gmw7tIr/vnQL4YJ
> Z/IaXFgjQJR57bxjG/G+/4xyDe3VB6W8V73tymC6l6mWYfwtGH4=
> =xqYE
> -----END PGP SIGNATURE-----
>
>
>

Re: Tomcat 9 ;jsessionid

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Greg,

On 4/26/18 4:53 AM, Greg Huber wrote:
> Hello,
> 
> One thing I have noticed with Tomcat 9.0.x: I get a lot of
> ;jsessionid=xxx appended to my URLs.  This did not happen with
> 8.5.x.
> 
> /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB
>
>  500 Internal Server Error /images/image_32x32.png;jsessionid= ...
> 23784378307846F: 1 Time(s) /images/image_32x32.png;jsessionid= ...
> 85D9B02C5A030FF: 1 Time(s)
> 
> 
> From previous experience this happens when there is no session.
> I use struts and have used encode="false" on the tags to prevent this:
> 
> <s:url value="/" encode="false" />
> 
> Also I have used (in the past) <%@ page session="false" %> but
> have commented this out as it causes down stream problems for me.
> 
> Would there be a reason why this has now started happening on 9?

I'm not sure about why Tomcat 9 specifically might be doing this if
Tomcat <9 didn't, but this happens when:

1. An unauthenticated user makes a request
2. There was no session-id in the request
3. The server decided to create a session
4. The server can't prove that cookies are supported by the client

When all those things happen, all URLs (when "encoded") should contain
";jsessionid=" path parameters because the client might not accept the
Set-Cookie response header.

You can explicitly disable URL-based session-tracking if you'd like in
WEB-INF/web.xml:

  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

This will of course require cookies. I'm not sure if that's okay for you.

As for your image URLs failing due to those path parameters... why are
they failing? Which component is generating those HTTP 500 responses?

- -chris

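As an added illustration of the mechanism Chris describes (example code written for this thread, not code from the thread, from Tomcat or from Spring), here is a Servlet 3.0+ listener that applies the COOKIE-only tracking mode programmatically, the equivalent of the web.xml snippet above, and registers a small diagnostic servlet that reports what encodeURL() would do with an image path. The class names, the servlet name "sessionDiag" and the mapping /session-diag are assumptions; the javax.servlet API is the one Tomcat 9 ships.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Programmatic equivalent of
 *   <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
 * plus a diagnostic servlet. Example code for this thread; class names and
 * the /session-diag mapping are assumptions, not part of any project.
 */
@WebListener
public class CookieOnlySessionTracking implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Restrict session tracking to cookies. This must run while the
        // context is still starting; calling it later throws IllegalStateException.
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Register the diagnostic servlet here so the nested class does not
        // depend on annotation scanning.
        sce.getServletContext()
           .addServlet("sessionDiag", SessionDiagServlet.class)
           .addMapping("/session-diag");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }

    public static class SessionDiagServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            // Creating a session on demand is condition 3 in Chris's list.
            HttpSession session = req.getSession(true);

            // encodeURL() appends ;jsessionid=... only when URL tracking is
            // enabled AND the container cannot yet prove that the client
            // returns cookies (conditions 2 and 4). With COOKIE-only tracking
            // the path comes back unchanged.
            String encoded = resp.encodeURL("/images/image_32x32.png");

            resp.setContentType("text/plain;charset=UTF-8");
            PrintWriter out = resp.getWriter();
            out.println("effective tracking modes : "
                    + getServletContext().getEffectiveSessionTrackingModes());
            out.println("session is new           : " + session.isNew());
            out.println("session id from cookie   : " + req.isRequestedSessionIdFromCookie());
            out.println("session id from URL      : " + req.isRequestedSessionIdFromURL());
            out.println("encodeURL(...) result    : " + encoded);
        }
    }
}
```

Deploy the compiled class under WEB-INF/classes and request /session-diag twice from a client that returns cookies. With the setSessionTrackingModes call in place, the encoded path is the plain /images/image_32x32.png on both requests. Remove that call (and leave web.xml at its defaults) and the first response, where the session is new and the JSESSIONID cookie has not yet come back, shows the path with ;jsessionid= appended, while the second request, which carries the cookie, shows it unchanged. Cookie-only tracking also keeps the session ID out of access logs and Referer headers, which is where the logwatch lines at the top of the thread were picking it up.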


Re: Tomcat 9 ;jsessionid

Posted by Mark Thomas <ma...@apache.org>.
On 26/04/18 09:53, Greg Huber wrote:
> Hello,
> 
> One thing I have noticed with Tomcat 9.0.x: I get a lot of ;jsessionid=xxx
> appended to my URLs.  This did not happen with 8.5.x.
> 
> /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB
> 
>   500 Internal Server Error
>        /images/image_32x32.png;jsessionid= ... 23784378307846F: 1 Time(s)
>        /images/image_32x32.png;jsessionid= ... 85D9B02C5A030FF: 1 Time(s)
> 
> 
> From previous experience this happens when there is no session.  I use
> struts and have used encode="false" on the tags to prevent this:
> 
> <s:url value="/" encode="false" />
> 
> Also I have used (in the past) <%@ page session="false" %> but have
> commented this out as it causes down stream problems for me.
> 
> Would there be a reason why this has now started happening on 9?

You'll need to explain the exact steps to reproduce this on a clean
Tomcat install. The smaller the test case, the better. With that, we
should be able to say why a session is being created and the ID encoded
in the URL.

Mark
