Posted to dev@tomcat.apache.org by Hans Bergsten <ha...@gefionsoftware.com> on 2000/11/14 22:55:53 UTC
[TC 3.2b7 PATCH] Sessions without cookies [Was: Re: BugRat Report #380 has been filed.]
BugRat Mail System wrote:
>
> Bug report #380 has just been filed.
> [...]
> Environment:
> Release: 3.2 Beta 7
> JVM Release: 1.3
> Operating System: Linux/NT
> OS Release: 2.2.16/4
> Platform: any
>
> Synopsis:
> Sessions don't work without cookies
>
> Description:
> If Cookies are turned off in a browser the
> session-management by url-rewriting does not work.
> This bug was introduced by 3.2 beta6 and is still around
> in beta7
Adding this to StandardSessionInterceptor seems to fix the problem.
I would appreciate it if someone who has worked with the session
tracking stuff before can review this patch before I commit it to
the tomcat_32 branch. I really don't want to introduce new bugs in
3.2 this close to the release, but I feel this bug must be fixed.
// First check if we have a valid session ID from the URL, set
// by the SessionInterceptor, and if so, set it as the request
// session. If we have also received a valid session ID
// as a cookie, the next section of code will reset the session
// to the one matching the ID found in the cookie.
String requestedSessionID = request.getRequestedSessionId();
if (requestedSessionID != null) {
System.out.println("Found a requested session ID: " +
requestedSessionID);
sess = sM.findSession(requestedSessionID);
if (sess != null)
System.out.println("Found a requested session ID");
request.setSession(sess);
}
// The current cookie checking code comes here
...
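Review bot: The "if (sess != null)" near the end of the block has no braces, so it guards only the second println, and request.setSession(sess) runs even when sM.findSession(requestedSessionID) returned null for an ID from the URL that matches no session. Wrap the println and the setSession call in braces so the request session is set only when a session was actually found, which is what the comment's "valid session ID" implies.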
Hans
--
Hans Bergsten hans@gefionsoftware.com
Gefion Software http://www.gefionsoftware.com
Re: [TC 3.2b7 PATCH] Sessions without cookies [Was: Re: BugRat Report #380 has been filed.]
Posted by cm...@yahoo.com.
Hi Hans,
The patch is great, +1 from me (it's the way the code was supposed to
work - if you look back 2-3 revisions for that file you'll find very
similar code). It seems the patch for "multiple session cookies" broke
this part - it's great that we fix it back.
For 3.3 we should probably move the code that extracts the session id from
cookies back to the request/SessionInterceptor (and rename it
SessionIdInterceptor).
Costin
> // First check if we have a valid session ID from the URL, set
> // by the SessionInterceptor, and if so, set it as the request
> // session. If we have also received a valid session ID
> // as a cookie, the next section of code will reset the session
> // to the one matching the ID found in the cookie.
> String requestedSessionID = request.getRequestedSessionId();
> if (requestedSessionID != null) {
> System.out.println("Found a requested session ID: " +
> requestedSessionID);
> sess = sM.findSession(requestedSessionID);
> if (sess != null)
> System.out.println("Found a requested session ID");
> request.setSession(sess);
> }
>
> // The current cookie checking code comes here
> ...
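Review bot: The two System.out.println calls at the top of the if block look like debugging output and should not go into the tomcat_32 branch as they are: the first one writes the full requested session ID to stdout, and a session ID is all a client needs to present to be attached to that session. Remove them, or send them through the container's debug logging without the ID value. The second message also repeats "Found a requested session ID" where it appears to mean that a matching session was found.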
>
> Hans
>