Posted to dev@tomcat.apache.org by Hans Bergsten <ha...@gefionsoftware.com> on 2000/11/14 22:55:53 UTC

[TC 3.2b7 PATCH] Sessions without cookies [Was: Re: BugRat Report #380 has been filed.]

BugRat Mail System wrote:
> 
> Bug report #380 has just been filed.
> [...]
> Environment:
>    Release: 3.2 Beta 7
>    JVM Release: 1.3
>    Operating System: Linux/NT
>    OS Release: 2.2.16/4
>    Platform: any
> 
> Synopsis:
> Sessions don't work without cookies
> 
> Description:
> If Cookies are turned off in a browser the
>  session-management by url-rewriting does not work.
> This bug was introduced by 3.2 beta6 and is still around
>  in beta7

Adding this to StandardSessionInterceptor seems to fix the problem.
I would appreciate if someone who has worked with the session
tracking stuff before can review this patch before I commit it to
the tomcat_32 branch. I really don't want to introduce new bugs in
3.2 this close to the release, but I feel this bug must be fixed.

      // First check if we have a valid session ID from the URL, set 
      // by the SessionInterceptor, and if so, set it as the request 
      // session. If we have also received a valid session ID
      // as a cookie, the next section of code will reset the session 
      // to the one matching the ID found in the cookie.
      String requestedSessionID = request.getRequestedSessionId();
      if (requestedSessionID != null) {
          System.out.println("Found a requested session ID: " +
requestedSessionID);
          sess = sM.findSession(requestedSessionID);
          if (sess != null)
             System.out.println("Found a requested session ID");
              request.setSession(sess);
      }

      // The current cookie checking code comes here
      ...
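
Review bot: the `if (sess != null)` near the end of the block has no braces, so it guards only the second `System.out.println`; `request.setSession(sess)` runs whenever `requestedSessionID` is non-null, including when `sM.findSession(requestedSessionID)` returned null. The indentation suggests both statements were meant to be conditional. Wrap the two statements in braces, or drop the debug print so that `request.setSession(sess)` is the single guarded statement, so that an ID from the URL that matches no session never reaches `setSession` as a null session.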

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com

Re: [TC 3.2b7 PATCH] Sessions without cookies [Was: Re: BugRat Report #380 has been filed.]

Posted by cm...@yahoo.com.
Hi Hans,

The patch is great, +1 from me. (It's the way the code was supposed to
work - if you look back 2-3 revisions for that file you'll find very
similar code.) It seems the patch for "multiple session cookies" broke
this part - it's great that we fix it back.

For 3.3 we should probably move the code that extracts the session id from
cookies back to the request/SessionInterceptor (and rename it
SessionIdInterceptor).

Costin


>       // First check if we have a valid session ID from the URL, set 
>       // by the SessionInterceptor, and if so, set it as the request 
>       // session. If we have also received a valid session ID
>       // as a cookie, the next section of code will reset the session 
>       // to the one matching the ID found in the cookie.
>       String requestedSessionID = request.getRequestedSessionId();
>       if (requestedSessionID != null) {
>           System.out.println("Found a requested session ID: " +
> requestedSessionID);
>           sess = sM.findSession(requestedSessionID);
>           if (sess != null)
>              System.out.println("Found a requested session ID");
>               request.setSession(sess);
>       }
> 
>       // The current cookie checking code comes here
>       ...
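
Review bot: the first `System.out.println` concatenates `requestedSessionID` into its message, so every request that carries a session ID in the URL writes that ID to standard output, where anyone able to read the container's console output can see a session identifier. Both `System.out.println` calls read as debugging aids, and the second one repeats the first message without adding information; remove them before the commit to tomcat_32, or log only that an ID was present without printing its value.
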
> 
> Hans
>