Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/05/16 09:28:08 UTC

[Bug 54980] New: Setting 'cookies' attribute to 'false' in context still generate JSESSIONID cookie

https://issues.apache.org/bugzilla/show_bug.cgi?id=54980

            Bug ID: 54980
           Summary: Setting 'cookies' attribute to 'false' in context
                    still generate JSESSIONID cookie
           Product: Tomcat 7
           Version: 7.0.27
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: bishen@ebay.com
    Classification: Unclassified

As stated in http://tomcat.apache.org/tomcat-7.0-doc/config/context.html,
setting the 'cookie' attribute to 'false' should disable the use of cookies for
session identifier communication. But it turns out not to work. The JSESSIONID
cookie is still generated and saved on the browser side.

This happens when the user doesn't specify "tracking-mode"
(http://www.e-zest.net/blog/new-session-management-features-in-servlet-3-0/) in
the web.xml, which is the default behavior.


Below is some analysis I'd give after doing some debugging with Tomcat's source
code (tag: TOMCAT_7_0_27).

(setting 'cookie' attribute to 'false' in WEB-INF/context.xml)

The JSESSIONID cookie is generated in Request#doGetSession(boolean):line 2891.
As no "tracking-mode" is given in web.xml, the call of
ServletContext#getEffectiveSessionTrackingModes() falls back to
#getDefaultSessionTrackingModes(). There's no problem here.

The problem is that the ServletContext is initialized before the 'cookie'
attribute is read from context.xml. Specifically,
StandardContext#getServletContext() is called before
ContextConfig#processContextConfig(Digest, URL).

Hence, when initializing a ServletContext, the referenced StandardContext's
"cookies" field is at its default value "true", which wrongly initializes its
"defaultSessionTrackingModes" with COOKIE mode!

One solution I'd give is, when a StandardContext's "cookie" field is changed,
to re-initialize the referenced ServletContext.

Or make sure ContextConfig#processContextConfig(Digest, URL) is called before
any StandardContext#getServletContext() call.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
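
The check below is an added example, not code from this thread or from the Tomcat project: a startup listener that logs the default and effective session tracking modes named in the report and refuses to start the context if COOKIE is still in effect. The class name SessionTrackingAudit is hypothetical, and it assumes the Servlet 3.0 API (javax.servlet) shipped with Tomcat 7 and a deployment that intends to run with cookies disabled.

```java
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Added example (hypothetical class): verifies at startup which session
// tracking modes the container actually applied to this web application.
@WebListener
public class SessionTrackingAudit implements ServletContextListener {

    // Assumption: the deployment sets cookies="false", so COOKIE must be absent.
    private static final SessionTrackingMode FORBIDDEN = SessionTrackingMode.COOKIE;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Modes the container offers when web.xml declares no <tracking-mode>.
        Set<SessionTrackingMode> defaults = ctx.getDefaultSessionTrackingModes();
        // Modes really in use: explicit configuration, else the defaults.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();

        ctx.log("default session tracking modes:   " + defaults);
        ctx.log("effective session tracking modes: " + effective);
        ctx.log(effective.equals(defaults)
                ? "effective modes match the container defaults"
                : "effective modes differ from the container defaults");

        if (effective.contains(FORBIDDEN)) {
            // Fail loudly instead of silently issuing JSESSIONID cookies
            // that the configuration was meant to suppress.
            throw new IllegalStateException(
                    "COOKIE session tracking is active although the context "
                    + "is expected to run without it: " + effective);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

Run against the same application on a stock Tomcat and on an embedding server, the logged sets show directly whether the 'cookies' setting reached the ServletContext.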


[Bug 54980] Setting 'cookies' attribute to 'false' in context still generate JSESSIONID cookie

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54980

Emac <bi...@ebay.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Emac <bi...@ebay.com> ---
I meant META-INF/.

Sorry, I cannot reproduce it in a clean Tomcat server. Previously, I actually
encountered this issue in Geronimo 3, which embeds Tomcat version 7.0.27. So it
must be related to the customization in the Geronimo server.

Marked it as invalid. Thanks for looking into this.



[Bug 54980] Setting 'cookies' attribute to 'false' in context still generate JSESSIONID cookie

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54980

Violeta Georgieva <vi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 OS|                            |All

--- Comment #1 from Violeta Georgieva <vi...@apache.org> ---
(In reply to comment #0)
> 
> (setting 'cookie' attribute to 'false' in WEB-INF/context.xml)
> 

Did you mean META-INF/context.xml or did you really mean WEB-INF/context.xml?


I cannot observe the described behavior on the latest Tomcat version (7.0.40).


Can you provide an example that illustrates the problem against 7.0.40?


Regards
Violeta
