Posted to dev@tomcat.apache.org by Chris Handorf <ch...@cybertrails.com> on 2003/01/12 04:15:46 UTC

Possible bug w HTTP/HTTPS & encodeURL() - I'll show you the line number

For the impatient
-----------------------
I'm questioning the validity of line #522 of
jakarta-tomcat-4.1.18-src/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java

Please read on since I think I have done all of the work for you - I just need a question answered.

Background
-------------------
I'm running Tomcat 4.1.18

My application creates a Session (i.e. Shopping Cart) on a web site.
All shopping is done using HTTP, but when the user is ready to pay, we switch to HTTPS.

Problem:
-----------------
If the user's browser doesn't support cookies, the contents of the shopping cart are lost every time they click on an HTTPS link.

My initial investigation:
--------------------------------
I have code like the following in my application:

response.encodeURL("http://www.uncalendar.com/shopping.jsp");

    -- and --

response.encodeURL("https://www.uncalendar.com/payment.jsp");

Notice that one is HTTP and the other is HTTPS.

I verified that in the first case, the method added the ";jsessionid=38339839843989384398439843", but in the second case the jsessionid did NOT get added.

Both of these are displayed on the same HTML page.

This clearly explains why the shopping cart is lost. The question is, why did response.encodeURL() not encode my HTTPS URL? Both URLs reference www.uncalendar.com!!!!

My investigation of the Tomcat Source
---------------------------------------------------
I was surprised to find the following at line # 522 of
jakarta-tomcat-4.1.18-src/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java

         // Does this URL match down to (and including) the context path?
         if (!hreq.getScheme().equalsIgnoreCase(url.getProtocol()))
             return (false);

This basically says "If the current request is HTTP and the url being encoded uses HTTPS, then the url cannot be encoded and the jsessionid will be lost if the user clicks on this link."

At line 540, it is even more obvious:

         if (serverPort != urlPort)
             return (false);

"If I'm using port 80 but the url links to port 443, then jsessionid is toast."

My questions to the Tomcat masters
-----------------------------------------------
1) Is this a bug in Tomcat?
2) If not, how is one supposed to keep a Shopping Cart when switching between
     HTTP and HTTPS if the user's browser doesn't support cookies?

Closing comments
----------------------------
Thanks for any help!


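The scheme and port comparison the post quotes, re-created as a stand-alone Java example so the effect on the two links can be seen directly. This is added example code, not Tomcat's HttpResponseBase; the request scheme/host/port are modelled as plain parameters rather than an HttpServletRequest, the host comparison and the default-port substitution (80 for http, 443 for https) are assumptions suggested by the quoted comment, and the session id is the sample value from the post.

```java
import java.net.MalformedURLException;
import java.net.URL;

/** Re-creation of the encodeURL() check described in the post; not Tomcat's own code. */
public class EncodeUrlCheck {

    /** Hypothetical stand-ins for the current request's scheme, host and port. */
    static final String REQ_SCHEME = "http";
    static final String REQ_HOST = "www.uncalendar.com";
    static final int REQ_PORT = 80;

    /** Port the URL implies; falls back to the protocol default when none is written (assumption). */
    static int effectivePort(URL url) {
        return url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
    }

    /** Mirrors the quoted checks: the URL is only rewritten when scheme and port match the request. */
    static boolean isEncodeable(String scheme, String host, int port, String location) {
        URL url;
        try {
            url = new URL(location);
        } catch (MalformedURLException e) {
            return false; // not an absolute URL we can compare against the request
        }
        if (!scheme.equalsIgnoreCase(url.getProtocol())) return false; // http vs https: no jsessionid
        if (!host.equalsIgnoreCase(url.getHost())) return false;       // assumed host comparison
        if (port != effectivePort(url)) return false;                  // 80 vs 443: no jsessionid
        return true;
    }

    /** Appends ;jsessionid=... to the path, ahead of any query string, as URL rewriting does. */
    static String encodeURL(String scheme, String host, int port, String location, String sessionId) {
        if (!isEncodeable(scheme, host, port, location)) return location;
        int q = location.indexOf('?');
        String path = q < 0 ? location : location.substring(0, q);
        String query = q < 0 ? "" : location.substring(q);
        return path + ";jsessionid=" + sessionId + query;
    }

    public static void main(String[] args) {
        String sid = "38339839843989384398439843"; // sample id taken from the post
        String[] links = {
            "http://www.uncalendar.com/shopping.jsp",
            "https://www.uncalendar.com/payment.jsp",
        };
        for (String link : links) {
            System.out.println(encodeURL(REQ_SCHEME, REQ_HOST, REQ_PORT, link, sid));
        }
    }
}
```

Run from a plain HTTP request context (scheme "http", port 80) the shopping link is rewritten and the payment link is returned untouched, which is the cross-scheme behaviour the post traces to lines 522 and 540.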