You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Dan Bush <da...@gmail.com> on 2008/09/24 15:39:41 UTC
Possibility of Making JSESSIONID Configurable
I have the need to change the name of the session cookie to something
other than JSESSIONID. With some other containers like Weblogic it can
be adjusted via the provider descriptor (weblogic.xml)
[http://e-docs.bea.com/wls/docs100/webapp/weblogic_xml.html#wp1071982].
Tomcat makes use of a global field value. I was wondering what the
possibility of making the session cookie name, and the related stuff
like the URL parameter configurable at run time. I don't think this
would impact mod_jk because I believe that is configurable via a
directive.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Mladen Turk <mt...@apache.org>.
Dan Bush wrote:
> I don't think this
> would impact mod_jk because I believe that is configurable via a
> directive.
>
Not jet. However the next version we are going to release (1.2.27)
will have that feature.
Think your question was raised few times, but the answer was always
-1, cause per servlet spec the session affinity marks are uniquely
defined. I personally don't see any problem in making that
configurable with default value as servlet spec defines.
It's a trivial thing to implement, and like you said mod_proxy
and now mod_jk support that so it can be considered as a nifty
feature to have.
But this is just one vote from many :)
Regards
--
^(TM)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Mark Thomas <ma...@apache.org>.
Dan Bush wrote:
> It's kind of hard to fight the specification in the long run. I would
> think the language would need to be loosened up from MUST. The
> specification could suggest the use JSESSIONID by default, which would
> be supported by Tomcat; yet still allow it to be configurable.
This is exactly what the draft for 3.0 does say, but only for the cookie
name. The url parameter is still MUST.
> Is this matter
> still a candidate for and enhancement request so we can put it to a
> vote?
In my view, yes.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Dan Bush <da...@gmail.com>.
It's kind of hard to fight the specification in the long run. I would
think the language would need to be loosened up from MUST. The
specification could suggest the use JSESSIONID by default, which would
be supported by Tomcat; yet still allow it to be configurable. Not
sure I understand why it would be so problematic for proxies and
looking at the code base it would be a trivial change. Is this matter
still a candidate for and enhancement request so we can put it to a
vote?
On Wed, Sep 24, 2008 at 10:53 AM, Mark Thomas <ma...@apache.org> wrote:
> Remy Maucherat wrote:
>> On Wed, 2008-09-24 at 14:52 +0100, Mark Thomas wrote:
>>> The 3.0 servlet spec mentions this (ie Tomcat 7) but there is nothing to
>>> stop this being added to 6.0.x
>>
>> I am not aware of such a proposal in Servlet 3.0 (session cookie
>> configuration and tracking coinfig, but no config for the cookie name or
>> URL parameter name).
> It is in section 7.1.1 of the 3.0 early draft. It only applies to the
> cookie name. Making the url parameter configurable would be non-spec
> complaint but I don't see a good reason not to allow it if users have a
> requirement for it.
>
>> Esp making this configuration per context would a
>> problem to manage, so -1 for that.
> I don't see why. Looking at the code, this would be really simple. At least
> wait until there is a proposed patch before trying to veto it.
>
>> The fixed names are labelled as "MUST" in the sepc. OTOH, I had to
>> accept a hidden system property for specific customers because of
>> Weblo :( Definitely this is a showcase for bad policies of big
>> proprietary vendors, and their bad consequences.
> That depends if the customers had a genuine requirement to change the name
> (not that I can think of one of hand). If they did then it is more the spec
> not keeping pace with user requirements. Tomcat has a couple of non-spec
> compliant configuration options as well.
>
> Mark
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Peter Rossbach <pr...@objektpark.de>.
HI
I see some impacts at cluster and SSO code with a per context
configuration. But a option at global or engine level is easy to
implement.
Regards
Peter
Am 24.09.2008 um 17:36 schrieb Remy Maucherat:
> On Wed, 2008-09-24 at 16:23 +0100, Mark Thomas wrote:
>> The draft is here:
>> http://jcp.org/en/jsr/detail?id=315
>>
>> I though you were on the Servlet EG or am I mistaken?
>
> I was not aware of that file for whatever reason. I now remember the
> language that was discussed, and I remember being in favor of it.
> It now
> tolerates proprietary configuration of the cookie name, but does not
> actually mandate or change anything.
>
>>> I think per context would be a big problem for proxies, so I am
>>> against
>>> it. There's no need for a patch to state that, I think.
>> Certainly, if they were looking at the cookie to manage load-
>> balancing or
>> similar then different values per context would make that
>> configuration
>> more complex than it needs to be.
>
> I am -1 for per context configuration, +1 for global configuration
> (and
> I know JF has a custom patch to do that, which I think also does
> the URL
> parameter).
>
> Rémy
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
Re: Possibility of Making JSESSIONID Configurable
Posted by Rainer Jung <ra...@kippdata.de>.
Remy Maucherat schrieb:
> On Wed, 2008-09-24 at 16:23 +0100, Mark Thomas wrote:
>> The draft is here:
>> http://jcp.org/en/jsr/detail?id=315
>>
>> I though you were on the Servlet EG or am I mistaken?
>
> I was not aware of that file for whatever reason. I now remember the
> language that was discussed, and I remember being in favor of it. It now
> tolerates proprietary configuration of the cookie name, but does not
> actually mandate or change anything.
>
>>> I think per context would be a big problem for proxies, so I am against
>>> it. There's no need for a patch to state that, I think.
>> Certainly, if they were looking at the cookie to manage load-balancing or
>> similar then different values per context would make that configuration
>> more complex than it needs to be.
>
> I am -1 for per context configuration, +1 for global configuration (and
> I know JF has a custom patch to do that, which I think also does the URL
> parameter).
If I read Mladen's latest patch to mod_jk (done yesterday or so)
correctly, the values will already be configurable per mount (we will
have a concept of mount extensions, which does make some configuration
options adjustable per mount, like e.g. reply_timeouts). So the concept
specific part of it would not really be a technical problem for mod_jk
1.2.27+.
For httpd/mod_proxy_balancer you can configure those data via Proxy
blocks, which should also work per mount. A proxy needs to integrate
various types of backends, so at least mod_proxy needs that type of
flexibility since other backends use other types of session identifiers
(e.g. PHP).
Whether it's good practise is surely questionable. E.g. I like logging
the session cookies in the httpd access log, but that's not that easy,
if there are a lot of different cookies in use for that purpose.
So it does make your life more complicated, but at least proxies do not
have a problem with it, or will soon not have a problem with it.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Dan Bush <da...@gmail.com>.
So how does this work? Will you make the recommended modifications to your
patch and then it will be applied to the 6.x code base?
On Thu, Sep 25, 2008 at 5:00 AM, jean-frederic clere <jf...@gmail.com>wrote:
> Remy Maucherat wrote:
>
>> On Wed, 2008-09-24 at 16:23 +0100, Mark Thomas wrote:
>>
>>> The draft is here:
>>> http://jcp.org/en/jsr/detail?id=315
>>>
>>> I though you were on the Servlet EG or am I mistaken?
>>>
>>
>> I was not aware of that file for whatever reason. I now remember the
>> language that was discussed, and I remember being in favor of it. It now
>> tolerates proprietary configuration of the cookie name, but does not
>> actually mandate or change anything.
>>
>> I think per context would be a big problem for proxies, so I am against
>>>> it. There's no need for a patch to state that, I think.
>>>>
>>> Certainly, if they were looking at the cookie to manage load-balancing or
>>> similar then different values per context would make that configuration
>>> more complex than it needs to be.
>>>
>>
>> I am -1 for per context configuration, +1 for global configuration (and
>> I know JF has a custom patch to do that, which I think also does the URL
>> parameter).
>>
>
> Against trunk: http://people.apache.org/~jfclere/patches/jsessionid.patch<http://people.apache.org/%7Ejfclere/patches/jsessionid.patch>
> .
>
> I need to check if that works against tc6.0.x
>
> Cheers
>
> Jean-frederic
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
Re: Possibility of Making JSESSIONID Configurable
Posted by Remy Maucherat <re...@apache.org>.
On Thu, 2008-09-25 at 11:00 +0200, jean-frederic clere wrote:
> Against trunk: http://people.apache.org/~jfclere/patches/jsessionid.patch.
Couple glitches:
- there's a toLowerCase in jasper.constants, for some reason
- debug log in the endpoint ;)
Rémy
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Peter Rossbach <pr...@objektpark.de>.
Works for me!
+1
(Comment: Remove the JIoEndpoint log fix from JSESSIONID patch :-))
Thanks
peter
Am 25.09.2008 um 11:00 schrieb jean-frederic clere:
> Remy Maucherat wrote:
>> On Wed, 2008-09-24 at 16:23 +0100, Mark Thomas wrote:
>>> The draft is here:
>>> http://jcp.org/en/jsr/detail?id=315
>>>
>>> I though you were on the Servlet EG or am I mistaken?
>> I was not aware of that file for whatever reason. I now remember the
>> language that was discussed, and I remember being in favor of it.
>> It now
>> tolerates proprietary configuration of the cookie name, but does not
>> actually mandate or change anything.
>>>> I think per context would be a big problem for proxies, so I am
>>>> against
>>>> it. There's no need for a patch to state that, I think.
>>> Certainly, if they were looking at the cookie to manage load-
>>> balancing or
>>> similar then different values per context would make that
>>> configuration
>>> more complex than it needs to be.
>> I am -1 for per context configuration, +1 for global configuration
>> (and
>> I know JF has a custom patch to do that, which I think also does
>> the URL
>> parameter).
>
> Against trunk: http://people.apache.org/~jfclere/patches/
> jsessionid.patch.
>
> I need to check if that works against tc6.0.x
>
> Cheers
>
> Jean-frederic
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
Re: Possibility of Making JSESSIONID Configurable
Posted by jean-frederic clere <jf...@gmail.com>.
Remy Maucherat wrote:
> On Wed, 2008-09-24 at 16:23 +0100, Mark Thomas wrote:
>> The draft is here:
>> http://jcp.org/en/jsr/detail?id=315
>>
>> I though you were on the Servlet EG or am I mistaken?
>
> I was not aware of that file for whatever reason. I now remember the
> language that was discussed, and I remember being in favor of it. It now
> tolerates proprietary configuration of the cookie name, but does not
> actually mandate or change anything.
>
>>> I think per context would be a big problem for proxies, so I am against
>>> it. There's no need for a patch to state that, I think.
>> Certainly, if they were looking at the cookie to manage load-balancing or
>> similar then different values per context would make that configuration
>> more complex than it needs to be.
>
> I am -1 for per context configuration, +1 for global configuration (and
> I know JF has a custom patch to do that, which I think also does the URL
> parameter).
Against trunk: http://people.apache.org/~jfclere/patches/jsessionid.patch.
I need to check if that works against tc6.0.x
Cheers
Jean-frederic
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Remy Maucherat <re...@apache.org>.
On Wed, 2008-09-24 at 16:23 +0100, Mark Thomas wrote:
> The draft is here:
> http://jcp.org/en/jsr/detail?id=315
>
> I though you were on the Servlet EG or am I mistaken?
I was not aware of that file for whatever reason. I now remember the
language that was discussed, and I remember being in favor of it. It now
tolerates proprietary configuration of the cookie name, but does not
actually mandate or change anything.
> > I think per context would be a big problem for proxies, so I am against
> > it. There's no need for a patch to state that, I think.
> Certainly, if they were looking at the cookie to manage load-balancing or
> similar then different values per context would make that configuration
> more complex than it needs to be.
I am -1 for per context configuration, +1 for global configuration (and
I know JF has a custom patch to do that, which I think also does the URL
parameter).
Rémy
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Mark Thomas <ma...@apache.org>.
Remy Maucherat wrote:
> On Wed, 2008-09-24 at 15:53 +0100, Mark Thomas wrote:
>> It is in section 7.1.1 of the 3.0 early draft. It only applies to the
>> cookie name. Making the url parameter configurable would be non-spec
>> complaint but I don't see a good reason not to allow it if users have a
>> requirement for it.
>
> For starters, I am not aware of such a draft document :(
The draft is here:
http://jcp.org/en/jsr/detail?id=315
I though you were on the Servlet EG or am I mistaken?
> I think per context would be a big problem for proxies, so I am against
> it. There's no need for a patch to state that, I think.
Certainly, if they were looking at the cookie to manage load-balancing or
similar then different values per context would make that configuration
more complex than it needs to be.
I would expect the few users that used this to set it on the default
Manager but I don't see the harm in having the option to do it per context
(with suitable warnings in the docs about proxies).
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Remy Maucherat <re...@apache.org>.
On Wed, 2008-09-24 at 15:53 +0100, Mark Thomas wrote:
> It is in section 7.1.1 of the 3.0 early draft. It only applies to the
> cookie name. Making the url parameter configurable would be non-spec
> complaint but I don't see a good reason not to allow it if users have a
> requirement for it.
For starters, I am not aware of such a draft document :(
I think per context would be a big problem for proxies, so I am against
it. There's no need for a patch to state that, I think.
Rémy
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Mark Thomas <ma...@apache.org>.
Remy Maucherat wrote:
> On Wed, 2008-09-24 at 14:52 +0100, Mark Thomas wrote:
>> The 3.0 servlet spec mentions this (ie Tomcat 7) but there is nothing to
>> stop this being added to 6.0.x
>
> I am not aware of such a proposal in Servlet 3.0 (session cookie
> configuration and tracking coinfig, but no config for the cookie name or
> URL parameter name).
It is in section 7.1.1 of the 3.0 early draft. It only applies to the
cookie name. Making the url parameter configurable would be non-spec
complaint but I don't see a good reason not to allow it if users have a
requirement for it.
> Esp making this configuration per context would a
> problem to manage, so -1 for that.
I don't see why. Looking at the code, this would be really simple. At least
wait until there is a proposed patch before trying to veto it.
> The fixed names are labelled as "MUST" in the sepc. OTOH, I had to
> accept a hidden system property for specific customers because of
> Weblo :( Definitely this is a showcase for bad policies of big
> proprietary vendors, and their bad consequences.
That depends if the customers had a genuine requirement to change the name
(not that I can think of one of hand). If they did then it is more the spec
not keeping pace with user requirements. Tomcat has a couple of non-spec
compliant configuration options as well.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Remy Maucherat <re...@apache.org>.
On Wed, 2008-09-24 at 14:52 +0100, Mark Thomas wrote:
> The 3.0 servlet spec mentions this (ie Tomcat 7) but there is nothing to
> stop this being added to 6.0.x
I am not aware of such a proposal in Servlet 3.0 (session cookie
configuration and tracking coinfig, but no config for the cookie name or
URL parameter name). Esp making this configuration per context would a
problem to manage, so -1 for that.
The fixed names are labelled as "MUST" in the sepc. OTOH, I had to
accept a hidden system property for specific customers because of
Weblo :( Definitely this is a showcase for bad policies of big
proprietary vendors, and their bad consequences.
Rémy
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Mark Thomas wrote:
> Dan Bush wrote:
>
>> I have the need to change the name of the session cookie to something
>> other than JSESSIONID. With some other containers like Weblogic it can
>> be adjusted via the provider descriptor (weblogic.xml)
>> [http://e-docs.bea.com/wls/docs100/webapp/weblogic_xml.html#wp1071982].
>> Tomcat makes use of a global field value. I was wondering what the
>> possibility of making the session cookie name, and the related stuff
>> like the URL parameter configurable at run time. I don't think this
>> would impact mod_jk because I believe that is configurable via a
>> directive.
>>
>
> Should be quite simple. It could be made configurable per context by
> setting it within the session manager. Everywhere it is used, the context
> is easily accessible. (I haven't checked the url side but I expect it t be
> similar).
>
> The 3.0 servlet spec mentions this (ie Tomcat 7) but there is nothing to
> stop this being added to 6.0.x
>
yes, I would be a proponent for adding adding this.
best
Filip
> Enhancement requests should be entered in bugzilla.
>
> Enhancement requests with patches tend to get looked at faster ;)
> If you want to take a crack at this yourself, you could use this to give
> you an idea of how to add the configuration.
> http://svn.apache.org/viewvc?view=rev&revision=694992
>
> Shout if you have any questions / need more pointers.
>
> Mark
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibility of Making JSESSIONID Configurable
Posted by Mark Thomas <ma...@apache.org>.
Dan Bush wrote:
> I have the need to change the name of the session cookie to something
> other than JSESSIONID. With some other containers like Weblogic it can
> be adjusted via the provider descriptor (weblogic.xml)
> [http://e-docs.bea.com/wls/docs100/webapp/weblogic_xml.html#wp1071982].
> Tomcat makes use of a global field value. I was wondering what the
> possibility of making the session cookie name, and the related stuff
> like the URL parameter configurable at run time. I don't think this
> would impact mod_jk because I believe that is configurable via a
> directive.
Should be quite simple. It could be made configurable per context by
setting it within the session manager. Everywhere it is used, the context
is easily accessible. (I haven't checked the url side but I expect it t be
similar).
The 3.0 servlet spec mentions this (ie Tomcat 7) but there is nothing to
stop this being added to 6.0.x
Enhancement requests should be entered in bugzilla.
Enhancement requests with patches tend to get looked at faster ;)
If you want to take a crack at this yourself, you could use this to give
you an idea of how to add the configuration.
http://svn.apache.org/viewvc?view=rev&revision=694992
Shout if you have any questions / need more pointers.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org