You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Mattias Malmgren <a2...@ulmo.stud.slu.se> on 1999/02/10 16:48:20 UTC

mod_jserv/3870: cookie values are handled incorrect if "=" is within the value

>Number:         3870
>Category:       mod_jserv
>Synopsis:       cookie values are handled incorrect if "=" is within the value
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jserv
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Feb 10 07:50:00 PST 1999
>Last-Modified:
>Originator:     a2matmal@ulmo.stud.slu.se
>Organization:
apache
>Release:        apache_1.2.6
>Environment:
SunOS mattias.kontakt.slu.se 5.6 Generic_105181-08 sun4u sparc SUNW,Ultra-5_10
>Description:
This is a bug that is fixed in JAVA-webserver 1.1.3

http://developer.java.sun.com/developer/bugParade/bugs/4174974.html

It is to me not clear if it is a JSDK-bug or a bugg in jserv.
>How-To-Repeat:
Here is my copy of the SessionServlet-example that comes with
JSDK:

http://mattias.kontakt.slu.se/servlets/SessionServlet

Go there and see that it works with session using cookies.
Then _CLOSE_ Netscpae and add this row to your cookies.txt file:
.slu.se	TRUE	/	FALSE	2051222400	SITESERVER	ID=f202122849dc7a9bc2e4f6d6848f05f5

Start Netscape again and go back to :
http://mattias.kontakt.slu.se/servlets/SessionServlet
Now only URL rewriting works, and not session using cookies!

_CLOSE_ Netscpae again and edit the row in cookies.txt to:
.slu.se	TRUE	/	FALSE	2051222400	SITESERVER	ID-f202122849dc7a9bc2e4f6d6848f05f5

Note       
ID=f202122849dc7a9bc2e4f6d6848f05f5 is changed to 
ID-f202122849dc7a9bc2e4f6d6848f05f5
         
Go back to the SessionServlet. Now sessions using cookies works again.
The .slu.se-cookie is not set by my server. And I have no idea who sets
that cookie. 
>Fix:
There are ways to fix it described on:
http://developer.java.sun.com/developer/bugParade/bugs/4174974.html
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]