Posted to users@tomcat.apache.org by Daniel Pyykkö <da...@sitevision.se> on 2012/01/16 13:45:36 UTC

Problem with POST requests not removing JSESSIONID in tomcat 6.0.35

Hi,

I seem to have found a problem in Tomcat 6.0.35 that did not exist in 6.0.32 or prior to that version, and I would like to know whether I should file it as a bug or whether there is a solution to it (it seems to be a coding bug, but just in case: I run Tomcat on a Mac).

The problem occurs when sending a POST request which contains a JSESSIONID (for example, going directly to a page containing a login module and trying to get access by logging in). In Tomcat 6.0.32 and prior, the JSESSIONID was removed from the requestURL by the method parseSessionId in the class org.apache.catalina.connector.CoyoteAdapter (which was called by the method postParseRequest). In Tomcat 6.0.35 I can see that the method parseSessionId has been rewritten and deprecated (@deprecated Not used since 6.0.30), but the checkin version is wrong since it was still in use in Tomcat 6.0.32.

Now to my problem/question. Is it just a bug that the method parseSessionId is no longer called by the method postParseRequest or how/where should the JSESSIONID be removed from the requestURL? Or could it be on purpose that the JSESSIONID no longer is removed from the requestURL?


I would really appreciate it if anybody could provide information on whether this is a bug or new expected behavior.



Kind Regards,

Daniel Pyykkö
Software Developer
Senselogic AB

Re: Problem with POST requests not removing JSESSIONID in tomcat 6.0.35

Posted by Mark Thomas <ma...@apache.org>.
On 16/01/2012 14:06, Daniel Pyykkö wrote:
> Hi Mark,
> 
> So this means that the JSESSIONID is no longer removed from the
> requestURL by tomcat (and is thereby now propagated all the way) and
> we as developers of our product must now take that in consideration
> that JSESSIONID is returned as part of the URI when calling for
> example httpServletRequest.getRequestURI()?

Yes.

> So what you are saying is
> that this is a new behavior in tomcat 6.0.35,

No, this change was as of 6.0.33.

> is this stated
> somewhere in the changelog?

Yes. Look for "path parameters".

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
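
The behaviour confirmed above matters for any application code that compares `getRequestURI()` against a path, such as a login or access-control check. The following is an added example, not code from this thread or from Tomcat; the class name `PathParameters`, its methods and the sample URIs are constructed for illustration. It strips `;name=value` path parameters from every segment before the comparison is made.

```java
/** Hypothetical helper (not part of Tomcat): normalises a request URI that may carry path parameters. */
public final class PathParameters {

    private PathParameters() {}

    /** Removes ";name=value" path parameters from every segment of the URI. */
    public static String strip(String requestUri) {
        if (requestUri == null || requestUri.indexOf(';') < 0) {
            return requestUri;              // nothing to remove
        }
        StringBuilder out = new StringBuilder(requestUri.length());
        boolean inParams = false;           // true between ';' and the next '/'
        for (int i = 0; i < requestUri.length(); i++) {
            char c = requestUri.charAt(i);
            if (c == '/') {
                inParams = false;           // a new segment starts
                out.append(c);
            } else if (c == ';') {
                inParams = true;            // drop the rest of this segment
            } else if (!inParams) {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** Path check that gives the same answer with or without ";jsessionid=..." in the URI. */
    public static boolean isLoginPage(String requestUri) {
        String path = strip(requestUri);
        return path != null && path.endsWith("/login");
    }

    public static void main(String[] args) {
        // Constructed sample URIs, shaped like values returned by getRequestURI().
        String[] samples = {
            "/app/login",
            "/app/login;jsessionid=0123456789ABCDEF",
            "/app;v=1/login;jsessionid=0123456789ABCDEF",
            "/app/login;jsessionid=0123456789ABCDEF/other"
        };
        for (String uri : samples) {
            boolean naive = uri.endsWith("/login");   // check on the raw URI
            System.out.println(uri + " -> " + strip(uri)
                    + " naive=" + naive + " normalised=" + isLoginPage(uri));
        }
    }
}
```

Run the same normalisation in every place that makes a decision on the path, so that a filter and the code behind it do not disagree about which resource was requested.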


Re: Problem with POST requests not removing JSESSIONID in tomcat 6.0.35

Posted by Daniel Pyykkö <da...@sitevision.se>.
Hi Mark,

So this means that the JSESSIONID is no longer removed from the requestURL by Tomcat (and is thereby now propagated all the way) and we as developers of our product must now take into consideration that JSESSIONID is returned as part of the URI when calling, for example, httpServletRequest.getRequestURI()? So what you are saying is that this is a new behavior in Tomcat 6.0.35. Is this stated somewhere in the changelog?


//Daniel


On Jan 16, 2012 at 2:04 PM, Mark Thomas wrote:

> On 16/01/2012 12:45, Daniel Pyykkö wrote:
>> Hi,
>> 
>> I seem to have found a problem in tomcat 6.0.35 that did not exist in
>> 6.0.32 or prior to that version that I would like to know if I should
>> file as a bug or if it exists a solution to it (it seems to be a
>> coding bug but just in case, I run tomcat on a MAC).
> 
> And what exactly is the problem?
> 
>> Now to my problem/question. Is it just a bug that the method
>> parseSessionId is no longer called by the method postParseRequest or
>> how/where should the JSESSIONID be removed from the requestURL? Or
>> could it be on purpose that the JSESSIONID no longer is removed from
>> the requestURL?
> 
> The change is deliberate. JSESSIONID is a valid path parameter.
> 
> Mark


Re: Problem with POST requests not removing JSESSIONID in tomcat 6.0.35

Posted by Mark Thomas <ma...@apache.org>.
On 16/01/2012 12:45, Daniel Pyykkö wrote:
> Hi,
> 
> I seem to have found a problem in tomcat 6.0.35 that did not exist in
> 6.0.32 or prior to that version that I would like to know if I should
> file as a bug or if it exists a solution to it (it seems to be a
> coding bug but just in case, I run tomcat on a MAC).

And what exactly is the problem?

> Now to my problem/question. Is it just a bug that the method
> parseSessionId is no longer called by the method postParseRequest or
> how/where should the JSESSIONID be removed from the requestURL? Or
> could it be on purpose that the JSESSIONID no longer is removed from
> the requestURL?

The change is deliberate. JSESSIONID is a valid path parameter.

Mark
