Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/12/16 21:47:30 UTC

DO NOT REPLY [Bug 33806] - Session tracking using URL rewriting fails, if client URL-encodes reserved characters ; and =

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33806>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=33806


gawix@yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




------- Additional Comments From gawix@yahoo.com  2005-12-16 21:47 -------
I've verified with 5.0.28 and Tomcat DOES unescape %3b (;) and %3d (=) before
extracting ;jsessionid= 

I don't understand what was tested by the person who opened this bug.  Maybe the
problem was with the %D in the example... It should be %3D, so I believe his
test was incorrect.

It's very simple to test using the session example (assume session
1A1D98B86F2E813CC27BDCC214C73285 is already created):

$telnet localhost 8080
GET /servlets-examples/servlet/SessionExample%3Bjsessionid%3D1A1D98B86F2E813CC27BDCC214C73285 HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1285
Date: Fri, 16 Dec 2005 20:18:20 GMT
Server: Apache-Coyote/1.1

<html>
<body bgcolor="white">
<head>
<title>Sessions Example</title>
</head>
<body>
<a href="../sessions.html">
<img src="../images/code.gif" height=24 width=24 align=right border=0 alt="view
code"></a>
<a href="../index.html">
<img src="../images/return.gif" height=24 width=24 align=right border=0
alt="return"></a>
<h3>Sessions Example</h3>
Session ID: 1A1D98B86F2E813CC27BDCC214C73285
<br>
Created:
Fri Dec 16 15:13:30 EST 2005<br>
Last Accessed:
Fri Dec 16 15:13:52 EST 2005
<P>
The following data is in your session:<br>
foo = bar<br>
<P>
<form action="SessionExample;jsessionid=1A1D98B86F2E813CC27BDCC214C73285"
method=POST>
Name of Session Attribute:
<input type=text size=20 name=dataname>
<br>
Value of Session Attribute:
<input type=text size=20 name=datavalue>
<br>
<input type=submit>
</form>
<P>GET based form:<br>
<form action="SessionExample;jsessionid=1A1D98B86F2E813CC27BDCC214C73285"
method=GET>
Name of Session Attribute:
<input type=text size=20 name=dataname>
<br>
Value of Session Attribute:
<input type=text size=20 name=datavalue>
<br>
<input type=submit>
</form>
<p><a
href="SessionExample;jsessionid=1A1D98B86F2E813CC27BDCC214C73285?dataname=foo&datavalue=bar"
>URL encoded </a>
</body>
</html>
</body>
</html>

I totally agree with Remy's analysis regarding preserving reserved characters in
the URI (http://www.ietf.org/rfc/rfc2396.txt).  I'm reopening the bug because I
believe that Tomcat should have failed to retrieve the session when the URI is
encoded as above.  Considering Tomcat is a reference implementation, I would have
expected a strict behaviour.  WebLogic 8.1 and WebSphere Application Server
5.1.1.7 do not unescape the path portion and path parameters of the URI.

It is wrong for an HTTP user agent to encode reserved characters in a URI placed
in a document (i.e. HTML, VoiceXML, etc.).  Believe it or not, I'm using a
VoiceXML platform embedding two different HTTP user agents that have this
problem.  argh!

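The comment above contrasts two ways a container can parse a request-URI whose path-parameter delimiters arrive percent-encoded: decode the whole path first and then look for ";jsessionid=" (what the reporter observed in Tomcat 5.0.28), or treat only literal ";" and "=" as delimiters and decode the pieces afterwards (the RFC 2396 reading the reporter expects, and what WebLogic and WebSphere are said to do). The Python below is an added illustration written for this page; it is not Tomcat code, and the function names, the URIs and the session id it uses are constructed for the example (the id and path are copied from the telnet session in the comment).

```python
"""
Added example, not part of the bug report or of Tomcat: parse the session id
carried as a ';jsessionid=' path parameter under two decoding policies.

  lenient: percent-decode the path, then look for ';jsessionid='
           (the behaviour the reporter observed in Tomcat 5.0.28)
  strict:  recognise only literal ';' and '=' as delimiters and decode the
           individual pieces afterwards, so '%3B' and '%3D' remain data
           (the RFC 2396 reserved-character reading)
"""
from urllib.parse import unquote

SESSION_PARAM = "jsessionid"   # parameter name used by Servlet containers


def parse_request_uri(request_uri: str, strict: bool):
    """Return (route_path, session_id) for a request-URI.

    route_path is the decoded path the container would route on once the
    session parameter has been removed; session_id is None when no
    ';jsessionid=' parameter was recognised under the chosen policy.
    """
    # Path parameters live in the path; the query string is handled separately.
    path = request_uri.split("?", 1)[0]

    if not strict:
        # Lenient policy: decode before delimiter parsing, so an encoded
        # ';' or '=' becomes a delimiter.
        path = unquote(path)

    marker = ";" + SESSION_PARAM + "="
    idx = path.find(marker)
    if idx < 0:
        session_id = None
        route = path
    else:
        rest = path[idx + len(marker):]
        # The id ends at the next path parameter or path segment, or at the end.
        end = len(rest)
        for stop in (";", "/"):
            j = rest.find(stop)
            if 0 <= j < end:
                end = j
        session_id = rest[:end]
        route = path[:idx] + rest[end:]   # drop the session parameter only

    if strict:
        # Strict policy: decode only after the delimiters have been parsed,
        # so a literal '%3B' in the path is part of the resource name.
        route = unquote(route)
        if session_id is not None:
            session_id = unquote(session_id)
    return route, session_id


# Constructed sample inputs, taken from the telnet session in the comment.
SESSION_ID = "1A1D98B86F2E813CC27BDCC214C73285"
PLAIN_URI = "/servlets-examples/servlet/SessionExample;jsessionid=" + SESSION_ID
ENCODED_URI = "/servlets-examples/servlet/SessionExample%3Bjsessionid%3D" + SESSION_ID


def compare_policies(request_uri: str):
    """Show what each policy makes of the same request-URI."""
    return {
        "lenient": parse_request_uri(request_uri, strict=False),
        "strict": parse_request_uri(request_uri, strict=True),
    }


if __name__ == "__main__":
    for uri in (PLAIN_URI, ENCODED_URI):
        print(uri)
        for policy, (route, sid) in compare_policies(uri).items():
            print(f"  {policy:7s} route={route!r} session={sid!r}")
```

Run stand-alone, the literal URI yields the same route and session id under both policies, while the %3B/%3D form is only recognised by the lenient parser; the strict parser routes it as a resource literally named `SessionExample;jsessionid=...` with no session. The practical point for an operator is consistency: a front-end proxy, access-control filter or logging layer that applies the strict reading sees a different path than a back end that applies the lenient one, so the two should agree on which policy is in force.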