Posted to users@tomcat.apache.org by Paul Wilson <pa...@gmail.com> on 2011/10/07 12:41:14 UTC

JSESSIONID Stripping

Hi there,

Simple question. If a client posts:

POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1

whilst also specifying:

Cookie: $Version="0"; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64;
$Path=/app/

isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing
'isRequestedSessionIdFromCookie()' evaluating to true within my app, but the
app still sees the jsessionid which is messing up resource resolution. I
guess I could strip the jsessionid path param but.... doesn't seem right.
(This is seen on both Tomcat 6.0.29/7.0.12). Or is the client expected to
remove the jsessionid before the request?

Regards,
Paul

Re: JSESSIONID Stripping

Posted by Paul Wilson <pa...@gmail.com>.
On 7 October 2011 12:10, Konstantin Kolinko <kn...@gmail.com> wrote:

> 2011/10/7 Paul Wilson <pa...@gmail.com>:
> > Hi there,
> >
> > Simple question. If a client posts:
> >
> > POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1
> >
> > whilst also specifying:
> >
> > Cookie: $Version="0"; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64;
> > $Path=/app/
> >
> > isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing
> > 'isRequestedSessionIdFromCookie()' evaluating to true within my app, but the
> > app still sees the jsessionid which is messing up resource resolution. I
> > guess I could strip the jsessionid path param but.... doesn't seem right.
> > (This is seen on both Tomcat 6.0.29/7.0.12). Or is the client expected to
> > remove the jsessionid before the request?
>
> 1) "%3b" does not delimit path parameters. You need to literally write
> it as ";" for it to be a delimiter.
>

Maybe this is the cause of all my problems; the POST path is being URL
encoded by the client. :-/

Re: JSESSIONID Stripping

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/10/7 Paul Wilson <pa...@gmail.com>:
> Hi there,
>
> Simple question. If a client posts:
>
> POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1
>
> whilst also specifying:
>
> Cookie: $Version="0"; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64;
> $Path=/app/
>
> isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing
> 'isRequestedSessionIdFromCookie()' evaluating to true within my app, but the
> app still sees the jsessionid which is messing up resource resolution. I
> guess I could strip the jsessionid path param but.... doesn't seem right.
> (This is seen on both Tomcat 6.0.29/7.0.12). Or is the client expected to
> remove the jsessionid before the request?

1) "%3b" does not delimit path parameters. You need to literally write
it as ";" for it to be a delimiter.

2) There are two methods in the Servlet API that should return the path
exactly as it was requested, preserving path parameters in it. There was
some discussion about that recently.

3) If I remember correctly, if a cookie is present the jsessionid in the
URL is ignored.

Best regards,
Konstantin Kolinko
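
Added example, not part of the original thread and not Tomcat's code: a simplified Python model of point 1 above, in which path parameters are cut at literal ";" characters before percent-decoding, so an encoded "%3b" stays in the path as data. The function names are hypothetical; the check at the end is one way to spot requests where a client has encoded the delimiter.

```python
from urllib.parse import unquote


def split_request_path(raw_path):
    """Return (decoded_path, params) for a raw, still percent-encoded path.

    Path parameters are cut at literal ';' characters first; percent-decoding
    happens afterwards, so an encoded "%3b" ends up as data in the path.
    """
    segments, params = [], {}
    for segment in raw_path.split("/"):
        name, *raw_params = segment.split(";")  # only a literal ';' delimits
        for p in raw_params:
            key, _, value = p.partition("=")
            if key:
                params[unquote(key)] = unquote(value)
        segments.append(unquote(name))  # decode after splitting
    return "/".join(segments), params


def has_encoded_session_param(raw_path, name="jsessionid"):
    """True when the decoded path still carries ';<name>=', meaning the client
    percent-encoded the delimiter and the parameter was never stripped."""
    decoded_path, _ = split_request_path(raw_path)
    return (";" + name + "=") in decoded_path.lower()


# Constructed sample inputs; the session id is the one quoted in the thread.
SID = "BF18D19ED62BB5F78E519018E618FB64"
ENCODED = "/app/main%3bjsessionid=" + SID
LITERAL = "/app/main;jsessionid=" + SID

if __name__ == "__main__":
    for raw in (ENCODED, LITERAL):
        print(raw, "->", split_request_path(raw), has_encoded_session_param(raw))
```

With the encoded form the application sees a resource name that still contains ";jsessionid=...", which matches the resource-resolution problem described in the question.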
