Jetty

jsessionid encoded into url when not needed

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: None
  • Component/s: Servlet
  • Labels:
    None
  • Testcase included:
    yes
  • Patch Submitted:
    Yes
  • Number of attachments :
    1

Description

When a browser first hits our app, say "/context", our app redirects them to "/context/search.htm".

However, because this is the first request, no session cookie was coming in, so the URL gets encoded with it, e.g. "/context/search.htm?jsessionid=x".

URL encoding the jsessionid might make sense for browsers with cookies turned off, but in the same response that has the redirect url "...?jsessionid=x" there is a Set-Cookie header with "jsessionid=x" in it as well.

Because the browser is already being told what the session id is via the cookie, I think it is redundant to encode it in the URL. Plus we have some users complaining about it.

So, I've attached a patch that short circuits jessionid url encoding at the same place it does the "is cookie in request" check by adding a "is cooking in response" check as well.

This seems to work pretty well. Let me know if my logic is flawed here or I'm missing something.

Otherwise, I'd appreciate the patch being applied. Refactoring it as needed would be appreciated as well--I wasn't sure about the best practice way to do this, and so just guessed at what would work.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Stephen Haberman added a comment -

Hm. Well, thinking about it, I can see why you are sending the session id in both the query string and the cookie--because you don't know if the browser will accept the cookie or not.

Nonetheless, this jsessionid in the query string bothers people using our app, making them think their session is insecure. I'll look around some more for best practice on keeping jsessionid from getting into the url. Pointers would be appreciated.

Show
Stephen Haberman added a comment - Hm. Well, thinking about it, I can see why you are sending the session id in both the query string and the cookie--because you don't know if the browser will accept the cookie or not. Nonetheless, this jsessionid in the query string bothers people using our app, making them think their session is insecure. I'll look around some more for best practice on keeping jsessionid from getting into the url. Pointers would be appreciated.
Hide
Permalink
Stephen Haberman added a comment -

Okay, after settling down after my initial "no jsessionid in the url" victory, it does seem Jetty is doing the right thing here. We'll just try to handle this better in our app. Apologies for the noise.

Show
Stephen Haberman added a comment - Okay, after settling down after my initial "no jsessionid in the url" victory, it does seem Jetty is doing the right thing here. We'll just try to handle this better in our app. Apologies for the noise.
Stephen Haberman made changes -
Field Original Value New Value
Status Open [ 1 ] Resolved [ 5 ]
Resolution Won't Fix [ 2 ]
Hide
Permalink
Greg Wilkins added a comment -

Stephen,

no problem!

You can always do a redirect yourself without encoding the URL, and that way test to see if cookies are supported or not.
cheers

Show
Greg Wilkins added a comment - Stephen, no problem! You can always do a redirect yourself without encoding the URL, and that way test to see if cookies are supported or not. cheers
Hide
Permalink
Greg Wilkins added a comment -

I'll provide a way to disable URL rewriting.

Show
Greg Wilkins added a comment - I'll provide a way to disable URL rewriting.
Greg Wilkins made changes -
Resolution Won't Fix [ 2 ]
Status Resolved [ 5 ] Reopened [ 4 ]
Hide
Permalink
Greg Wilkins added a comment -

you can now set the session URL prefix to null or "none" via context init parameter or API to disable URL rewriting.

Show
Greg Wilkins added a comment - you can now set the session URL prefix to null or "none" via context init parameter or API to disable URL rewriting.
Greg Wilkins made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]

People

  • Assignee:
    Unassigned
    Reporter:
    Stephen Haberman
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: