Jetty

Respect jsessionid from URL over cookie

Details

  • Type: Improvement Improvement
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Won't Fix
  • Affects Version/s: 6.1.5
  • Fix Version/s: None
  • Component/s: Servlet
  • Labels:
    None
  • Number of attachments :
    0

Description

When jsessionid is provided in both URL and cookie, org.mortbay.jetty.servlet.SessionHandler
could prefer url version over the one provided in cookie.

Although this is not Jetty's problem by no means, this would help to solve Firefox / Flash application file upload
problem discussed eg. in http://thanksmister.com/?p=59. Unfortunately Flash seems to send jsessionid
cookies from old sessions (during file upload only). Manually encoding jsessionid to URL is a suggested
workaround but it does not work with Jetty since Jetty picks up the id from cookie first and never looks to URL
if one is found from cookie.

I doubt there will be a Flash or Firefox fix for this anytime soon.

Would there be other implications overlooked by me if the order were
changed to prefer URL encoded jsessionid's?

Thanks,
– Nikla

Activity

Hide
Permalink
Greg Wilkins added a comment -

Sorry but this behavior is specified by the servlet spec and we can't really change it.

We do allow session cookies to be disabled and we are implementing disabling of url sessions (see JETTY-467),
but I don't think changing the priority if both are enabled is a good thing.

Show
Greg Wilkins added a comment - Sorry but this behavior is specified by the servlet spec and we can't really change it. We do allow session cookies to be disabled and we are implementing disabling of url sessions (see JETTY-467 ), but I don't think changing the priority if both are enabled is a good thing.

People

  • Assignee:
    Unassigned
    Reporter:
    Nikla Ratinen
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: