[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3018) Tomcat appending jsessionid to URLs breaks page fragment cache
11:47 a.m.
Tomcat appending jsessionid to URLs breaks page fragment cache
--------------------------------------------------------------
Key: JBSEAM-3018
URL: http://jira.jboss.com/jira/browse/JBSEAM-3018
Project: Seam
Issue Type: Task
Components: JSF Integration
Reporter: Christian Bauer
Priority: Critical
Tomcat/JSF encodes URLs and, even if cookies are enabled, sometimes appends a JSESSIONID
parameter. If you request a page fragment, your session id is encoded into the rendered
URLs. If I then later retrieve that fragment from the cache, I get your session. This is a
critical issue, I'll look for a workaround, if that's not possible, we need to
document it.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:19 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3018) Tomcat appending jsessionid to URLs breaks page fragment cache
[ http://jira.jboss.com/jira/browse/JBSEAM-3018?page=comments#action_12413489 ]
Christian Bauer commented on JBSEAM-3018:
-----------------------------------------
When a GET hits the server with no session cookie or id, Tomcat creates a new session and
sets the cookie:
Set-Cookie: JSESSIONID=2978A7FABFF3DB35BE622290E1294CDE; Path=/
It then also encodes all URLs on a page with jsessionid. Without further proof, this seems
to be required because Tomcat, at this point, does not know if the browser supports
cookies. So the next GET (with both cookie and URL parameter) is required to decide if
cookies are OK or not.
The only solution would be to globally disable URL rewriting and force usage of cookies.
You can not disable URL rewriting in Tomcat. It seems to be hardcoded. All workarounds
I've found so far are not acceptable (filters that parse HTML, etc).
Tomcat appending jsessionid to URLs breaks page fragment cache
--------------------------------------------------------------
Key: JBSEAM-3018
URL: http://jira.jboss.com/jira/browse/JBSEAM-3018
Project: Seam
Issue Type: Task
Components: JSF Integration
Reporter: Christian Bauer
Priority: Critical
Tomcat/JSF encodes URLs and, even if cookies are enabled, sometimes appends a JSESSIONID
parameter. If you request a page fragment, your session id is encoded into the rendered
URLs. If I then later retrieve that fragment from the cache, I get your session. This is a
critical issue, I'll look for a workaround, if that's not possible, we need to
document it.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:49 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3018) Tomcat appending jsessionid to URLs breaks page fragment cache
[ http://jira.jboss.com/jira/browse/JBSEAM-3018?page=comments#action_12413517 ]
Christian Bauer commented on JBSEAM-3018:
-----------------------------------------
Workaround is this filter:
@Startup
@Scope(ScopeType.APPLICATION)
@Name("wikiUrlSessionIdFilter")
@BypassInterceptors
@Filter
public class WikiUrlSessionIdFilter extends AbstractFilter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
if (!(req instanceof HttpServletRequest)) {
chain.doFilter(req, res);
return;
}
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
// Redirect requests with JSESSIONID in URL to clean version (old links
bookmarked/stored by bots)
// This is ONLY triggered if the request did not also contain a JSESSIONID cookie!
Which should be fine for bots...
if (request.isRequestedSessionIdFromURL()) {
response.sendError(
HttpServletResponse.SC_MOVED_PERMANENTLY,
request.getRequestURL().append("?").append(request.getQueryString()).toString()
);
return;
}
// Prevent rendering of JSESSIONID in URLs for all outgoing links
HttpServletResponseWrapper wrappedResponse =
new HttpServletResponseWrapper(response) {
@Override
public String encodeRedirectUrl(String url) {
return url;
}
@Override
public String encodeRedirectURL(String url) {
return url;
}
@Override
public String encodeUrl(String url) {
return url;
}
@Override
public String encodeURL(String url) {
return url;
}
};
chain.doFilter(req, wrappedResponse);
}
}
This effectively disables URL rewriting. That also means the site no longer works without
cookies, so for a good user experience, an additional cookie check is needed.
Tomcat appending jsessionid to URLs breaks page fragment cache
--------------------------------------------------------------
Key: JBSEAM-3018
URL: http://jira.jboss.com/jira/browse/JBSEAM-3018
Project: Seam
Issue Type: Task
Components: JSF Integration
Reporter: Christian Bauer
Priority: Critical
Tomcat/JSF encodes URLs and, even if cookies are enabled, sometimes appends a JSESSIONID
parameter. If you request a page fragment, your session id is encoded into the rendered
URLs. If I then later retrieve that fragment from the cache, I get your session. This is a
critical issue, I'll look for a workaround, if that's not possible, we need to
document it.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:04 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3018) Tomcat appending jsessionid to URLs breaks page fragment cache
[ http://jira.jboss.com/jira/browse/JBSEAM-3018?page=comments#action_12413526 ]
Christian Bauer commented on JBSEAM-3018:
-----------------------------------------
Workaround is this filter:
@Startup
@Scope(ScopeType.APPLICATION)
@Name("wikiUrlSessionIdFilter")
@BypassInterceptors
@Filter
public class WikiUrlSessionIdFilter extends AbstractFilter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
if (!(req instanceof HttpServletRequest)) {
chain.doFilter(req, res);
return;
}
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
// Redirect requests with JSESSIONID in URL to clean version (old links
bookmarked/stored by bots)
// This is ONLY triggered if the request did not also contain a JSESSIONID cookie!
Which should be fine for bots...
if (request.isRequestedSessionIdFromURL()) {
String url = request.getRequestURL()
.append(request.getQueryString() != null ?
"?"+request.getQueryString() : "")
.toString();
// TODO: The url is clean, at least in Tomcat, which strips out the JSESSIONID
path parameter automatically (Jetty does not?!)
response.setHeader("Location", url);
response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
return;
}
// Prevent rendering of JSESSIONID in URLs for all outgoing links
HttpServletResponseWrapper wrappedResponse =
new HttpServletResponseWrapper(response) {
@Override
public String encodeRedirectUrl(String url) {
return url;
}
@Override
public String encodeRedirectURL(String url) {
return url;
}
@Override
public String encodeUrl(String url) {
return url;
}
@Override
public String encodeURL(String url) {
return url;
}
};
chain.doFilter(req, wrappedResponse);
}
}
This effectively disables URL rewriting. That also means the site no longer works without
cookies, so for a good user experience, an additional cookie check is needed.
Tomcat appending jsessionid to URLs breaks page fragment cache
--------------------------------------------------------------
Key: JBSEAM-3018
URL: http://jira.jboss.com/jira/browse/JBSEAM-3018
Project: Seam
Issue Type: Task
Components: JSF Integration
Reporter: Christian Bauer
Priority: Critical
Tomcat/JSF encodes URLs and, even if cookies are enabled, sometimes appends a JSESSIONID
parameter. If you request a page fragment, your session id is encoded into the rendered
URLs. If I then later retrieve that fragment from the cache, I get your session. This is a
critical issue, I'll look for a workaround, if that's not possible, we need to
document it.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:04 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-3018) Tomcat appending jsessionid to URLs breaks page fragment cache
[ http://jira.jboss.com/jira/browse/JBSEAM-3018?page=all ]
Christian Bauer updated JBSEAM-3018:
------------------------------------
Comment: was deleted
Tomcat appending jsessionid to URLs breaks page fragment cache
--------------------------------------------------------------
Key: JBSEAM-3018
URL: http://jira.jboss.com/jira/browse/JBSEAM-3018
Project: Seam
Issue Type: Task
Components: JSF Integration
Reporter: Christian Bauer
Priority: Critical
Tomcat/JSF encodes URLs and, even if cookies are enabled, sometimes appends a JSESSIONID
parameter. If you request a page fragment, your session id is encoded into the rendered
URLs. If I then later retrieve that fragment from the cache, I get your session. This is a
critical issue, I'll look for a workaround, if that's not possible, we need to
document it.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:26 a.m.
New subject: [JBoss JIRA] Commented: (JBSEAM-3018) Tomcat appending jsessionid to URLs breaks page fragment cache
[
https://jira.jboss.org/jira/browse/JBSEAM-3018?page=com.atlassian.jira.pl...
]
Brett Cave commented on JBSEAM-3018:
------------------------------------
We are using Tuckey urlrewrite-3.2
web.xml:
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
urlrewrite.xml
<!-- remove jsessionids for crawlers -->
<outbound-rule enabled="true" encodefirst="true">
<name>Strip URL Session IDs</name>
<from>^(.*);jsessionid=(.*)$</from>
<to>$1</to>
</outbound-rule>
Tomcat appending jsessionid to URLs breaks page fragment cache
--------------------------------------------------------------
Key: JBSEAM-3018
URL: https://jira.jboss.org/jira/browse/JBSEAM-3018
Project: Seam
Issue Type: Task
Components: JSF Integration
Reporter: Christian Bauer
Priority: Critical
Tomcat/JSF encodes URLs and, even if cookies are enabled, sometimes appends a JSESSIONID
parameter. If you request a page fragment, your session id is encoded into the rendered
URLs. If I then later retrieve that fragment from the cache, I get your session. This is a
critical issue, I'll look for a workaround, if that's not possible, we need to
document it.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5164
days inactive
5880
days old
5 comments
2 participants
participants (2)
-
Brett Cave (JIRA) -
Christian Bauer (JIRA)