jsession cookie path set to / - undertow-dev - Jboss List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

jsession cookie path set to /

Undertow API Review

cached authenticated sessions

Bill Burke

Thursday, 14 November 2013 Thu, 14 Nov '13

8:58 a.m.

the JSESSION cookie path seems to be set to '/'. This will bleed sessionids between deployed WARs. I think it bleeds cached sessions too? I'll log a bug unless it is by design. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Reply

Show replies by date

Stuart Douglas

Thursday, 14 November Thu, 14 Nov

10:52 a.m.

This does sound like a bug. Stuart ----- Original Message -----

From: "Bill Burke" <bburke(a)redhat.com> To: undertow-dev(a)lists.jboss.org Sent: Thursday, 14 November, 2013 3:58:00 PM Subject: [undertow-dev] jsession cookie path set to / the JSESSION cookie path seems to be set to '/'. This will bleed sessionids between deployed WARs. I think it bleeds cached sessions too? I'll log a bug unless it is by design. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Nick Scavelli

2:22 p.m.

There should be an option to set it to something. I believe this is the sessionCookiePath setting in tomcat. I know we set it to "/" for portal. On 11/14/2013 11:52 AM, Stuart Douglas wrote:

This does sound like a bug. Stuart ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com> > To: undertow-dev(a)lists.jboss.org > Sent: Thursday, 14 November, 2013 3:58:00 PM > Subject: [undertow-dev] jsession cookie path set to / > > the JSESSION cookie path seems to be set to '/'. This will bleed > sessionids between deployed WARs. I think it bleeds cached sessions too? > > I'll log a bug unless it is by design. > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > undertow-dev mailing list > undertow-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev > _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Bill Burke

2:35 p.m.

Should at least default to the context path. On 11/14/2013 3:22 PM, Nick Scavelli wrote:

There should be an option to set it to something. I believe this is the sessionCookiePath setting in tomcat. I know we set it to "/" for portal. On 11/14/2013 11:52 AM, Stuart Douglas wrote: > This does sound like a bug. > > Stuart > > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com> >> To: undertow-dev(a)lists.jboss.org >> Sent: Thursday, 14 November, 2013 3:58:00 PM >> Subject: [undertow-dev] jsession cookie path set to / >> >> the JSESSION cookie path seems to be set to '/'. This will bleed >> sessionids between deployed WARs. I think it bleeds cached sessions >> too? >> >> I'll log a bug unless it is by design. >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> undertow-dev mailing list >> undertow-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/undertow-dev >> > _______________________________________________ > undertow-dev mailing list > undertow-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Reply

Nick Scavelli

2:46 p.m.

Right, I was just stating the need to be able to set it to something other then the context path. I don't know if undertow has this feature (to set it to something else). On 11/14/2013 03:35 PM, Bill Burke wrote:

Should at least default to the context path. On 11/14/2013 3:22 PM, Nick Scavelli wrote: > There should be an option to set it to something. I believe this is the > sessionCookiePath setting in tomcat. I know we set it to "/" for portal. > > On 11/14/2013 11:52 AM, Stuart Douglas wrote: >> This does sound like a bug. >> >> Stuart >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com> >>> To: undertow-dev(a)lists.jboss.org >>> Sent: Thursday, 14 November, 2013 3:58:00 PM >>> Subject: [undertow-dev] jsession cookie path set to / >>> >>> the JSESSION cookie path seems to be set to '/'. This will bleed >>> sessionids between deployed WARs. I think it bleeds cached sessions >>> too? >>> >>> I'll log a bug unless it is by design. >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> undertow-dev mailing list >>> undertow-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>> >> _______________________________________________ >> undertow-dev mailing list >> undertow-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/undertow-dev >

Reply

Stuart Douglas

3:50 p.m.

The option already exists, via jboss-web.xml for a deployment, or for all deployments in wildfly. This is just a one liner in wildfly to make it default to the context path. Stuart ----- Original Message -----

From: "Nick Scavelli" <nscavell(a)redhat.com> To: "Stuart Douglas" <sdouglas(a)redhat.com>, "Bill Burke" <bburke(a)redhat.com> Cc: undertow-dev(a)lists.jboss.org Sent: Thursday, 14 November, 2013 9:22:59 PM Subject: Re: [undertow-dev] jsession cookie path set to / There should be an option to set it to something. I believe this is the sessionCookiePath setting in tomcat. I know we set it to "/" for portal. On 11/14/2013 11:52 AM, Stuart Douglas wrote: > This does sound like a bug. > > Stuart > > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com> >> To: undertow-dev(a)lists.jboss.org >> Sent: Thursday, 14 November, 2013 3:58:00 PM >> Subject: [undertow-dev] jsession cookie path set to / >> >> the JSESSION cookie path seems to be set to '/'. This will bleed >> sessionids between deployed WARs. I think it bleeds cached sessions too? >> >> I'll log a bug unless it is by design. >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> undertow-dev mailing list >> undertow-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/undertow-dev >> > _______________________________________________ > undertow-dev mailing list > undertow-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Bill Burke

4:25 p.m.

Shouldn't it default to the context path? That is the default for JBoss Web/AS7/EAP6 On 11/14/2013 4:50 PM, Stuart Douglas wrote:

The option already exists, via jboss-web.xml for a deployment, or for all deployments in wildfly. This is just a one liner in wildfly to make it default to the context path. Stuart ----- Original Message ----- > From: "Nick Scavelli" <nscavell(a)redhat.com> > To: "Stuart Douglas" <sdouglas(a)redhat.com>, "Bill Burke" <bburke(a)redhat.com> > Cc: undertow-dev(a)lists.jboss.org > Sent: Thursday, 14 November, 2013 9:22:59 PM > Subject: Re: [undertow-dev] jsession cookie path set to / > > There should be an option to set it to something. I believe this is the > sessionCookiePath setting in tomcat. I know we set it to "/" for portal. > > On 11/14/2013 11:52 AM, Stuart Douglas wrote: >> This does sound like a bug. >> >> Stuart >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com> >>> To: undertow-dev(a)lists.jboss.org >>> Sent: Thursday, 14 November, 2013 3:58:00 PM >>> Subject: [undertow-dev] jsession cookie path set to / >>> >>> the JSESSION cookie path seems to be set to '/'. This will bleed >>> sessionids between deployed WARs. I think it bleeds cached sessions too? >>> >>> I'll log a bug unless it is by design. >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> undertow-dev mailing list >>> undertow-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>> >> _______________________________________________ >> undertow-dev mailing list >> undertow-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/undertow-dev > >

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Reply

Stuart Douglas

4:26 p.m.

It should, when I said a one liner I mean't it was a one liner to fix the bug... Stuart ----- Original Message -----

From: "Bill Burke" <bburke(a)redhat.com> To: "Stuart Douglas" <sdouglas(a)redhat.com>, "Nick Scavelli" <nscavell(a)redhat.com> Cc: undertow-dev(a)lists.jboss.org Sent: Thursday, 14 November, 2013 11:25:29 PM Subject: Re: [undertow-dev] jsession cookie path set to / Shouldn't it default to the context path? That is the default for JBoss Web/AS7/EAP6 On 11/14/2013 4:50 PM, Stuart Douglas wrote: > The option already exists, via jboss-web.xml for a deployment, or for all > deployments in wildfly. This is just a one liner in wildfly to make it > default to the context path. > > Stuart > > ----- Original Message ----- >> From: "Nick Scavelli" <nscavell(a)redhat.com> >> To: "Stuart Douglas" <sdouglas(a)redhat.com>, "Bill Burke" >> <bburke(a)redhat.com> >> Cc: undertow-dev(a)lists.jboss.org >> Sent: Thursday, 14 November, 2013 9:22:59 PM >> Subject: Re: [undertow-dev] jsession cookie path set to / >> >> There should be an option to set it to something. I believe this is the >> sessionCookiePath setting in tomcat. I know we set it to "/" for portal. >> >> On 11/14/2013 11:52 AM, Stuart Douglas wrote: >>> This does sound like a bug. >>> >>> Stuart >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" <bburke(a)redhat.com> >>>> To: undertow-dev(a)lists.jboss.org >>>> Sent: Thursday, 14 November, 2013 3:58:00 PM >>>> Subject: [undertow-dev] jsession cookie path set to / >>>> >>>> the JSESSION cookie path seems to be set to '/'. This will bleed >>>> sessionids between deployed WARs. I think it bleeds cached sessions >>>> too? >>>> >>>> I'll log a bug unless it is by design. >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> undertow-dev mailing list >>>> undertow-dev(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>>> >>> _______________________________________________ >>> undertow-dev mailing list >>> undertow-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/undertow-dev >> >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Reply

Bill Burke

6:11 p.m.

Undertow ignores the following code when invoking within a ServletExtension: ServletSessionConfig cookieConfig = new ServletSessionConfig(); cookieConfig.setPath(deploymentInfo.getContextPath()); deploymentInfo.setServletSessionConfig(cookieConfig); At least Beta20 does (the one in wildfly master). Haven't tested against master. On 11/14/2013 5:26 PM, Stuart Douglas wrote:

It should, when I said a one liner I mean't it was a one liner to fix the bug... Stuart ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com> > To: "Stuart Douglas" <sdouglas(a)redhat.com>, "Nick Scavelli" <nscavell(a)redhat.com> > Cc: undertow-dev(a)lists.jboss.org > Sent: Thursday, 14 November, 2013 11:25:29 PM > Subject: Re: [undertow-dev] jsession cookie path set to / > > Shouldn't it default to the context path? That is the default for JBoss > Web/AS7/EAP6 > > > On 11/14/2013 4:50 PM, Stuart Douglas wrote: >> The option already exists, via jboss-web.xml for a deployment, or for all >> deployments in wildfly. This is just a one liner in wildfly to make it >> default to the context path. >> >> Stuart >> >> ----- Original Message ----- >>> From: "Nick Scavelli" <nscavell(a)redhat.com> >>> To: "Stuart Douglas" <sdouglas(a)redhat.com>, "Bill Burke" >>> <bburke(a)redhat.com> >>> Cc: undertow-dev(a)lists.jboss.org >>> Sent: Thursday, 14 November, 2013 9:22:59 PM >>> Subject: Re: [undertow-dev] jsession cookie path set to / >>> >>> There should be an option to set it to something. I believe this is the >>> sessionCookiePath setting in tomcat. I know we set it to "/" for portal. >>> >>> On 11/14/2013 11:52 AM, Stuart Douglas wrote: >>>> This does sound like a bug. >>>> >>>> Stuart >>>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" <bburke(a)redhat.com> >>>>> To: undertow-dev(a)lists.jboss.org >>>>> Sent: Thursday, 14 November, 2013 3:58:00 PM >>>>> Subject: [undertow-dev] jsession cookie path set to / >>>>> >>>>> the JSESSION cookie path seems to be set to '/'. This will bleed >>>>> sessionids between deployed WARs. I think it bleeds cached sessions >>>>> too? >>>>> >>>>> I'll log a bug unless it is by design. >>>>> >>>>> -- >>>>> Bill Burke >>>>> JBoss, a division of Red Hat >>>>> http://bill.burkecentral.com >>>>> _______________________________________________ >>>>> undertow-dev mailing list >>>>> undertow-dev(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>>>> >>>> _______________________________________________ >>>> undertow-dev mailing list >>>> undertow-dev(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>> >>> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com >

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Reply

Stuart Douglas

Friday, 15 November Fri, 15 Nov

2:31 a.m.

Ah, this appears to be an ordering issue, this is being read in the ServletContext constructor, which is constructed before the extensions are run. I will fix. For now you can use something like: public class SessionCookieConfigListener implements ServletContextListener { @Override public void contextInitialized(final ServletContextEvent sce) { sce.getServletContext().getSessionCookieConfig().setPath("/servletContext"); } @Override public void contextDestroyed(final ServletContextEvent sce) { } } This should be all fixed today, and will hopefully make it into Wildfly very soon. Stuart ----- Original Message -----

From: "Bill Burke" <bburke(a)redhat.com> To: "Stuart Douglas" <sdouglas(a)redhat.com> Cc: "Nick Scavelli" <nscavell(a)redhat.com>, undertow-dev(a)lists.jboss.org Sent: Friday, 15 November, 2013 1:11:32 AM Subject: Re: [undertow-dev] jsession cookie path set to / Undertow ignores the following code when invoking within a ServletExtension: ServletSessionConfig cookieConfig = new ServletSessionConfig(); cookieConfig.setPath(deploymentInfo.getContextPath()); deploymentInfo.setServletSessionConfig(cookieConfig); At least Beta20 does (the one in wildfly master). Haven't tested against master. On 11/14/2013 5:26 PM, Stuart Douglas wrote: > It should, when I said a one liner I mean't it was a one liner to fix the > bug... > > Stuart > > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com> >> To: "Stuart Douglas" <sdouglas(a)redhat.com>, "Nick Scavelli" >> <nscavell(a)redhat.com> >> Cc: undertow-dev(a)lists.jboss.org >> Sent: Thursday, 14 November, 2013 11:25:29 PM >> Subject: Re: [undertow-dev] jsession cookie path set to / >> >> Shouldn't it default to the context path? That is the default for JBoss >> Web/AS7/EAP6 >> >> >> On 11/14/2013 4:50 PM, Stuart Douglas wrote: >>> The option already exists, via jboss-web.xml for a deployment, or for all >>> deployments in wildfly. This is just a one liner in wildfly to make it >>> default to the context path. >>> >>> Stuart >>> >>> ----- Original Message ----- >>>> From: "Nick Scavelli" <nscavell(a)redhat.com> >>>> To: "Stuart Douglas" <sdouglas(a)redhat.com>, "Bill Burke" >>>> <bburke(a)redhat.com> >>>> Cc: undertow-dev(a)lists.jboss.org >>>> Sent: Thursday, 14 November, 2013 9:22:59 PM >>>> Subject: Re: [undertow-dev] jsession cookie path set to / >>>> >>>> There should be an option to set it to something. I believe this is the >>>> sessionCookiePath setting in tomcat. I know we set it to "/" for portal. >>>> >>>> On 11/14/2013 11:52 AM, Stuart Douglas wrote: >>>>> This does sound like a bug. >>>>> >>>>> Stuart >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Bill Burke" <bburke(a)redhat.com> >>>>>> To: undertow-dev(a)lists.jboss.org >>>>>> Sent: Thursday, 14 November, 2013 3:58:00 PM >>>>>> Subject: [undertow-dev] jsession cookie path set to / >>>>>> >>>>>> the JSESSION cookie path seems to be set to '/'. This will bleed >>>>>> sessionids between deployed WARs. I think it bleeds cached sessions >>>>>> too? >>>>>> >>>>>> I'll log a bug unless it is by design. >>>>>> >>>>>> -- >>>>>> Bill Burke >>>>>> JBoss, a division of Red Hat >>>>>> http://bill.burkecentral.com >>>>>> _______________________________________________ >>>>>> undertow-dev mailing list >>>>>> undertow-dev(a)lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>>>>> >>>>> _______________________________________________ >>>>> undertow-dev mailing list >>>>> undertow-dev(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>>> >>>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Reply

4024

days inactive

4025

days old

undertow-dev@lists.jboss.org

Manage subscription

9 comments

3 participants

tags (0)

participants (3)

Bill Burke
Nick Scavelli
Stuart Douglas