[jboss-jira] [JBoss JIRA] (WFLY-4782) ; jsessionid= in URL not supported
Francesco Pagetti (JIRA)
issues at jboss.org
Sun Jan 24 21:17:00 EST 2016
[ https://issues.jboss.org/browse/WFLY-4782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13152780#comment-13152780 ]
Francesco Pagetti commented on WFLY-4782:
-----------------------------------------
The Jenkins team are aware of the issue
https://issues.jenkins-ci.org/browse/JENKINS-22358
https://github.com/jenkinsci/jenkins/commit/3addbabf8afae39022440d63216a360233dabc80
However, I wonder why the JSESSIONID is there in the first place.
Looking at the source code, I can see that during login the method org.acegisecurity.ui.AbstractProcessingFilter#successfulAuthentication calls org.acegisecurity.ui.AbstractProcessingFilter#sendRedirect, which delegates the resolution of the URL to javax.servlet.http.HttpServletResponse#encodeRedirectURL. According to the spec of encodeRedirectURL:
"Encodes the specified URL for use in the sendRedirect method or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. Because the rules for making this determination can differ from those used to decide whether to encode a normal link, this method is separate from the encodeURL method.
All URLs sent to the HttpServletResponse.sendRedirect method should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies."
In the HttpServletResponse implementation on Tomcat, this method doesn't add the JSESSIONID; in the implementation on Undertow it does. This is why this "bug" occurs mainly on JBoss/Undertow.
The question is: why does encodeRedirectURL on Undertow decide to add the session information to the URL?
> ;jsessionid= in URL not supported
> ---------------------------------
>
> Key: WFLY-4782
> URL: https://issues.jboss.org/browse/WFLY-4782
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 9.0.0.CR2
> Environment: Linux/jdk1.7/mysql
> Reporter: Micheal Delson Nadar
> Assignee: Stuart Douglas
> Priority: Blocker
>
> I get the URL below, with jsessionid, after logging in to my application, and get "Not Found":
> http://xxx.yy.xxx.x:pppp/portal/;jsessionid=dDIsgr_KfIXFBmxvClAWbY2Z.wfstandalone
> If I remove the ;jsessionid=dDIsgr_KfIXFBmxvClAWbY2Z.wfstandalone from the URL then it works fine...
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
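
One way an application can keep the session ID out of redirect URLs regardless of how the container implements encodeRedirectURL, given as an added example that is not part of the original message and is not Jenkins, Acegi or WildFly code. It assumes a Servlet 3.0+ container with the javax.servlet API; the class and filter names are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example (hypothetical class name): keeps the session ID out of URLs,
// where it would otherwise end up in access logs, Referer headers and history.
@WebListener
public class CookieOnlySessionTracking implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Servlet 3.0+: track sessions by cookie only, so the container has
        // no reason to append ;jsessionid= when it encodes a URL.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        // Defence in depth: neutralise the encode* methods for every request.
        // isMatchAfter=false places this filter ahead of declared filters,
        // so a login filter that redirects later sees the wrapped response.
        ctx.addFilter("noUrlSessionId", new NoUrlSessionIdFilter())
           .addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    static final class NoUrlSessionIdFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (res instanceof HttpServletResponse) {
                // Return URLs unchanged instead of letting the container
                // decide whether to rewrite them with the session ID.
                res = new HttpServletResponseWrapper((HttpServletResponse) res) {
                    @Override public String encodeURL(String url) { return url; }
                    @Override public String encodeRedirectURL(String url) { return url; }
                };
            }
            chain.doFilter(req, res);
        }
    }
}
```

The trade-off is the one the quoted Javadoc names: with URL rewriting disabled, a browser that refuses cookies cannot keep a session.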