[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-284) remove_session_route doesn't work as expected with session id in the URL

Radoslav Husar (JIRA) issues at jboss.org
Wed Feb 5 13:34:28 EST 2014


     [ https://issues.jboss.org/browse/MODCLUSTER-284?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Radoslav Husar updated MODCLUSTER-284:
--------------------------------------

    Description: 
Looking at the code of remove_session_route (and trying it) I saw that URLs like these

/test.jsp;jsessionid=1233454532432342.NODE01
/test.jsp;jsessionid=1233454532432342.NODE01?p1=v1&p2=v2
/test.jsp;jsessionid=1233454532432342.NODE01;otherparam=value

are not correctly parsed and the session id is not removed.
Note that it seems the code handles jsessionid as a URL parameter and not as a URL "path parameter" (see for instance http://doriantaylor.com/policy/http-url-path-parameter-syntax).
This is for instance a piece of Tomcat code that does something like what remove_session_route should do (at least in the URL part):
{code}
    /**
     * Strips a servlet session ID from <tt>url</tt>.  The session ID
     * is encoded as a URL "path parameter" beginning with "jsessionid=".
     * We thus remove anything we find between ";jsessionid=" (inclusive)
     * and either EOS or a subsequent ';' (exclusive).
     * 
     * taken from org.apache.taglibs.standard.tag.common.core.ImportSupport
     */
    public static String stripSession(String url) {
        StringBuffer u = new StringBuffer(url);
        int sessionStart;
        while ((sessionStart = u.toString().indexOf(";jsessionid=")) != -1) {
            int sessionEnd = u.toString().indexOf(";", sessionStart + 1);
            if (sessionEnd == -1)
                sessionEnd = u.toString().indexOf("?", sessionStart + 1);
            if (sessionEnd == -1) 				// still
                sessionEnd = u.length();
            u.delete(sessionStart, sessionEnd);
        }
        return u.toString();
    }
{code}

> remove_session_route doesn't work as expected with session id in the URL
> ------------------------------------------------------------------------
>
>                 Key: MODCLUSTER-284
>                 URL: https://issues.jboss.org/browse/MODCLUSTER-284
>             Project: mod_cluster
>          Issue Type: Bug
>    Affects Versions: 1.1.3.Final, 1.2.0.Final
>            Reporter: Stefano Nichele
>            Assignee: Jean-Frederic Clere

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
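
Added example, not part of the original report and not mod_cluster's own code: a C routine (the language of the httpd module) that treats jsessionid as a path parameter and strips it from the three URL forms listed in the report. The name strip_jsessionid and the last two sample URLs are assumptions made for illustration; unlike the quoted Java, it stops at whichever of ';', '/', '?' or '#' comes first and never touches the query string.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mod_cluster's remove_session_route): removes every
 * ";jsessionid=..." path parameter from url in place and returns url.
 * A path parameter ends at the next ';', '/', '?' or '#', whichever comes
 * first, or at end of string. Only the path is scanned, so a "jsessionid"
 * inside the query string or fragment is left alone. */
static char *strip_jsessionid(char *url)
{
    static const char key[] = ";jsessionid=";
    const size_t klen = sizeof(key) - 1;
    char *p = url;

    for (;;) {
        size_t path_len = strcspn(url, "?#");   /* path ends at '?' or '#' */
        char *hit = strstr(p, key);
        if (hit == NULL || (size_t)(hit - url) >= path_len)
            break;                              /* none left in the path */
        char *end = hit + klen + strcspn(hit + klen, ";/?#");
        memmove(hit, end, strlen(end) + 1);     /* close the gap, keep NUL */
        p = hit;                                /* rescan from the cut */
    }
    return url;
}

int main(void)
{
    /* First three URLs are from the report; the last two are constructed. */
    const char *samples[] = {
        "/test.jsp;jsessionid=1233454532432342.NODE01",
        "/test.jsp;jsessionid=1233454532432342.NODE01?p1=v1&p2=v2",
        "/test.jsp;jsessionid=1233454532432342.NODE01;otherparam=value",
        "/test.jsp;jsessionid=1233454532432342.NODE01?p1=v1;p2=v2",
        "/test.jsp?next=/a;jsessionid=42",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char buf[256];
        snprintf(buf, sizeof(buf), "%s", samples[i]);
        printf("%-62s -> %s\n", samples[i], strip_jsessionid(buf));
    }
    return 0;
}
```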

