[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-461) If Session ID key stored in URL contains sticky session cookie name it it used for routing

Radoslav Husar (JIRA) issues at jboss.org
Thu Jul 30 08:24:03 EDT 2015 

    [ https://issues.jboss.org/browse/MODCLUSTER-461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13094213#comment-13094213 ] 

Radoslav Husar commented on MODCLUSTER-461:
-------------------------------------------

The problem can be tracked down to original Apache httpd get_path_param function, which makes use of strstr() to locate the path element. This is indeed wrong and violates RFC.

Also tested this for Cookie-s, the wrongly named cookie is not being picked up by get_cookie_param.
This original problem would not have been even noticed, if modcluster first parsed the cookies which is more common way of specifying the jsession id, fixing in opened MODCLUSTER-462.

On related note, the path_param didn't treat colons correctly either, fixing by MODCLUSTER-285.

> If Session ID key stored in URL contains sticky session cookie name it it used for routing
> ------------------------------------------------------------------------------------------
>
>                 Key: MODCLUSTER-461
>                 URL: https://issues.jboss.org/browse/MODCLUSTER-461
>             Project: mod_cluster
>          Issue Type: Bug
>          Components: Native (httpd modules)
>    Affects Versions: 1.2.9.Final, 1.3.1.Final
>         Environment: Using the stock mod_cluster configuration shipped with EWS/JWS and EAP.
> Enterprise Web Server 2.x and 3.x
> JBoss EAP 6.3 and 6.4
> Used Tomcat sample application.
>            Reporter: Robert Bost
>            Assignee: Radoslav Husar
>              Labels: stickysession
>
> If I make a request with a valid JSESSIONID cookie and a URL like below, the value from the URL is used by mod_cluster for sticky session routing:
> {{curl -b "JSESSIONID=OTg+mUVLRceO2bqRIcsSJmlm.4e6189af-0502-3305-8ff3-fad7fee8b516" -v 'http://myserver/sample/hello.jsp;not.really.jsessionid=oops'}}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

More information about the mod_cluster-issues mailing list