http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419

Session-ID grabbing from Request accepts invalid session cookies in presence of valid URL sessions

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

------- Additional Comments From [EMAIL PROTECTED]  2002-07-03 08:25 -------
No. Just consider the simple case where you have multiple application contexts. All of these contexts have their own cookie, since they are separated. If you always grab the first cookie, then you get a session ID that is not valid in the second context. The problem is that from this (wrong) requestedSessionId() the HttpSession is looked up, thus not found.

Bottom line: you can have only one application context running with cookies. I do not agree that this is not a serious bug!

And the second session cannot even decide to use URL encoding instead, because cookies (even with invalid session IDs) decide there that the session needs not be encoded.

Please reconsider this - or we have to write in the documentation that the Tomcat session handling can only handle sessions correctly if
1) there is only one context involved
2) we _only_ use cookies, since URL encoding is broken since it will only work in certain circumstances.

I can't see why we should neglect this part of the spec!
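The failure mode the comment describes, as an added model written for this page (it is not Tomcat source and does not reproduce Tomcat's internals): two contexts each issue their own JSESSIONID, a request arrives carrying both cookies (assumed here: the cookie paths overlap, e.g. a root context plus a sub-path context, so the browser sends both), and the container must decide which id to look up and whether encodeURL() needs to rewrite the link. The first-cookie selector stands in for the reported behaviour; the known-cookie selector only accepts an id the current context actually issued, which also lets the URL-encoded id through when every cookie is foreign. Cookie values and session ids are constructed sample data.

```python
from typing import Callable, List, Optional, Set, Tuple

JSESSIONID = "JSESSIONID"

# Constructed scenario: /app1 issued A1, /app2 issued B2. The request below is
# aimed at /app2 but carries both cookies.
APP2_SESSIONS: Set[str] = {"B2"}
BOTH_COOKIES = "JSESSIONID=A1; JSESSIONID=B2"
FOREIGN_COOKIE_ONLY = "JSESSIONID=A1"


def parse_cookies(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs, preserving header order."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def requested_id_first_cookie(valid_ids: Set[str], header: str) -> Optional[str]:
    """Behaviour the report complains about: the first JSESSIONID wins, valid or not."""
    for name, value in parse_cookies(header):
        if name == JSESSIONID:
            return value
    return None


def requested_id_known_cookie(valid_ids: Set[str], header: str) -> Optional[str]:
    """Hypothetical fix: take the first JSESSIONID that this context issued itself."""
    for name, value in parse_cookies(header):
        if name == JSESSIONID and value in valid_ids:
            return value
    return None


Selector = Callable[[Set[str], str], Optional[str]]


def resolve_session(valid_ids: Set[str], cookie_header: str, url_id: Optional[str],
                    select: Selector) -> Tuple[Optional[str], bool]:
    """Return (session id or None, came_from_cookie).

    A cookie-supplied id is looked up first; only when no cookie id was taken
    does the id carried in the URL (";jsessionid=...") get a chance.
    """
    cookie_id = select(valid_ids, cookie_header)
    if cookie_id is not None:
        return (cookie_id if cookie_id in valid_ids else None, True)
    if url_id is not None and url_id in valid_ids:
        return (url_id, False)
    return (None, False)


def encode_url(url: str, session_id: Optional[str], from_cookie: bool) -> str:
    """Rewrite the link only when the session was not established via a cookie.

    With the first-cookie selector a foreign, invalid cookie still sets
    from_cookie=True, so the link is never rewritten and the URL session is lost.
    """
    if from_cookie or session_id is None:
        return url
    return f"{url};jsessionid={session_id}"


def demo(select: Selector) -> Tuple[Optional[str], str]:
    """Run the /app2 request with a foreign cookie and a valid URL id through a selector."""
    sid, from_cookie = resolve_session(APP2_SESSIONS, FOREIGN_COOKIE_ONLY, "B2", select)
    return sid, encode_url("/app2/next", sid, from_cookie)


if __name__ == "__main__":
    print("first cookie :", demo(requested_id_first_cookie))   # (None, '/app2/next')
    print("known cookie :", demo(requested_id_known_cookie))   # ('B2', '/app2/next;jsessionid=B2')
```

Running the model shows both halves of the complaint: with the first-cookie rule the /app2 request finds no session even though a valid id is present in the URL, and because a cookie (the wrong one) was seen, encode_url() declines to rewrite, so URL tracking cannot be used as a fallback. Restricting the cookie lookup to ids the context issued fixes both at once. Note that the check is a membership test against the context's own session table, not a format check on the cookie value, so an attacker-supplied but well-formed id is rejected the same way a foreign context's id is.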