Dear Christopher,

On further debugging, I found out that the difference is seen between 6.0.32
(same behavior as in 6.0.28 reported earlier) and 6.0.33 (same as in 7.0.54
reported earlier). I could not figure out which change (as mentioned in the link
https://tomcat.apache.org/tomcat-6.0-doc/changelog.html) has caused this
difference.

Steps to reproduce it:
1. Untar tomcat versions (Tomcat V6.0.32 and Tomcat V6.0.33)
2. Enable access log by uncommenting 'AccessLogValve' in conf/server.xml
   as shown below

   <Valve className="org.apache.catalina.valves.AccessLogValve"
          directory="${catalina.base}/logs"
          prefix="localhost_access_log." suffix=".txt" pattern="common"
          resolveHosts="false"/>

3. Deploy a simple web application (login.jsp) in Tomcat.

   // login.jsp in tomcat
   <html>
   <body>
   <%
       String str = request.getRequestURI();
       System.out.println(str);
       out.println(str);
   %>
   </body>
   </html>

4. Start tomcat
5. Run client wget to execute the login.jsp
6. View access log file entry

-----Original Message-----
From: Christopher Schultz [mailto:[email protected]]
Sent: Tuesday, July 21, 2015 8:47 PM
To: Tomcat Users List
Subject: Re: Tomcat 7 (7.0.54) Login URL is Passing with JSESSION ID. | why
there is different behaviour in Tomcat 6 and Tomcat 7
Rahul,
On 7/21/15 6:38 AM, Rahul Kumar Singh wrote:
> ";jsessionid=C1A67FB90E1300DF14EE027A3634A34B" passed in URL
> "localhost:8080/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B"
> is not received in tomcat 6(V6.0.28). It is received in tomcat
> 7(V7.0.54). What is reason for the different behavior?
I'm not sure why the change in behavior, but when a client requests a protected
resource, the container has to redirect that client to the login page.
Before the redirect, a session is created to hold the saved-request to the
originally-requested protected resource. This session id needs to be preserved.
If the container can't tell if the client supports cookie-based session
tracking, it must encode the session id in the login URL just in case. You'll
find that, if you use a browser with cookies enabled, after the login page
there will be no jsessionid path parameters in your URLs.
Is the presence of the jsessionid path parameter a problem for you?
(And at this point, it's really a good idea to start planning your upgrade path
to Tomcat 8, which is quite reliable and stable. Tomcat 6 will EOL 2016-12-31:
http://tomcat.apache.org/tomcat-60-eol.html)
-chris
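
The access-log check from step 6 of the reproduction, as an added example that is not part of the original thread: it parses lines written with pattern="common" and reports requests whose path carries a ;jsessionid= path parameter, with the ID redacted. The log lines are constructed, the session ID is the one quoted in the thread, and the names scan_line and scan_log are hypothetical.

```python
import re

# Common Log Format, as written by AccessLogValve with pattern="common":
#   host ident user [time] "METHOD URI PROTOCOL" status bytes
CLF = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+)(?: [^"]*)?" \d{3} \S+$'
)
# A path parameter ends at the next ';' or '/' (the query is split off first).
JSESSIONID = re.compile(r';jsessionid=([^;/]*)', re.IGNORECASE)

# Constructed sample lines; the ID is the one quoted in the thread.
SAMPLE_LINES = [
    '127.0.0.1 - - [22/Jul/2015:10:15:01 +0530] "GET '
    '/login.jsp;jsessionid=C1A67FB90E1300DF14EE027A3634A34B HTTP/1.0" 200 63',
    '127.0.0.1 - - [22/Jul/2015:10:15:07 +0530] "GET /login.jsp HTTP/1.0" 200 29',
    # jsessionid inside the query string is not a path parameter
    '127.0.0.1 - - [22/Jul/2015:10:15:09 +0530] '
    '"GET /login.jsp?next=;jsessionid=x HTTP/1.0" 200 29',
]

def scan_line(line):
    """Return (redacted_line, [session ids]) or None if the line is not CLF."""
    line = line.strip()
    m = CLF.match(line)
    if m is None:
        return None
    path, sep, query = m.group('uri').partition('?')
    ids = JSESSIONID.findall(path)
    redacted = JSESSIONID.sub(';jsessionid=[REDACTED]', path) + sep + query
    start, end = m.span('uri')
    return line[:start] + redacted + line[end:], ids

def scan_log(lines):
    """Return (line number, redacted line) for each line carrying an ID."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = scan_line(line)
        if result and result[1]:
            hits.append((number, result[0]))
    return hits

if __name__ == '__main__':
    for number, line in scan_log(SAMPLE_LINES):
        print(number, line)
```

Running it over the localhost_access_log file of each Tomcat version gives a direct comparison of which one records the path parameter.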