
Tomcat 7/8 breaks session stickiness with ;jsessionid= followed by /


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • JWS 3.0.1 DR2
    • JWS 3.0.0 ER1
    • tomcat7, tomcat8
    • Release Notes:
      If a `/` is included after a `jsessionid` in a URL, this may result in Tomcat 7 and Tomcat 8 failing to maintain the client session. In this situation, Tomcat fails to understand the `jsessionid` string and creates a new `jsessionid`.

      This issue is currently under investigation.
    • Documented as Known Issue
      Play with URLs.

      There is a test that plays with various URLs. The Tomcat server is expected to maintain the session even if the client has cookies disabled and keeps the jsessionid in the URL. Apparently, whenever there is a `/` after the jsessionid, Tomcat fails to understand the jsessionid string and creates a new jsessionid, i.e. the client's context is lost.

      I think this might be a bug in Tomcat, because EAP 6.4 (jbossweb-7.5.7.Final) does not have this problem – all URLs pass the test with EAP 6.4. The test web app is the same.

      Here is a list of URLs that either keep or break the session with Tomcat 7/8 (I substituted actual long jsessionids with 'SNIP'):
      app?test=yes
      app/session;jsessionid=SNIP.tomcat-7-1
      app/session;jsessionid=SNIP.tomcat-7-1/
      app/session;jsessionid=SNIP.tomcat-7-1?test=yes
      app/session;jsessionid=SNIP.tomcat-7-1/?test=yes
      app/session;jsessionid=SNIP.tomcat-7-1/?test=OK;test2=yes
      app/session;jsessionid=SNIP.tomcat-7-1?test=OK;test2=yes
      app/session;jsessionid=SNIP.tomcat-7-1/&;?test=OK
      app/session;jsessionid=SNIP.tomcat-7-1?;?test=OK
      app/session;jsessionid=SNIP.tomcat-7-1?;?=44&test=OK
      app/session;jsessionid=SNIP.tomcat-7-1?;?=44&test=OK;GGGG=3
      app/session;jsessionid=SNIP.tomcat-7-1//?;?=44&test=OK;GGGG=3
      app/session;jsessionid=SNIP.tomcat-7-1//?;?=44&test=OK;GGGG=3&&&&&&&&&&&&&&&&&&&&&&&&&&&&777=666
      app/session;jsessionid=SNIP.tomcat-7-1?X=1+1
      app/session;jsessionid=SNIP.tomcat-7-1?X=1%2B1
      app/session;jsessionid=SNIP.tomcat-7-1?X=%E2%98%BB
      app/session;jsessionid=SNIP.tomcat-7-1?%E2%98%B9=%E2%98%BB
      app/session;jsessionid=SNIP.tomcat-7-1?image=Pep%E3%83%BCsi.jpg&productIdType=ABC
      app/session;jsessionid=SNIP.tomcat-7-1/this%20is%20space?atr=22&sp%20atr=30
      app/session;jsessionid=SNIP.tomcat-7-1/maps?saddr=Zhitomirskaya,+Pripyat%27,+Kiyevskaya+oblast%27,+Ukraine&daddr=Brno,+Czech+Republic&hl=en&sll=50.289794,23.346185&sspn=7.097999,13.897705&geocode=FdE3EAMd8BDLASnxbgQ-qn0qRzHUMz6baAmRmw%3BFTSo7gIddWb9ACkRUT_AOpQSRzGwsRRmD68ABA&oq=brno&t=h&dirflg=w&mra=ls&z=7

      WDYT?

      Note on mod_cluster

      I picked this up while testing mod_cluster, so I naturally tried a setup comprising:

      • balancer: Apache HTTP Server 2.4.6, mod_cluster 1.3.1, from JWS 3 ER1.1
      • workers: EAP 6.4 ER3

      This setup passes the test with all green, so I would advocate that it is Tomcat that handles URLs differently, not the Apache HTTP Server.
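The behaviour the test above expects, written out as an added example (not code from the issue, from Tomcat or from mod_cluster): a per-segment path-parameter parser with RFC 3986 semantics, run over a constructed subset of the URLs listed in the report. Function names are assumptions of this example; it shows that a parser which attaches `;jsessionid=` to the segment it follows recovers the same id whether or not a `/` comes after it, which is the property the reporter's test checks.

```python
from urllib.parse import unquote

def split_request_uri(uri):
    """Split a request-URI into (decoded path, path parameters, raw query).

    A ';name=value' path parameter belongs to the segment it follows, so
    'app/session;jsessionid=X/' still yields jsessionid=X despite the trailing
    '/'. The query starts at the first '?' and is never scanned for parameters,
    so a ';test2=yes' inside it is left alone.
    """
    path, _, query = uri.partition("?")
    clean_segments, params = [], {}
    for segment in path.split("/"):
        value, *param_parts = segment.split(";")
        clean_segments.append(unquote(value))  # decode only after ';' handling
        for part in param_parts:
            name, _, val = part.partition("=")
            if name:
                params[name] = val
    return "/".join(clean_segments), params, query

def extract_jsessionid(uri):
    """Return the jsessionid path parameter, or None if the URL carries none."""
    return split_request_uri(uri)[1].get("jsessionid")

def session_route(session_id):
    """Return the '.<jvmRoute>' suffix a balancer such as mod_cluster pins on,
    or None when the id carries no route."""
    if session_id is None or "." not in session_id:
        return None
    return session_id.rsplit(".", 1)[1]

# Constructed sample: a subset of the report's list (SNIP stands in for the real id).
SAMPLE_URLS = [
    "app?test=yes",
    "app/session;jsessionid=SNIP.tomcat-7-1",
    "app/session;jsessionid=SNIP.tomcat-7-1/",
    "app/session;jsessionid=SNIP.tomcat-7-1/?test=OK;test2=yes",
    "app/session;jsessionid=SNIP.tomcat-7-1//?;?=44&test=OK;GGGG=3",
    "app/session;jsessionid=SNIP.tomcat-7-1/this%20is%20space?atr=22&sp%20atr=30",
]

def report(urls=SAMPLE_URLS):
    """Map each URL to the session id a per-segment parser recovers from it."""
    return {u: extract_jsessionid(u) for u in urls}

if __name__ == "__main__":
    for url, sid in report().items():
        print(f"{sid!s:18} route={session_route(sid)!s:12} {url}")
```

Running it against a container is then a matter of comparing the id the container echoes back (or the `Set-Cookie` it issues) with what this parser recovers: a fresh id on any of the trailing-`/` URLs is the session loss the report describes.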

Remy Maucherat (rmaucher)
Karm (mbabacek1@redhat.com)
Lucas Costi (Inactive)