stackoom
  简体   繁体   中英

jsessionid as path parameter not working in Tomcat

 原文  2018-02-03 18:26:24       java/ session/ tomcat/ servlets/ jsessionid

Question

I'm using Tomcat 7.0.84, and my web app uses the Servlet 3.0 deployment descriptor. The web.xml file contains this: 

<session-config>
  <cookie-config>
    <name>JSESSIONID</name>
    <http-only>false</http-only>
  </cookie-config>
  <tracking-mode>URL</tracking-mode>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

I have a desktop application that logs into the web app and establishes a session. In response to a user action, it invokes a URL in a browser. Since I want the browser to be logged in with the same session, I append the jsessionid path parameter like this:

http://server/contextroot/path/;jsessionid=8BDF744802E7850D5AA4AB6535163504

I close my browser completely so when the URL is spawned, no previous session cookies will be sent. (My default browser is chrome, and I verify this is the case.)

I also very in code that the URL tracking mode is enabled, by logging the return value of ServletContext.getEffectiveSessionTrackingModes.

What I'm expecting is the browser request to automatically get the session indicated by the ;jsessionid parameter, but it is not happening. Each time Tomcat includes a new session cookie in its response.

This code used to work with a previous version of Tomcat (Probably 5.5) and the servlet 2.3 spec. I don't see anything in the Servlet 3.0 spec or Tomcat docs that indicate that this shouldn't work, and I'm all out of ideas.

Does anyone know why this isn't working as expected?

1 answers

solution1
 0 ACCPTED  2018-02-03 21:33:48

Here is how I got this to work:

In web.xml, I changed 

 <cookie-config>
    <name>JSESSIONID</name>
    <http-only>false</http-only>
  </cookie-config>

to: 

 <cookie-config>
    <name>jsessionid</name>
    <http-only>false</http-only>
  </cookie-config>

so that the session cookie name is now all lowercase, and exactly matches the name of the jsessionid path parameter.

Another way it worked was to change the path parameter name from jsessionid to JSESSIONID. This is because, in Tomcat, if you explictly configure a name for the session cookie, it uses that as the name of the path parameter used to pass in a session ID. This seems to be out of compliance with section 7.1.3 of the Servlet 3.0 spec, which says:

The session ID must be encoded as a path parameter in the URL string. The name of the parameter must be jsessionid. Here is an example of a URL containing encoded path information:

http://www.myserver.com/catalog/index.html;jsessionid=1234

However, it does comply with this excerpt from section 7.1.1:

If a web application configures a custom name for its session tracking cookies, the same custom name will also be used as the name of the URI parameter if the session id is encoded in the URL (provided that URL rewriting has been enabled).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question cookies with <path>/</path> and JSESSIONID How to mark JSESSIONID secure in tomcat? Handling jsessionid in custom header (Tomcat 6) Is it possible to disable jsessionid in tomcat servlet? Java,Tomcat,Sessions - JSessionId disappears Tomcat sets cookie JSESSIONID spontaneously Is it possible to change the path of the JSESSIONID cookie? JSESSIONID path in firefox and safari is different Tomcat creates a jsessionid cookie when session timeouts Spring Security and Tomcat 8 JSessionId response mismatch
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM