https://issues.apache.org/bugzilla/show_bug.cgi?id=47317
Summary: Incorrect session handling when using session="false" in page directive?
Product: Tomcat 6
Version: unspecified
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Jasper
AssignedTo: dev@tomcat.apache.org
ReportedBy: paul.leb...@gmail.com

It appears as if Jasper is not handling sessions properly when 'session="false"' is specified in a JSP's page directive.

Consider the following test JSPs:

[test1.jsp]
<%@ page contentType="text/html;charset=UTF-8" %>
<% session.setAttribute("foo", "bar"); %>
<a href="test2.jsp">go to test2</a>

[test2.jsp]
<%@ page contentType="text/html;charset=UTF-8" session="false" %>
<%= pageContext.findAttribute("foo") %><br />
<%= request.getSession().getAttribute("foo") %><br />

Install the JSPs into a web app and load test1.jsp. Then follow the link to test2.jsp. You will see that the findAttribute() call returns null (unlike the second call). It does not find the attribute in the session.

The specification (JSP2.1 pg 147) regarding session=false states:

"Indicates that the page requires participation in an (HTTP) session. If true then the implicit script language variable named session of type javax.servlet.http.HttpSession references the current/new session for the page. If false then the page does not participate in a session; the session implicit variable is unavailable, and any reference to it within the body of the JSP page is illegal and shall result in a fatal translation error."

This section only seems to describe whether the 'session' implicit variable is available or not. It does *not* say that the JSP is restricted from accessing session attributes using other methods.

The definition for findAttribute() (pg 2-30) states:

"Searches for the named attribute in page, request, session (if valid), and application scope(s) in order and returns the value associated or null."

I take "if valid" to mean "a session exists and has not been invalidated".

IMO Jasper is being over-enthusiastic here in restricting access to session attributes via the pageContext variable. Obviously there is a workaround by using request.getSession().getAttribute(). But if you can do it that way, then why not via pageContext?

Suggested fix (not tested):

In PageContextImpl._initialize():

// Setup session (if required) - if (request instanceof HttpServletRequest && needsSession) - this.session = ((HttpServletRequest) request).getSession(); + if (request instanceof HttpServletRequest) + this.session = ((HttpServletRequest) request).getSession(needsSession);

The intention here is that if needsSession is set, a session will be created on initialisation. But if needsSession is false, the session will only be accessible if it existed on page load. But again I have not tested this fix.

Background: the reason I struck this is because I was trying to make an app more scalable by following the recommended practice of only creating a session after login. However in order to stop JSPs automatically creating a session you need to do the server=false thing. Unfortunately I then found that Tomcat then makes it difficult to access any session that later gets created manually.
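
Review bot: The added line "this.session = ((HttpServletRequest) request).getSession(needsSession);" resolves the session once, in _initialize(), so on a session="false" page a session that is created later in the same request is still invisible to findAttribute(). Consider looking the session up with getSession(false) at the point of each session-scope access instead of caching the result here. Because getSession(false) returns null when no session exists, every use of this.session has to tolerate null, and a session invalidated after initialisation should be treated as absent rather than surfacing an IllegalStateException from the session-scope lookup. The change is marked as untested; a test that loads test1.jsp and then test2.jsp, plus one that loads test2.jsp with no prior session and checks that none is created, would confirm the intended behaviour.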