https://issues.apache.org/bugzilla/show_bug.cgi?id=55266

            Bug ID: 55266
           Summary: Trailing slash redirect loses jsessionid attribute
           Product: Tomcat 6
           Version: 6.0.33
          Hardware: Macintosh
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: fsommer0...@googlemail.com

Created attachment 30594
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=30594&action=edit
contains a maven project including tomcat6-plugin to package the webapp and run
tomcat using maven. This archive also includes a deployable war beneath /dist.

I'm using URL rewriting and recently upgraded my tomcat version from 6.0.32 to
6.0.33. I figured out that since 6.0.33 the jsessionid attribute is omitted in
the Location header when Tomcat forces a trailing slash redirect e.g. from
/mypath to /mypath/. The effect is that the session information is lost after
the redirect.

This looks pretty much the same as an old bug, 'Bug 34749'
(https://issues.apache.org/bugzilla/show_bug.cgi?id=34749) in Tomcat 5.


Steps to reproduce:

1. Deploy the attached war to a Tomcat >= 6.0.33 or use 'mvn package
tomcat6:run' if you wish to use the maven tomcat6 plugin.

2. Create a session by requesting a page 'createsession.jsp'. The response
shows a sessionid that is required for step three and four.
curl -v "http://localhost:8080/jsessionid-issue/createsession.jsp"


3. Append the jsessionid attribute to the uri
"http://localhost:8080/jsessionid-issue/". Please note the slash at the end of
the path.
curl -Lv "http://localhost:8080/jsessionid-issue/;jsessionid=_id_"

The jsessionid is taken into account. The response shows that the session of
the requested sessionid has been used.

4. Now, request the same uri without the trailing slash:
'http://localhost:8080/jsessionid-issue;jsessionid=_id_'
curl -Lv "http://localhost:8080/jsessionid-issue;jsessionid=_id_"

First, the output shows a 302 redirect that is forced by tomcat. The location
header shows the uri 'http://localhost:8080/jsessionid-issue/' with a trailing
slash now but the jsessionid attribute is missing.
Accordingly, the response of the second request shows that no session has been
used.



Sample:

1. 'mvn package tomcat6:run'
15.07.2013 07:46:46 org.apache.catalina.startup.Embedded start
INFO: Starting tomcat server
15.07.2013 07:46:46 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.37
15.07.2013 07:46:47 org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
15.07.2013 07:46:47 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080


2. curl -v "http://localhost:8080/jsessionid-issue/createsession.jsp"
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...
* connected
* Connected to localhost (::1) port 8080 (#0)
> GET /jsessionid-issue/createsession.jsp HTTP/1.1
> User-Agent: curl/7.28.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Length: 92
< Date: Mon, 15 Jul 2013 06:22:11 GMT
< 

########################################
created session: 968F6BEC133C69A20EAFF0D2093F7A56
########################################


3. curl -Lv "http://localhost:8080/jsessionid-issue/;jsessionid=968F6BEC133C69A20EAFF0D2093F7A56"
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...
* connected
* Connected to localhost (::1) port 8080 (#0)
> GET /jsessionid-issue/;jsessionid=968F6BEC133C69A20EAFF0D2093F7A56 HTTP/1.1
> User-Agent: curl/7.28.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Length: 285
< Date: Mon, 15 Jul 2013 06:22:49 GMT
< 

########################################
http session: 968F6BEC133C69A20EAFF0D2093F7A56
getRequestURI: /jsessionid-issue/;jsessionid=968F6BEC133C69A20EAFF0D2093F7A56
getRequestedSessionId: 968F6BEC133C69A20EAFF0D2093F7A56
isRequestedSessionIdFromURL: true
isRequestedSessionIdValid: true
########################################


4. curl -Lv "http://localhost:8080/jsessionid-issue;jsessionid=968F6BEC133C69A20EAFF0D2093F7A56"
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...
* connected
* Connected to localhost (::1) port 8080 (#0)
> GET /jsessionid-issue;jsessionid=968F6BEC133C69A20EAFF0D2093F7A56 HTTP/1.1
> User-Agent: curl/7.28.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 302 Found
< Server: Apache-Coyote/1.1
< Location: http://localhost:8080/jsessionid-issue/
< Transfer-Encoding: chunked
< Date: Mon, 15 Jul 2013 06:24:12 GMT
< 
* Ignoring the response-body
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost:8080/jsessionid-issue/'
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8080 (#0)
> GET /jsessionid-issue/ HTTP/1.1
> User-Agent: curl/7.28.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Length: 189
< Date: Mon, 15 Jul 2013 06:24:12 GMT
< 

########################################
http session is null
getRequestURI: /jsessionid-issue/
getRequestedSessionId: null
isRequestedSessionIdFromURL: false
isRequestedSessionIdValid: false
########################################

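The check from step 4 of the report, as an added example that is not part of the original bug report: a shell function that scans a `curl -v` transcript for 3xx responses whose Location header lacks the `;jsessionid=` parameter sent in the request. The function names, the transcript and the session id in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag redirects in a `curl -v`
# transcript that drop the ;jsessionid= path parameter of the request.

# Reads a transcript on stdin and prints, for each affected redirect:
#   DROPPED <status> <request-uri> -> <location>
# Returns 1 if at least one redirect lost the session id, 0 otherwise.
find_dropped_jsessionid() {
    awk '
        { sub(/\r$/, "") }                             # strip CR from header lines
        /^> [A-Z]+ /  { uri = $3; status = ""; next }  # request line
        /^< HTTP\//   { status = $3; next }            # status line
        /^< [Ll]ocation:/ {
            loc = $0
            sub(/^< [Ll]ocation:[ \t]*/, "", loc)
            if (status ~ /^3/ && uri ~ /;jsessionid=/) {
                sid = uri
                sub(/^.*;jsessionid=/, "", sid)        # keep the id value ...
                sub(/[;?#\/].*$/, "", sid)             # ... up to the next delimiter
                if (index(loc, ";jsessionid=" sid) == 0) {
                    print "DROPPED " status " " uri " -> " loc
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed transcript modelled on step 4 of the report. The first redirect
# drops the id, the second keeps it; the session id is a placeholder.
sample_transcript() {
    cat <<'EOF'
> GET /jsessionid-issue;jsessionid=0123456789ABCDEF0123456789ABCDEF HTTP/1.1
> Host: localhost:8080
>
< HTTP/1.1 302 Found
< Location: http://localhost:8080/jsessionid-issue/
<
> GET /jsessionid-issue;jsessionid=0123456789ABCDEF0123456789ABCDEF HTTP/1.1
> Host: localhost:8080
>
< HTTP/1.1 302 Found
< Location: http://localhost:8080/jsessionid-issue/;jsessionid=0123456789ABCDEF0123456789ABCDEF
<
EOF
}

sample_transcript | find_dropped_jsessionid || echo "session id lost in redirect"
```

Against a live server, feed the function the stderr of the step 4 command, for example `curl -sLv "<url>" 2>&1 >/dev/null | find_dropped_jsessionid`.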