DO NOT REPLY [Bug 44096] - Find invalid session object.

2007-12-25 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=44096


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||INVALID




--- Additional Comments From [EMAIL PROTECTED]  2007-12-25 05:51 ---
The behaviour you describe is as per the relevant specs.

The servlet 2.5 spec only supports version 0 (netscape) and version 1 (RFC2109)
cookies. RFC2965 is not supported.

RFC2109 is clear (section 4.3.4) that port is not used by the user agent when
determining whether or not to send a cookie.

To get the behaviour you want, you need to use different host names or different
paths for each application. The users list can help you configure this.

RFC2965 does appear to offer the functionality you want but this is not
supported by the 2.5 servlet spec.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
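To make the port point concrete, here is an added Python model (not Tomcat or Bugzilla code) of the RFC 2109 matching rule: a cookie jar keyed on host, name and path, so two Tomcat instances on different ports of the same host overwrite each other's JSESSIONID when both use Path=/, while per-application paths keep the two sessions apart. Host names, paths and session ids are constructed.

```python
"""Cookie scoping per RFC 2109 section 4.3.4: a user agent matches on host
and path only, never on port. Constructed illustration of the bug report
above, not Tomcat or Bugzilla code."""
from urllib.parse import urlsplit


def store(jar: dict, host: str, name: str, value: str, path: str = "/") -> None:
    """Store a cookie as a browser does: same (host, name, path) replaces it."""
    jar[(host.lower(), name, path)] = value


def cookies_for(jar: dict, url: str) -> dict:
    """Cookies an RFC 2109 user agent would attach to a request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    req_path = parts.path or "/"
    sent = {}
    for (c_host, name, c_path), value in jar.items():
        # Host must match and the cookie path must be a prefix of the request
        # path (RFC 2109 4.3.4); the port never takes part in the decision.
        if c_host == host and req_path.startswith(c_path):
            sent[name] = value
    return sent


def session_seen_by(jar: dict, url: str, known_sessions: set) -> str:
    """Session id the server behind url receives, or 'invalid' if unknown."""
    sid = cookies_for(jar, url).get("JSESSIONID")
    return sid if sid in known_sessions else "invalid"


def scenario(path_a: str, path_b: str) -> str:
    """Constructed run: the app on :8080 sets JSESSIONID=A1 with path_a, the
    app on :8081 sets JSESSIONID=B2 with path_b; then :8080 is visited."""
    jar = {}
    store(jar, "localhost", "JSESSIONID", "A1", path_a)   # Set-Cookie from :8080
    store(jar, "localhost", "JSESSIONID", "B2", path_b)   # Set-Cookie from :8081
    return session_seen_by(jar, "http://localhost:8080" + path_a, {"A1"})


if __name__ == "__main__":
    print(scenario("/", "/"))          # both apps on Path=/ : 'invalid'
    print(scenario("/app1", "/app2"))  # per-application paths: 'A1'
```

Browsers following the later RFC 6265 behave the same way, so the host-or-path separation advised above is still the only reliable fix.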



Http11Processor 'ignores' statusDropsConnection()

2007-12-25 Thread Aditya Prasad
Hi all,

I was going through the 5.5 code, and noticed something that will
cause a problem for my service: users can hold open connections even
if my servlet indicates to Tomcat that the connection should be
dropped.  In particular, my servlet replies with
SC_REQUEST_ENTITY_TOO_LARGE, and expects Tomcat to thereafter close
the connection.  Unfortunately, as the following code shows, the
processor will continue to happily consume as many bytes as the client
sends, which is extra painful when the client is sending, say, 1 byte
per second.

http://www.docjar.com/html/api/org/apache/coyote/http11/Http11Processor.java.html#x894
http://www.docjar.com/html/api/org/apache/coyote/http11/InternalInputBuffer.java.html#x368
http://www.docjar.com/html/api/org/apache/coyote/http11/filters/ChunkedInputFilter.java.html#x178

(Sorry if that's not the appropriate way to reference code).  I wrote
a little test where the servlet immediately responds with
SC_REQUEST_ENTITY_TOO_LARGE (to a client that's slowly sending bytes
over the wire), and the thread that returned that response shows this
stack trace 30 seconds later:

"http-8080-Processor8" daemon prio=1 tid=0x0850eb60 nid=0x23bd
runnable [0xaed4..0xaed40780]
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:129)
at org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:747)
at org.apache.coyote.http11.InternalInputBuffer$InputStreamInputBuffer.doRead(InternalInputBuffer.java:777)
at org.apache.coyote.http11.filters.IdentityInputFilter.end(IdentityInputFilter.java:160)
at org.apache.coyote.http11.InternalInputBuffer.endRequest(InternalInputBuffer.java:368)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:881)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)

There's a perplexing caveat: I configured my server with a maximum of
1 thread, but there are still 10 http processors.  The first eight
will sit in the above state forever, consuming bytes.  The last two
somehow manage to close the connection -- so my test client, with 50
threads, has the first 8 tying up the first 8 connections, and the
last 42 get rejected one at a time by the last 2 server threads.

Sorry if this is a well-known issue, if it has been fixed in 6.0, or
if it's correct behavior.  I'm just trying to figure out a sensible
way of preventing malicious (or just dumb) users from causing this
particular DOS scenario.

Thanks!
Aditya

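As an added illustration of the scenario in this post (not Tomcat's code), the following Python models a worker finishing a request whose body the servlet never read: the naive variant drains everything regardless of status, the bounded variant closes the connection on a status that drops it and caps how much it is willing to swallow. The status set and the trickling client are assumptions constructed for the example.

```python
"""Model of what a worker thread does with an unread request body once the
servlet has already answered. Constructed illustration of the concern in the
post above, not Tomcat code; the status set below is an assumption."""
import io

DROPS_CONNECTION = {400, 408, 411, 413, 414, 500, 501, 503}  # assumed set


def status_drops_connection(status: int) -> bool:
    """The idea behind statusDropsConnection(): these responses mean the
    request was unusable, so the connection must not be kept alive."""
    return status in DROPS_CONNECTION


class TricklingClient(io.RawIOBase):
    """Constructed socket stand-in: the peer delivers one byte per read."""
    def __init__(self, body_len: int):
        self.body_len, self.served, self.closed_by_server = body_len, 0, False

    def readinto(self, buf) -> int:
        if self.served >= self.body_len:
            return 0
        buf[0] = ord("x")
        self.served += 1
        return 1

    def close(self) -> None:
        self.closed_by_server = True
        super().close()


def finish_request(client, status: int, remaining: int, max_swallow: int,
                   naive: bool = False) -> tuple:
    """Return (outcome, bytes_swallowed) after the response has been sent.
    naive=True drains the whole body whatever the status (the behaviour the
    post describes); otherwise the status and a swallow cap bound the work."""
    if not naive and status_drops_connection(status):
        client.close()              # do not read a single further byte
        return ("closed", 0)
    swallowed = 0
    buf = bytearray(1)
    while swallowed < remaining:
        if not naive and swallowed >= max_swallow:
            client.close()          # too much left to drain; give up keep-alive
            return ("closed", swallowed)
        if client.readinto(buf) == 0:
            break                   # peer finished early
        swallowed += 1
    return ("drained", swallowed)   # connection may be reused
```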



DO NOT REPLY [Bug 44096] - Find invalid session object.

2007-12-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=44096





--- Additional Comments From [EMAIL PROTECTED]  2007-12-25 17:33 ---
I did as Mark Thomas suggested and used different applications in different paths,
but unfortunately this bug is still here. Refer to the attachments
app_cookie.jpg and app_without_cookie.jpg. The two applications are on the same server
but use different paths. I have packaged the application, named
webapps.zip. The attached file server.xml is the Tomcat server config.




DO NOT REPLY [Bug 44096] - Find invalid session object.

2007-12-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=44096


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|INVALID |







DO NOT REPLY [Bug 44096] - Find invalid session object.

2007-12-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=44096





--- Additional Comments From [EMAIL PROTECTED]  2007-12-25 17:38 ---
Created an attachment (id=21314)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21314&action=view)
http://issues.apache.org/bugzilla/attachment.cgi





DO NOT REPLY [Bug 44096] - Find invalid session object.

2007-12-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=44096





--- Additional Comments From [EMAIL PROTECTED]  2007-12-25 17:39 ---
Created an attachment (id=21315)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21315&action=view)
access /cookiebug and the application use urlrewrite to store the session id





DO NOT REPLY [Bug 44096] - Find invalid session object.

2007-12-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=44096





--- Additional Comments From [EMAIL PROTECTED]  2007-12-25 17:40 ---
Created an attachment (id=21316)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21316&action=view)
The webapps folder under tomcat/





DO NOT REPLY [Bug 44096] - Find invalid session object.

2007-12-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=44096


[EMAIL PROTECTED] changed:

   What|Removed |Added

  Attachment #21314 description|http://issues.apache.org/bugzilla/attachment.cgi|access / and the application as root use cookie to store the session id







DO NOT REPLY [Bug 44096] - Find invalid session object.

2007-12-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=44096





--- Additional Comments From [EMAIL PROTECTED]  2007-12-25 17:44 ---
First access / and then access /cookiebug. You will find that the page
under /cookiebug shows two different session ids. Why is the
incorrect session still found?




DO NOT REPLY [Bug 44096] - Find invalid session object.

2007-12-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=44096





--- Additional Comments From [EMAIL PROTECTED]  2007-12-25 17:45 ---
Please also note the same bug http://issues.apache.org/bugzilla/show_bug.cgi?id=43839




DO NOT REPLY [Bug 43914] - HTTP spec violation when generating HTTP redirects for folders without trailing slash

2007-12-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43914





--- Additional Comments From [EMAIL PROTECTED]  2007-12-25 21:23 ---
Section 14.30 of RFC2616 specifies the Location header as:

   Location   = "Location" ":" absoluteURI

Then, in section 3.2.1 it specifies the definition of absoluteURI:

   For definitive information on
   URL syntax and semantics, see "Uniform Resource Identifiers (URI):
   Generic Syntax and Semantics," RFC 2396 [42] (which replaces RFCs
   1738 [4] and RFC 1808 [11]). This specification adopts the
   definitions of "URI-reference", "absoluteURI", "relativeURI", "port",
   "host","abs_path", "rel_path", and "authority" from that
   specification.

Moving on to RFC2396, in section 3 you can find the start of the absoluteURI 
BNF. If you follow the production you will eventually see that the basic 
characters of the individual path components come down to this:

  pchar = unreserved | escaped |
  ":" | "@" | "&" | "=" | "+" | "$" | ","

Basically, the above says it can only contain unreserved characters and the 
characters explicitly specified, all the rest must be escaped.

Look into sections 2.3 and 2.4.1 for the exact definitions of "unreserved" and 
"escaped", and you will see that none of them include the space character, 
which means "pchar" doesn't include it, which in turn means "absoluteURI" 
doesn't include it, which means eventually that the Location header can't 
include it either. Same goes for many other special characters not explicitly 
covered by "pchar", not just space.


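An added Python example (not Tomcat's code) that applies the pchar argument above: it escapes each path segment of a folder redirect target so the Location value is a valid absoluteURI, and checks an existing path against the RFC 2396 production. The URLs are constructed, and the input path is assumed to be unescaped.

```python
"""Escape a redirect target so the Location header value is an RFC 2616
absoluteURI, using the RFC 2396 'pchar' production quoted above.
Added example, not Tomcat's code; the sample URLs are constructed."""
from urllib.parse import urlsplit, urlunsplit

# RFC 2396 2.3: unreserved = alphanum | mark
MARK = "-_.!~*'()"
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789" + MARK)
# RFC 2396 3.3: pchar = unreserved | escaped | ":" | "@" | "&" | "=" | "+" | "$" | ","
PCHAR_EXTRA = set(":@&=+$,")
HEX = set("0123456789ABCDEFabcdef")


def escape_segment(segment: str) -> str:
    """Percent-encode every octet of one path segment that is not a pchar.
    Assumes the segment is not already escaped (a '%' would be re-encoded)."""
    out = []
    for byte in segment.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in UNRESERVED or ch in PCHAR_EXTRA
                   else "%%%02X" % byte)
    return "".join(out)


def is_valid_pchar_path(path: str) -> bool:
    """True if path holds only pchar, well-formed escapes, and the structural
    '/' and ';' separators; a bare space or a broken escape fails."""
    i = 0
    while i < len(path):
        ch = path[i]
        if ch == "%":
            if i + 2 >= len(path) or path[i + 1] not in HEX or path[i + 2] not in HEX:
                return False
            i += 3
            continue
        if ch not in UNRESERVED and ch not in PCHAR_EXTRA and ch not in "/;":
            return False
        i += 1
    return True


def redirect_location(request_url: str) -> str:
    """Build the Location value for a folder redirect: escaped path plus '/'."""
    parts = urlsplit(request_url)
    path = "/".join(escape_segment(s) for s in parts.path.split("/"))
    if not path.endswith("/"):
        path += "/"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))
```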