subject:"JSESSIONID Stripping"

Re: JSESSIONID Stripping

2011-10-07 Thread Paul Wilson

On 7 October 2011 12:10, Konstantin Kolinko wrote: > 2011/10/7 Paul Wilson : > > Hi there, > > > > Simple question. If a client posts: > > > > POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1 > > > > whilst also specifying: > > > > Cookie: $Version="0"; JSESSIONID=BF18D19ED62

Re: JSESSIONID Stripping

2011-10-07 Thread Konstantin Kolinko

2011/10/7 Paul Wilson : > Hi there, > > Simple question. If a client posts: > > POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1 > > whilst also specifying: > > Cookie: $Version="0"; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64; > $Path=/app/ > > isn't Tomcat supposed to strip t

JSESSIONID Stripping

2011-10-07 Thread Paul Wilson

Hi there, Simple question. If a client posts: POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1 whilst also specifying: Cookie: $Version="0"; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64; $Path=/app/ isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing 'i