Summary: | JK 1.2.20 in IIS does not remove ";jsessionid=..." from unmapped requests | |
---|---|---|---
Product: | Tomcat Connectors | Reporter: | Bjoern Andersen <bjoern>
Component: | Common | Assignee: | Tomcat Developers Mailing List <dev>
Status: | CLOSED FIXED | |
Severity: | normal | |
Priority: | P2 | |
Version: | unspecified | |
Target Milestone: | --- | |
Hardware: | PC | |
OS: | Windows Server 2003 | |
Description
Bjoern Andersen
2007-01-23 01:06:21 UTC
Additional info: I checked with our developers. The URL suffix is generated in Tomcat's Struts framework as soon as a session is initiated. Normally, this problem is covered by the cookie ability of most browsers. The first call to a page is normally a forward page, frameset, sessionless or has no pictures (like machine interfaces). That explains why picture sources have a jsessionid and why that rarely leads to noticeable flaws. But it doesn't cure the JK1-problem. Please fix this soon. Thanks.

Although one doesn't have to use the Struts tags, if one needs static content URLs, I still like the idea of being able to strip the suffixes. That way one will be able to separate static from dynamic content during deployment time and developers can still stay on the safe side by encoding all URLs.

I added a new property strip_session, which can be set in the registry or the properties file (see docs) to a boolean value (see docs). Default is "false", i.e. suffixes of the form ";jsessionid=..." will *not* be stripped. By turning strip_session to true, they will be stripped, if the request doesn't get forwarded to Tomcat.

We still need to port this to Apache and Sun Web Server though ...

This will be part of version 1.2.21.

(In reply to comment #2)
> Although one doesn't have to use the Struts tags, if one needs static content
> URLs, I still like the idea of being able to strip the suffixes. That way one
> will be able to separate static from dynamic content during deployment time and
> developers can still stay on the safe side by encoding all URLs.
>
> I added a new property strip_session, which can be set in the registry or the
> properties file (see docs) to a boolean value (see docs). Default is "false",
> i.e. suffixes of the form ";jsessionid=..." will *not* be stripped. By turning
> strip_session to true, they will be stripped, if the request doesn't get
> forwarded to Tomcat.
>
> We still need to port this to Apache and Sun Web Server though ...
>
> This will be part of version 1.2.21.

Will this apply to jkunmount hrefs as well as outer hrefs?

Move a couple of fixed JK issues from resolved to closed.
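The stripping that the strip_session comment describes for requests not forwarded to Tomcat, as an added C sketch that is not the connector's own code. The function name `strip_session_id`, the set of characters that end the session value, and the sample URIs are assumptions made for illustration; it goes slightly beyond the thread by leaving a `;jsessionid=` that appears inside the query string untouched.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not mod_jk code: remove every ";jsessionid=<value>"
 * path parameter from a request URI in place. Returns the number removed. */
#define SESSION_PARAM ";jsessionid="

int strip_session_id(char *uri)
{
    const size_t plen = strlen(SESSION_PARAM);
    int stripped = 0;
    char *p = uri;

    while ((p = strstr(p, SESSION_PARAM)) != NULL) {
        /* Only the path part carries path parameters; leave the query alone. */
        char *query = strchr(uri, '?');
        if (query != NULL && p > query)
            break;

        /* Assumption: the value runs until the next path parameter, path
         * segment, query string, fragment, or the end of the string. */
        char *end = p + plen + strcspn(p + plen, ";/?#");

        /* Close the gap; memmove handles the overlap and copies the NUL. */
        memmove(p, end, strlen(end) + 1);
        stripped++;
    }
    return stripped;
}

int main(void)
{
    /* Constructed sample URIs for unmapped (static) requests. */
    char samples[][64] = {
        "/img/logo.gif;jsessionid=0A1B2C3D",
        "/css/site.css;jsessionid=0A1B2C3D?v=2",
        "/static/page.html?next=/a;jsessionid=keep",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = strip_session_id(samples[i]);
        printf("%d stripped -> %s\n", n, samples[i]);
    }
    return 0;
}
```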