Summary: | I think the implementation is different from the document in function CoyoteAdapter.postParseRequest | ||
---|---|---|---|
Product: | Tomcat 6 | Reporter: | Yuan Qingyun <engle_mars> |
Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | a |
Priority: | P2 | ||
Version: | 6.0.14 | ||
Target Milestone: | default | ||
Hardware: | Other | ||
OS: | Windows XP | ||
Attachments: | Patch for java.org.apache.catalina.connector.CoyoteAdapter |
Description
Yuan Qingyun
2007-11-11 19:35:39 UTC
With v.5.5.x the issue takes place also. Surprisingly long-standing game :-) Will somebody from the development team be so kind as to raise the issue severity? Thanks!

Yes, this is a bug. Looking for the cookie when cookies are disabled means that the session ID from the cookie is taken as the requested session ID rather than the ID in the URL. Your proposed patch looks to be heading in the right direction. I'll do some testing and commit a fix. As an aside, patches in diff -u format are a lot easier to manage. Anything more than a few lines is best provided as an attachment rather than in-line.

A modified patch has been applied to trunk and proposed for 6.0.x and 5.5.x.

This has been fixed in svn for 6.0.x and will be included in 6.0.16 onwards.

(In reply to comment #4)
> This has been fixed in svn for 6.0.x and will be included in 6.0.16 onwards.

Thanks, it's great! Can the 6.0.16 release date be estimated?

Created attachment 21341
Patch for java.org.apache.catalina.connector.CoyoteAdapter

The change to parseSessionCookiesId has a problem. If you access an invalid web application path, it will throw a NullPointerException. This is unexpected. The normal behavior is to return 404. The following are the steps.

1. Deploy a web application that is named 'CookiesBug' in webapps.
2. Start Tomcat.
3. Access /cookiesBug. Notice the characters are all in lower case.
4. It will show a NullPointerException at line 554 of class java.org.apache.catalina.connector.CoyoteAdapter.

The reason is that the accessed URL is invalid and Tomcat can't find the context element for it. So it will throw a NullPointerException. From 'http://tomcat.apache.org/tomcat-6.0-doc/config/context.html', I think if it can't find the context, Tomcat should treat it as the default value: 'cookies' is true. So we should get session tracing from cookies. The patch is for Tomcat 6.0.x.

The NPE only occurs if the ROOT web app is not present. I have fixed the code in svn and proposed the improved fix for 6.0.x and 5.5.x.

Fixed in 5.5.x and will be included in 5.5.26 onwards.

Updating version

There is the same problem in function parseSessionId() at line 505. If the user declares that a cookie is used to store the session id, why is there a need to parse the session id from the encoded URI? Please think about the test case. The user declares that a cookie is used to store the session and the user rewrites the URI. For some reason the cookie is lost; in the current code, what will happen? Tomcat will use the URI session, right? So the implementation still has a problem. So I suggest adding the following code to parseSessionId.

    Context context = (Context) request.getMappingData().context;
    if (context == null || context.getCookies())
        return;

The NPE has been fixed for 6.0.x and will be included in 6.0.16. I don't think you have a valid use case for the reverse case. Please discuss on the dev list if you disagree.
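
The session ID selection discussed in this thread, as an added example that is not Tomcat's code or any commenter's patch. `Ctx`, `resolveBeforeFix` and `resolveWithGuard` are hypothetical names, the ID strings are constructed, and treating a missing context as cookies enabled follows the default the reporter cites from the context documentation.

```java
public class SessionIdSourceDemo {

    /** Hypothetical stand-in for a web application's context configuration. */
    static final class Ctx {
        final boolean cookies;           // models the 'cookies' attribute of a context
        Ctx(boolean cookies) { this.cookies = cookies; }
    }

    /** Behaviour reported in the bug: the cookie is consulted regardless of the
     *  context setting, so a cookie ID replaces the ID carried in the URL. */
    static String resolveBeforeFix(Ctx ctx, String urlId, String cookieId) {
        return cookieId != null ? cookieId : urlId;
    }

    /** Guarded selection: the cookie is honoured only when the context allows
     *  cookies. A null context (no application mapped to the request path) is
     *  treated as the default, cookies enabled, rather than being dereferenced. */
    static String resolveWithGuard(Ctx ctx, String urlId, String cookieId) {
        boolean cookiesAllowed = (ctx == null) || ctx.cookies;
        if (cookiesAllowed && cookieId != null) {
            return cookieId;
        }
        return urlId;                    // may be null when the URL carries no ID
    }

    static String describe(Ctx ctx) {
        return ctx == null ? "no context" : "cookies=" + ctx.cookies;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real session identifiers.
        String urlId = "ID-FROM-URL";
        String cookieId = "ID-FROM-COOKIE";
        Ctx[] contexts = { new Ctx(true), new Ctx(false), null };

        for (Ctx ctx : contexts) {
            System.out.printf("%-14s before=%-15s guarded=%s%n",
                    describe(ctx),
                    resolveBeforeFix(ctx, urlId, cookieId),
                    resolveWithGuard(ctx, urlId, cookieId));
        }
        // Cookie lost while cookies are enabled: the URL ID is still used,
        // which is the case the last two comments disagree about.
        System.out.println("cookie lost:   guarded="
                + resolveWithGuard(new Ctx(true), urlId, null));
    }
}
```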