Bug 41439 - JK 1.2.20 in IIS does not remove ";jsessionid=..." from unmapped requests
JK 1.2.20 in IIS does not remove ";jsessionid=..." from unmapped requests
Status: CLOSED FIXED
Product: Tomcat Connectors
Classification: Unclassified
Component: Common
unspecified
PC Windows Server 2003
: P2 normal (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2007-01-23 01:06 UTC by Bjoern Andersen
Modified: 2008-10-05 03:09 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bjoern Andersen 2007-01-23 01:06:21 UTC
We run jk 1.2.20 on IIS6 on win2k3. Tomcat 5.0.28 on different machines. Some 
of our applications produce image-links containing the JK-Session information. 
Example:
<li><a 
href="/shoppingcc/common/boundary/login.do;jsessionid=D5E2FE08F02400159DFD62311
1F98FEE.p-ng-ptom2"><img 
src="/shoppingcc/img/btn_nav_main_login.gif;jsessionid=D5E2FE08F02400159DFD6231
11F98FEE.p-ng-ptom2" height="25" width="145" alt="Login"></a></li>

We are not exactly sure why, but not all applications do. We konw that on the 
first call jk adds the information to all links in case the browser does not 
support cookies to store the info. But why in image tags?

Anyway, on jk2.0.4, these pictures were displayed ok, so JK2 must have removed 
the ";jksession=..." part from the URL of the images. Even though images are 
not mapped and served from the iis directly.

Now, in the new 1.2.20 (maybe earlier versions too), the JK recognizes the 
token ";jksessionid" ans states in the log that it removed that part of the 
URL (tracelog):
--------------------------
[Mon Jan 22 18:20:18 2007] [4992:4356] [debug] jk_isapi_plugin.c (801): Filter 
started
[Mon Jan 22 18:20:18 2007] [4992:4356] [debug] jk_isapi_plugin.c (868): 
Virtual Host redirection 
of /callcenter.premiereshop.de:3126/shoppingcc/img/logo_premiereshop.gif;jsessi
onid=23EE66145F266B442E5444F475F12C84.p-hh-ptom
[Mon Jan 22 18:20:18 2007] [4992:4356] [trace] jk_uri_worker_map.c (542): enter
[Mon Jan 22 18:20:18 2007] [4992:4356] [debug] jk_uri_worker_map.c (569): 
Removing Session path ';jsessionid=23EE66145F266B442E5444F475F12C84.p-hh-ptom' 
URI '/callcenter.premiereshop.de:3126/shoppingcc/img/logo_premiereshop.gif'
[Mon Jan 22 18:20:18 2007] [4992:4356] [debug] jk_uri_worker_map.c (575): 
Attempting to map 
URI '/callcenter.premiereshop.de:3126/shoppingcc/img/logo_premiereshop.gif;jses
sionid=23EE66145F266B442E5444F475F12C84.p-hh-ptom' from 246 maps
[Mon Jan 22 18:20:18 2007] [4992:4356] [debug] jk_uri_worker_map.c (587): 
Attempting to map context 
URI '/n1.tc.haendler.premierefernsehen.de*/abcc/vertraege/*.pdf=p-ng-ptom1' 
source 'uriworkermap'
---------------------

...but the pictures are not displayed. in the IIS-Log you can see why:

---------------------
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-01-22 17:20:13
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-
version cs(User-Agent) cs(Referer) sc-status sc-bytes time-taken 
2007-01-22 17:20:13 
GET /shoppingcc/img/logo_premiereshop.gif;jsessionid=23EE66145F266B442E5444F475
F12C84.p-hh-ptom - - 172.17.67.35 HTTP/1.1 Mozilla/4.0+
(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.1;+.NET
+CLR+2.0.50727) - 401 1860 109
2007-01-22 17:20:18 
GET /shoppingcc/img/logo_premiereshop.gif;jsessionid=23EE66145F266B442E5444F475
F12C84.p-hh-ptom - adpw\admande40 172.17.67.35 HTTP/1.1 Mozilla/4.0+
(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.1;+.NET
+CLR+2.0.50727) - 404 1795 15
2007-01-22 17:20:20 
GET /shoppingcc/img/logo_premiereshop.gif;jsessionid=23EE66145F266B442E5444F475
F12C84.p-hh-ptom - adpw\admande40 172.17.67.35 HTTP/1.1 Mozilla/4.0+
(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.1;+.NET
+CLR+2.0.50727) - 404 1795 15
---------------------

There is still the ";jksession=..." in the requested URL.

All this resulting in the pictures of some applications are not beeing 
displayed on the first call of the webpage. After that, normaly the session 
data kicks in and the sessions tags are not added any more to the images.
Comment 1 Bjoern Andersen 2007-01-23 09:19:08 UTC
Additional info:
I checked with our developers. The URL suffix is generated in tomcats struts 
framework as soon as a session is initiated. Normally, this problem is covered 
by the cookies ability of most browsers. The first call to a page is normally 
a forward page, frameset, sessionless or has no pictures (like machine 
interfaces).
That explains why picture sources have a jsessionid and why that rarely leads 
to noticable flaws. But it doesn't cure the JK1-problem.
Please fix this soon. Thanks.
Comment 2 Rainer Jung 2007-01-28 12:07:10 UTC
Although one doesn't have to use the struts tags, if one needs static content
URLs, I still like the idea of being able to strip the suffixes. That way one
will be able to seperate static from dynamic content during deployment time and
developers can still stay on the safe side by encoding all URLs.

I added a new property strip_session, which can be set in the registry or the
proerties file (see docs) to a boolean value (see docs). Default is "false",
i.e. suffixes of the form ";jsessionid=..." will *not* be stripped. By turing
strip_session to true, they will be stripped, if the request doesn't get
forwarded to tomcat.

We still need to port this to Apache und Sun Web Server though ...

This will be part of version 1.2.21.
Comment 3 B.Haleblian 2007-03-30 02:56:06 UTC
(In reply to comment #2)
> Although one doesn't have to use the struts tags, if one needs static content
> URLs, I still like the idea of being able to strip the suffixes. That way one
> will be able to seperate static from dynamic content during deployment time and
> developers can still stay on the safe side by encoding all URLs.
> 
> I added a new property strip_session, which can be set in the registry or the
> proerties file (see docs) to a boolean value (see docs). Default is "false",
> i.e. suffixes of the form ";jsessionid=..." will *not* be stripped. By turing
> strip_session to true, they will be stripped, if the request doesn't get
> forwarded to tomcat.
> 
> We still need to port this to Apache und Sun Web Server though ...
> 
> This will be part of version 1.2.21.
> 

Will this apply to jkunmount hrefs as well as outer hrefs?
Comment 4 Rainer Jung 2008-01-01 16:32:32 UTC
Move a couple of fixed JK issues from resolved to closed.